.. _troubleshoot:

Troubleshooting
===============

.. _trace_logging:

Trace logging
-------------

Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging.  To enable this, set the **KRB5_TRACE** environment variable
to a filename before running the program.  On many operating systems,
the filename ``/dev/stdout`` can be used to send trace logging output
to standard output.

Some programs do not honor **KRB5_TRACE**, either because they use
secure library contexts (this generally applies to setuid programs and
parts of the login system) or because they take direct control of the
trace logging system using the API.

Here is a short example showing trace logging output for an invocation
of the :ref:`kvno(1)` command::

    shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
    [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM ->
        krbtgt/KRBTEST.COM@KRBTEST.COM using ccache
        FILE:/me/krb5/build/testdir/ccache
    [9138] 1332348778.823381: Retrieving user@KRBTEST.COM ->
        krbtgt/KRBTEST.COM@KRBTEST.COM from
        FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
    krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1

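When a trace is long, the useful questions are usually "which step failed?" and "where did the time go?".  The following Python is an added example (it is not part of the krb5 documentation or the krb5 code base) that parses the ``[pid] seconds.microseconds: message`` record format shown above, joins the indented continuation lines that appear when a record is wrapped for display as in the excerpt, and reports result codes and the time elapsed between records.  The sample input is the kvno excerpt above, taken as it would appear in a terminal; the regular expressions and helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One trace record: "[pid] seconds.microseconds: message".  This is the
# format illustrated in the kvno excerpt above; indented continuation
# lines are accepted to cope with display wrapping of long records.
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<sec>\d+)\.(?P<usec>\d{6}): (?P<msg>.*)$")
# Records that report an outcome end in "with result: <code>/<text>".
RESULT_RE = re.compile(r"with result: (?P<code>-?\d+)/")


@dataclass
class TraceEntry:
    pid: int
    time_usec: int   # wall-clock time in microseconds, kept as int to avoid float rounding
    message: str


def parse_trace(text: str) -> List[TraceEntry]:
    """Extract trace records from mixed program output; non-trace lines are ignored."""
    entries: List[TraceEntry] = []
    for raw in text.splitlines():
        m = TRACE_RE.match(raw)
        if m:
            ts = int(m["sec"]) * 1_000_000 + int(m["usec"])
            entries.append(TraceEntry(int(m["pid"]), ts, m["msg"]))
        elif raw.startswith(" ") and entries:
            # Indented line: continuation of the previous record's message.
            entries[-1].message += " " + raw.strip()
        # Anything else (shell prompt, the program's own output) is not trace data.
    return entries


def time_deltas_usec(entries: List[TraceEntry]) -> List[int]:
    """Microseconds between consecutive records; a large gap marks a slow step."""
    return [b.time_usec - a.time_usec for a, b in zip(entries, entries[1:])]


def result_code(entry: TraceEntry) -> Optional[int]:
    """Numeric result code of a '... with result: N/...' record, or None if it has none."""
    m = RESULT_RE.search(entry.message)
    return int(m["code"]) if m else None


def failures(entries: List[TraceEntry]) -> List[TraceEntry]:
    """Records with a non-zero result code: the usual place to start reading a trace."""
    return [e for e in entries if result_code(e) not in (None, 0)]


# Constructed sample: the kvno excerpt from the section above, as captured
# from a terminal (shell prompt and kvno's own final output line included).
SAMPLE = """\
shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM ->
    krbtgt/KRBTEST.COM@KRBTEST.COM using ccache
    FILE:/me/krb5/build/testdir/ccache
[9138] 1332348778.823381: Retrieving user@KRBTEST.COM ->
    krbtgt/KRBTEST.COM@KRBTEST.COM from
    FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
"""

if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    for rec, delta in zip(recs, [0] + time_deltas_usec(recs)):
        print(f"+{delta:6d}us pid={rec.pid} {rec.message}")
    print("failing records:", [r.message for r in failures(recs)])
```

Feed it a whole trace file (``parse_trace(open(path).read())``) and look at ``failures()`` first, then at the largest entries of ``time_deltas_usec()``; the record just before a large gap names the operation (for example a KDC exchange) that stalled.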

List of errors
--------------

Frequently seen errors
~~~~~~~~~~~~~~~~~~~~~~

#. :ref:`init_creds_ETYPE_NOSUPP`

#. :ref:`cert_chain_ETYPE_NOSUPP`

#. :ref:`err_cert_chain_cert_expired`


Errors seen by admins
~~~~~~~~~~~~~~~~~~~~~

.. _prop_failed_start:

#. :ref:`kprop_no_route`

#. :ref:`kprop_con_refused`

#. :ref:`kprop_sendauth_exchange`

.. _prop_failed_end:

-----

.. _init_creds_etype_nosupp:

KDC has no support for encryption type while getting initial credentials
........................................................................

.. _cert_chain_etype_nosupp:

credential verification failed: KDC has no support for encryption type
......................................................................

This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default.  DES encryption is considered weak due to its inadequate key
size.  If you cannot migrate away from its use, you can re-enable DES
by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults`
section of :ref:`krb5.conf(5)`.


.. _err_cert_chain_cert_expired:

Cannot create cert chain: certificate has expired
.................................................

This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.

If the KDC certificate has expired, this message appears in the KDC
log file, and the client will receive a "Preauthentication failed"
error.  (Prior to release 1.11, the KDC log file message erroneously
appears as "Out of memory".  Prior to release 1.12, the client will
receive a "Generic error".)

If the client or a signing certificate has expired, this message may
appear in trace_logging_ output from :ref:`kinit(1)` or, starting in
release 1.12, as an error message from kinit or another program which
gets initial tickets.  The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.

.. _kprop_no_route:

kprop: No route to host while connecting to server
..................................................

Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.

.. _kprop_con_refused:

kprop: Connection refused while connecting to server
....................................................

If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5_prop connections.  inetd may
need to be restarted or sent a SIGHUP to recognize the new
configuration.  If the replica is intended to run kpropd in standalone
mode, make sure that it is running.

.. _kprop_sendauth_exchange:

kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
...............................................................................................

Make sure that:

#. The time is synchronized between the primary and replica KDCs.
#. The master stash file was copied from the primary to the expected
   location on the replica.
#. The replica has a keytab file in the default location containing a
   ``host`` principal for the replica's hostname.

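The three checks above can be scripted so that a replica is verified before kprop is run.  The following Python is an added example (not part of the krb5 documentation or code base): it parses the output of ``klist -k`` on the replica to confirm that a ``host/<hostname>`` key is present, checks that the stash file exists at the path the administrator supplies, and compares the two KDCs' clocks against the ``clockskew`` default of 300 seconds.  The hostname, realm and stash path are made up for the example; the ``exists`` parameter is this example's own device for running the stash check without a filesystem.

```python
import os
import re
from typing import Callable, List, Tuple

# One key entry line of `klist -k` output: a right-aligned key version number
# followed by the principal.  The "Keytab name:" line, the "KVNO Principal"
# header and the dashed rule do not match and are skipped.
KEYTAB_LINE_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")


def parse_klist_keytab(output: str) -> List[Tuple[int, str]]:
    """(kvno, principal) for every key line of `klist -k` output (one line per key/enctype)."""
    entries = []
    for line in output.splitlines():
        m = KEYTAB_LINE_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"]))
    return entries


def host_key_versions(output: str, hostname: str) -> List[int]:
    """Distinct KVNOs held for host/<hostname>@<any realm>.  An empty list means the
    replica has no key with which kpropd can accept the sendauth exchange.  The host
    part is compared case-insensitively (a simplification made by this example)."""
    prefix = f"host/{hostname.lower()}@"
    return sorted({kvno for kvno, princ in parse_klist_keytab(output)
                   if princ.lower().startswith(prefix)})


def check_replica(klist_output: str, hostname: str, stash_path: str,
                  primary_time: float, replica_time: float,
                  max_skew_s: float = 300.0,
                  exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Run the three checks from the list above; returns one finding per failed check
    (an empty list means all passed).  `exists` is injectable so the stash-file check
    can be exercised without touching the filesystem."""
    findings = []
    skew = abs(primary_time - replica_time)
    if skew > max_skew_s:
        findings.append(f"clock skew of {skew:.0f}s between primary and replica exceeds {max_skew_s:.0f}s")
    if not exists(stash_path):
        findings.append(f"master stash file not found at {stash_path}")
    if not host_key_versions(klist_output, hostname):
        findings.append(f"keytab has no host/{hostname} key")
    return findings


# Constructed sample of `klist -k` output on a replica named kdc2.example.com
# (hostname and realm are made up for this example; one line per key/enctype).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc2.example.com@EXAMPLE.COM
   2 host/kdc2.example.com@EXAMPLE.COM
   3 nfs/files.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    import time
    # Placeholder stash path; on a real replica use the key_stash_file configured for the realm.
    now = time.time()
    for finding in check_replica(SAMPLE_KLIST, "kdc2.example.com",
                                 "/var/krb5kdc/.k5.EXAMPLE.COM", now, now):
        print("FAIL:", finding)
```

On a real replica, capture ``klist -k`` output into ``klist_output``, obtain the primary's time from the primary (for example over NTP or a remote ``date +%s``), and run the checks with the default ``exists``; each finding maps directly to one item of the list above.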