.. _troubleshoot:

Troubleshooting
===============

.. _trace_logging:

Trace logging
-------------

Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging.  To enable this, set the **KRB5_TRACE** environment variable
to a filename before running the program.  On many operating systems,
the filename ``/dev/stdout`` can be used to send trace logging output
to standard output.

Some programs do not honor **KRB5_TRACE**, either because they use
secure library contexts (this generally applies to setuid programs and
parts of the login system) or because they take direct control of the
trace logging system using the API.
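As an added illustration (not part of the MIT krb5 documentation), the following Python reads KRB5_TRACE output in the ``[pid] seconds.microseconds: message`` form shown in the kvno example below, joins wrapped continuation lines, and picks out the records whose traced ``result:`` code is nonzero, together with the time spent between consecutive records. The continuation handling is an assumption made for the line-wrapped form used in this document, and the last record in the sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A trace record starts with "[pid] seconds.microseconds: " (6-digit fraction assumed).
RECORD_RE = re.compile(r"^\[(\d+)\] (\d+)\.(\d{6}): (.*)$")
# Library calls returning a krb5_error_code are traced as "result: code/text".
RESULT_RE = re.compile(r"result: (-?\d+)/(.*)$")


@dataclass
class TraceRecord:
    pid: int
    usec: int        # timestamp in microseconds since the epoch
    message: str

    def result_code(self) -> Optional[int]:
        """krb5 error code from a trailing 'result: N/text', or None if absent."""
        m = RESULT_RE.search(self.message)
        return int(m.group(1)) if m else None


def parse_trace(text: str) -> List[TraceRecord]:
    """Parse KRB5_TRACE output.  Lines that do not start a record (shell prompt,
    the program's own output) are skipped; indented lines are assumed to be
    wrapped continuations of the previous record (real output keeps one record
    per line, the documentation wraps them)."""
    records: List[TraceRecord] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            pid, secs, frac, msg = m.groups()
            records.append(TraceRecord(int(pid), int(secs) * 1_000_000 + int(frac), msg))
        elif records and line[:1].isspace():
            records[-1].message += " " + line.strip()
    return records


def failed_records(records: List[TraceRecord]) -> List[TraceRecord]:
    """Records whose traced result code is nonzero, i.e. a krb5 error."""
    return [r for r in records if r.result_code() not in (None, 0)]


def step_durations_usec(records: List[TraceRecord]) -> List[int]:
    """Microseconds elapsed between consecutive records (where the time went)."""
    return [b.usec - a.usec for a, b in zip(records, records[1:])]


# Sample input: the kvno trace from this page plus one constructed failing
# record (pid 9139) standing in for a credential-cache lookup that misses.
SAMPLE = """\
shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM ->
    krbtgt/KRBTEST.COM@KRBTEST.COM using ccache
    FILE:/me/krb5/build/testdir/ccache
[9138] 1332348778.823381: Retrieving user@KRBTEST.COM ->
    krbtgt/KRBTEST.COM@KRBTEST.COM from
    FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
[9139] 1332348790.000500: Retrieving user@KRBTEST.COM -> host/x@KRBTEST.COM from FILE:/tmp/cc with result: -1765328243/Matching credential not found
"""
```

Feeding a real capture to ``parse_trace`` and printing ``failed_records`` narrows a failing login to the first library call that returned an error, which is usually far quicker than reading the whole trace.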

Here is a short example showing trace logging output for an invocation
of the :ref:`kvno(1)` command::

    shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
    [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM ->
        krbtgt/KRBTEST.COM@KRBTEST.COM using ccache
        FILE:/me/krb5/build/testdir/ccache
    [9138] 1332348778.823381: Retrieving user@KRBTEST.COM ->
        krbtgt/KRBTEST.COM@KRBTEST.COM from
        FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
    krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1


List of errors
--------------

Frequently seen errors
~~~~~~~~~~~~~~~~~~~~~~

#. :ref:`init_creds_ETYPE_NOSUPP`

#. :ref:`cert_chain_ETYPE_NOSUPP`

#. :ref:`err_cert_chain_cert_expired`


Errors seen by admins
~~~~~~~~~~~~~~~~~~~~~

.. _prop_failed_start:

#. :ref:`kprop_no_route`

#. :ref:`kprop_con_refused`

#. :ref:`kprop_sendauth_exchange`

.. _prop_failed_end:

-----

.. _init_creds_etype_nosupp:

KDC has no support for encryption type while getting initial credentials
........................................................................

.. _cert_chain_etype_nosupp:


credential verification failed: KDC has no support for encryption type
......................................................................

This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default.  DES encryption is considered weak due to its inadequate key
size.  If you cannot migrate away from its use, you can re-enable DES
by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults`
section of :ref:`krb5.conf(5)`.


.. _err_cert_chain_cert_expired:

Cannot create cert chain: certificate has expired
.................................................

This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.

If the KDC certificate has expired, this message appears in the KDC
log file, and the client will receive a "Preauthentication failed"
error.  (Prior to release 1.11, the KDC log file message erroneously
appears as "Out of memory".  Prior to release 1.12, the client will
receive a "Generic error".)

If the client or a signing certificate has expired, this message may
appear in trace_logging_ output from :ref:`kinit(1)` or, starting in
release 1.12, as an error message from kinit or another program which
gets initial tickets.  The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.

.. _kprop_no_route:

kprop: No route to host while connecting to server
..................................................

Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.

.. _kprop_con_refused:

kprop: Connection refused while connecting to server
....................................................

If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5_prop connections.  inetd may
need to be restarted or sent a SIGHUP to recognize the new
configuration.  If the replica is intended to run kpropd in standalone
mode, make sure that it is running.

.. _kprop_sendauth_exchange:

kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
...............................................................................................

Make sure that:

#. The time is synchronized between the primary and replica KDCs.
#. The master stash file was copied from the primary to the expected
   location on the replica.
#. The replica has a keytab file in the default location containing a
   ``host`` principal for the replica's hostname.