Oracle Solaris 11.1 Administration: Security Services
Kerberos Troubleshooting

This section provides troubleshooting information for the Kerberos software.

How to Identify Problems With Key Version Numbers

Sometimes, the key version number (KVNO) used by the KDC and the KVNO of the service principal keys stored in /etc/krb5/krb5.keytab for services hosted on the system do not match. The KVNO can get out of synchronization when a new set of keys is created on the KDC without updating the keytab file with the new keys. This problem can be diagnosed by using the following procedure.

  1. List the keytab entries.

    Note that the KVNO for each principal is included in the list.

    # klist -k 
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/denver.example.com@EXAMPLE.COM
       2 host/denver.example.com@EXAMPLE.COM
       2 host/denver.example.com@EXAMPLE.COM
       2 nfs/denver.example.com@EXAMPLE.COM
       2 nfs/denver.example.com@EXAMPLE.COM
       2 nfs/denver.example.com@EXAMPLE.COM
       2 nfs/denver.example.com@EXAMPLE.COM
  2. Acquire an initial credential by using the host key.
    # kinit -k
  3. Determine the KVNO that is used by the KDC.
    # kvno nfs/denver.example.com
    nfs/denver.example.com@EXAMPLE.COM: kvno = 3

    Note that the KVNO listed here is 3 instead of 2.
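The comparison in the procedure above can be automated once the two outputs have been captured. The following script is an added example, not part of the Oracle documentation: it parses saved `klist -k` output and saved `kvno` output (the sample texts below are constructed from the page's values, with an extra host entry added) and reports every principal whose KDC KVNO is absent from the local keytab.

```python
import re
from collections import defaultdict

# Constructed sample: output of "klist -k" on the host (as shown in the procedure).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/denver.example.com@EXAMPLE.COM
   2 host/denver.example.com@EXAMPLE.COM
   2 nfs/denver.example.com@EXAMPLE.COM
   2 nfs/denver.example.com@EXAMPLE.COM
"""

# Constructed sample: output of "kvno" for the same principals, queried at the KDC.
KVNO_OUTPUT = """nfs/denver.example.com@EXAMPLE.COM: kvno = 3
host/denver.example.com@EXAMPLE.COM: kvno = 2
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
KVNO_LINE = re.compile(r"^\s*(\S+@\S+): kvno = (\d+)\s*$")


def parse_klist(text):
    """Map each principal in klist -k output to the set of KVNOs stored locally.
    A principal appears once per encryption type, so several lines may share a KVNO."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_kvno(text):
    """Map each principal in kvno output to the KVNO the KDC currently issues."""
    result = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def find_mismatches(keytab, kdc):
    """Return {principal: (local KVNOs, KDC KVNO)} for principals whose KDC KVNO
    is not present in the keytab (including principals missing from it entirely)."""
    mismatches = {}
    for principal, kdc_kvno in kdc.items():
        local = keytab.get(principal, set())
        if kdc_kvno not in local:
            mismatches[principal] = (sorted(local), kdc_kvno)
    return mismatches


if __name__ == "__main__":
    for p, (local, remote) in find_mismatches(parse_klist(KLIST_OUTPUT), parse_kvno(KVNO_OUTPUT)).items():
        print(f"{p}: keytab has KVNO {local}, KDC uses {remote}")
```

On a live system the two texts would come from `klist -k` and `kvno <principal>` after `kinit -k`, exactly as in the steps above.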

Problems With the Format of the krb5.conf File

If the krb5.conf file is not formatted properly, then the following error message might be displayed in a terminal window or recorded in the log file:

Improper format of Kerberos configuration file while initializing krb5 library

If there is a problem with the format of the krb5.conf file, then the associated services could be vulnerable to attack. You must fix the problem before you allow Kerberos features to be used.

Problems Propagating the Kerberos Database

If propagating the Kerberos database fails, try /usr/bin/rlogin -x between the slave KDC and master KDC, and from the master KDC to the slave KDC server.

If the KDCs have been set up to restrict access, rlogin is disabled and cannot be used to troubleshoot this problem. To enable rlogin on a KDC, you must enable the eklogin service.

# svcadm enable svc:/network/login:eklogin

After you finish troubleshooting the problem, you need to disable the eklogin service.

If rlogin does not work, problems are likely because of the keytab files on the KDCs. If rlogin does work, the problem is not in the keytab file or the name service, because rlogin and the propagation software use the same host/host-name principal. In this case, make sure that the kpropd.acl file is correct.

Problems Mounting a Kerberized NFS File System

In this example, the setup allows one reference to the different interfaces and a single service principal instead of three service principals in the server's keytab file.

Problems Authenticating as the root User

If authentication fails when you try to become superuser on your system and you have already added the root principal to your host's keytab file, there are two potential problems to check. First, make sure that the root principal in the keytab file has a fully qualified host name as its instance. If it does, check the /etc/resolv.conf file to make sure that the system is correctly set up as a DNS client.

Observing Mapping From GSS Credentials to UNIX Credentials

To be able to monitor the credential mappings, first uncomment the following line in the /etc/gss/gsscred.conf file.

SYSLOG_UID_MAPPING=yes

Next, instruct the gssd service to reread the /etc/gss/gsscred.conf file.

# pkill -HUP gssd

Now you should be able to monitor the credential mappings as gssd requests them. The mappings are recorded by syslogd if the syslog.conf file is configured for the auth system facility with the debug severity level.