This section provides troubleshooting information for the SEAM software.
If the krb5.conf file is not formatted properly, the telnet command will fail. However, the dtlogin and login commands will still succeed, even if the krb5.conf file is specified as required for the commands. If this occurs, the following error message is displayed:
    Error initializing krb5: Improper format of Kerberos configuration
If there is a problem with the format of the krb5.conf file, you are vulnerable to security breaches. You should fix the problem before allowing SEAM features to be used.
If propagating the Kerberos database fails, try /usr/krb5/bin/rlogin -x between the slave KDC and master KDC and vice versa.
If the KDCs have been set up to restrict access, rlogin is disabled and cannot be used to troubleshoot this problem. To enable rlogin on a KDC, you must uncomment the eklogin entry in the /etc/inetd.conf file and restart inetd, as follows:
    # ps -eaf | grep inetd      (displays the process ID of inetd)
    # kill -1 pid_of_inetd
After you finish troubleshooting the problem, you need to change the inetd.conf file back to its original state and restart inetd again.
If rlogin does not work, the problem is likely to be with the keytabs on the KDCs. If rlogin does work, the problem is not in the keytab or the name service, since rlogin and the propagation software use the same host/host_name principal. In this case, make sure the kpropd.acl file is correct.
If mounting a Kerberized NFS file system fails, make sure the /var/tmp/rc_nfs file exists on the NFS server. If it is not owned by root, remove it and try the mount again.
If you have a problem accessing a Kerberized NFS file system, make sure there is an entry for gssd in the inetd.conf file both on your system and on the NFS server.
If you see either the invalid argument or bad directory error message when trying to access a Kerberized NFS file system, the problem may be that you are not using a fully-qualified DNS name when trying to mount the NFS file system. In that case, the host name being mounted does not match the host name part of the service principal in the server's keytab.
This may also occur if your server has multiple Ethernet interfaces and you have set up DNS to use a "name per interface" scheme instead of a "multiple address records per host" scheme. For SEAM, you should set up multiple address records per host as follows (Ken Hornstein, "Kerberos FAQ," http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html, accessed 11 December 1998):
    my.host.name.      A    1.2.3.4
                       A    1.2.4.4
                       A    1.2.5.4
    my-en0.host.name.  A    1.2.3.4
    my-en1.host.name.  A    1.2.4.4
    my-en2.host.name.  A    1.2.5.4
    4.3.2.1            PTR  my.host.name.
    4.4.2.1            PTR  my.host.name.
    4.5.2.1            PTR  my.host.name.
In this example, the setup allows one reference to the different interfaces and allows a single service principal instead of three service principals in the server's keytab.
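The following script is an added example, not part of the SEAM documentation: it parses a zone fragment in the form shown above and reports any address of the server whose PTR record does not map back to the single name used in the host/ service principal, which is the mismatch behind the "name per interface" problem. The sample records and the realm EXAMPLE.COM used in the check are constructed assumptions.

```python
# Added example, not from the SEAM documentation: checks that a server's DNS
# records use the "multiple address records per host" layout, so every address
# reverse-maps to the one name in its host/ principal. Samples are constructed.
def reverse_octets(addr):
    """'1.2.3.4' -> '4.3.2.1', the owner form used on the PTR lines above."""
    return ".".join(reversed(addr.split(".")))

def parse_records(text):
    """Parse 'owner TYPE rdata' lines; a line without an owner repeats the last."""
    a_records, ptr_records, owner = {}, {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        owner, rtype, rdata = fields if len(fields) == 3 else (owner, *fields)
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata)
        elif rtype == "PTR":
            ptr_records[owner] = rdata
    return a_records, ptr_records

def check_host(records, host, realm):
    """Return (service principal, problems) for host/<host>@<realm>; realm is assumed."""
    a_records, ptr_records = parse_records(records)
    principal = f"host/{host.rstrip('.')}@{realm}"
    problems = []
    if host not in a_records:
        problems.append(f"no A record for {host}")
    for addr in a_records.get(host, []):
        name = ptr_records.get(reverse_octets(addr))
        if name != host:
            problems.append(f"{addr} reverse-maps to {name}, not {host}")
    return principal, problems

# Constructed sample in the recommended layout: one name, three addresses.
GOOD_ZONE = """\
my.host.name.      A    1.2.3.4
                   A    1.2.4.4
                   A    1.2.5.4
4.3.2.1            PTR  my.host.name.
4.4.2.1            PTR  my.host.name.
4.5.2.1            PTR  my.host.name.
"""
# Constructed sample in the "name per interface" layout the text warns against.
BAD_ZONE = """\
my.host.name.      A    1.2.3.4
                   A    1.2.4.4
4.3.2.1            PTR  my-en0.host.name.
4.4.2.1            PTR  my-en1.host.name.
"""
```

Running check_host(GOOD_ZONE, "my.host.name.", "EXAMPLE.COM") returns an empty problem list, while the same call on BAD_ZONE names each address whose reverse mapping points at a per-interface name instead.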
If the authentication fails when you try to become superuser on your system and you have already added the root principal to your host's keytab, there are two potential problems to check. First, make sure the root principal in the keytab has a fully-qualified name as its instance. If it does, check the /etc/resolv.conf file to make sure the system is correctly set up as a DNS client.