1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
<!DOCTYPE html>
<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Troubleshooting — MIT Kerberos Documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
<link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
<script src="../_static/documentation_options.js?v=6dbce55c"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="next" title="Advanced topics" href="advanced/index.html" />
<link rel="prev" title="Environment variables" href="env_variables.html" />
</head><body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="env_variables.html" title="Environment variables"
accesskey="P">previous</a> |
<a href="advanced/index.html" title="Advanced topics"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Troubleshooting">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="troubleshooting">
<span id="troubleshoot"></span><h1>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Link to this heading">¶</a></h1>
<section id="trace-logging">
<span id="id1"></span><h2>Trace logging<a class="headerlink" href="#trace-logging" title="Link to this heading">¶</a></h2>
<p>Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging. To enable this, set the <strong>KRB5_TRACE</strong> environment variable
to a filename before running the program. On many operating systems,
the filename <code class="docutils literal notranslate"><span class="pre">/dev/stdout</span></code> can be used to send trace logging output
to standard output.</p>
<p>Some programs do not honor <strong>KRB5_TRACE</strong>, either because they use
secure library contexts (this generally applies to setuid programs and
parts of the login system) or because they take direct control of the
trace logging system using the API.</p>
<p>Here is a short example showing trace logging output for an invocation
of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-1"><span class="std std-ref">kvno</span></a> command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">env</span> <span class="n">KRB5_TRACE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">stdout</span> <span class="n">kvno</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span>
<span class="p">[</span><span class="mi">9138</span><span class="p">]</span> <span class="mf">1332348778.823276</span><span class="p">:</span> <span class="n">Getting</span> <span class="n">credentials</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="o">-></span>
<span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="n">using</span> <span class="n">ccache</span>
<span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">me</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">testdir</span><span class="o">/</span><span class="n">ccache</span>
<span class="p">[</span><span class="mi">9138</span><span class="p">]</span> <span class="mf">1332348778.823381</span><span class="p">:</span> <span class="n">Retrieving</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="o">-></span>
<span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="kn">from</span>
<span class="nn">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">me</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">testdir</span><span class="o">/</span><span class="n">ccache</span> <span class="k">with</span> <span class="n">result</span><span class="p">:</span> <span class="mi">0</span><span class="o">/</span><span class="n">Unknown</span> <span class="n">code</span> <span class="mi">0</span>
<span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="n">kvno</span> <span class="o">=</span> <span class="mi">1</span>
</pre></div>
</div>
</section>
<section id="list-of-errors">
<h2>List of errors<a class="headerlink" href="#list-of-errors" title="Link to this heading">¶</a></h2>
<section id="frequently-seen-errors">
<h3>Frequently seen errors<a class="headerlink" href="#frequently-seen-errors" title="Link to this heading">¶</a></h3>
<ol class="arabic simple">
<li><p><a class="reference internal" href="#init-creds-etype-nosupp"><span class="std std-ref">KDC has no support for encryption type while getting initial credentials</span></a></p></li>
<li><p><a class="reference internal" href="#cert-chain-etype-nosupp"><span class="std std-ref">credential verification failed: KDC has no support for encryption type</span></a></p></li>
<li><p><a class="reference internal" href="#err-cert-chain-cert-expired"><span class="std std-ref">Cannot create cert chain: certificate has expired</span></a></p></li>
</ol>
</section>
<section id="errors-seen-by-admins">
<h3>Errors seen by admins<a class="headerlink" href="#errors-seen-by-admins" title="Link to this heading">¶</a></h3>
<ol class="arabic simple" id="prop-failed-start">
<li><p><a class="reference internal" href="#kprop-no-route"><span class="std std-ref">kprop: No route to host while connecting to server</span></a></p></li>
<li><p><a class="reference internal" href="#kprop-con-refused"><span class="std std-ref">kprop: Connection refused while connecting to server</span></a></p></li>
<li><p><a class="reference internal" href="#kprop-sendauth-exchange"><span class="std std-ref">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</span></a></p></li>
</ol>
<hr class="docutils" id="prop-failed-end" />
<section id="kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">
<span id="init-creds-etype-nosupp"></span><h4>KDC has no support for encryption type while getting initial credentials<a class="headerlink" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials" title="Link to this heading">¶</a></h4>
</section>
<section id="credential-verification-failed-kdc-has-no-support-for-encryption-type">
<span id="cert-chain-etype-nosupp"></span><h4>credential verification failed: KDC has no support for encryption type<a class="headerlink" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type" title="Link to this heading">¶</a></h4>
<p>This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default. DES encryption is considered weak due to its inadequate key
size. If you cannot migrate away from its use, you can re-enable DES
by adding <code class="docutils literal notranslate"><span class="pre">allow_weak_crypto</span> <span class="pre">=</span> <span class="pre">true</span></code> to the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
</section>
<section id="cannot-create-cert-chain-certificate-has-expired">
<span id="err-cert-chain-cert-expired"></span><h4>Cannot create cert chain: certificate has expired<a class="headerlink" href="#cannot-create-cert-chain-certificate-has-expired" title="Link to this heading">¶</a></h4>
<p>This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.</p>
<p>If the KDC certificate has expired, this message appears in the KDC
log file, and the client will receive a “Preauthentication failed”
error. (Prior to release 1.11, the KDC log file message erroneously
appears as “Out of memory”. Prior to release 1.12, the client will
receive a “Generic error”.)</p>
<p>If the client or a signing certificate has expired, this message may
appear in <a class="reference internal" href="#trace-logging">trace_logging</a> output from <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or, starting in
release 1.12, as an error message from kinit or another program which
gets initial tickets. The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.</p>
</section>
<section id="kprop-no-route-to-host-while-connecting-to-server">
<span id="kprop-no-route"></span><h4>kprop: No route to host while connecting to server<a class="headerlink" href="#kprop-no-route-to-host-while-connecting-to-server" title="Link to this heading">¶</a></h4>
<p>Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.</p>
</section>
<section id="kprop-connection-refused-while-connecting-to-server">
<span id="kprop-con-refused"></span><h4>kprop: Connection refused while connecting to server<a class="headerlink" href="#kprop-connection-refused-while-connecting-to-server" title="Link to this heading">¶</a></h4>
<p>If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5_prop connections. inetd may
need to be restarted or sent a SIGHUP to recognize the new
configuration. If the replica is intended to run kpropd in standalone
mode, make sure that it is running.</p>
</section>
<section id="kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">
<span id="kprop-sendauth-exchange"></span><h4>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server<a class="headerlink" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server" title="Link to this heading">¶</a></h4>
<p>Make sure that:</p>
<ol class="arabic simple">
<li><p>The time is synchronized between the primary and replica KDCs.</p></li>
<li><p>The master stash file was copied from the primary to the expected
location on the replica.</p></li>
<li><p>The replica has a keytab file in the default location containing a
<code class="docutils literal notranslate"><span class="pre">host</span></code> principal for the replica’s hostname.</p></li>
</ol>
</section>
</section>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">Troubleshooting</a><ul>
<li><a class="reference internal" href="#trace-logging">Trace logging</a></li>
<li><a class="reference internal" href="#list-of-errors">List of errors</a><ul>
<li><a class="reference internal" href="#frequently-seen-errors">Frequently seen errors</a></li>
<li><a class="reference internal" href="#errors-seen-by-admins">Errors seen by admins</a><ul>
<li><a class="reference internal" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">KDC has no support for encryption type while getting initial credentials</a></li>
<li><a class="reference internal" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type">credential verification failed: KDC has no support for encryption type</a></li>
<li><a class="reference internal" href="#cannot-create-cert-chain-certificate-has-expired">Cannot create cert chain: certificate has expired</a></li>
<li><a class="reference internal" href="#kprop-no-route-to-host-while-connecting-to-server">kprop: No route to host while connecting to server</a></li>
<li><a class="reference internal" href="#kprop-connection-refused-while-connecting-to-server">kprop: Connection refused while connecting to server</a></li>
<li><a class="reference internal" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.22.1</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="env_variables.html" title="Environment variables"
>previous</a> |
<a href="advanced/index.html" title="Advanced topics"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Troubleshooting">feedback</a>
</div>
</div>
</div>
</body>
</html>
|
