MemberManual / ShellAccess / TroubleshootingKerberos

This page explains how to troubleshoot Kerberos problems.


Step 1: turn off your firewall

Make sure any and all firewalls are disabled.

Make sure you can send UDP packets to HCOOP by typing

traceroute kerberos2.hcoop.net

The last line of output should say "kerberos2.hcoop.net" or "fritz.hcoop.net" and have NO ASTERISKS. If this is not the case, fix your firewall or your network.

Step 2: check your krb5.conf

Examine your /etc/krb5.conf. On MacOS, also examine /Library/Preferences/edu.mit.Kerberos and ~/Library/Preferences/edu.mit.Kerberos if they exist; on 10.4, at least, the file is /System/Library/Frameworks/Kerberos.framework/Resources/edu.mit.Kerberos, and the default configuration will not work.

Make sure that the dns_lookup_kdc and dns_lookup_realm options are NOT DISABLED. They should be on by default, but in case your Linux distribution's packager changed that, try adding the following to the [libdefaults] section:

  dns_lookup_kdc   = true
  dns_lookup_realm = true

Step 3: make sure your DNS is working

Install the dig program and type

dig -t SRV _kerberos._udp.hcoop.net

You should see kerberosN.hcoop.net in the output (where N is a number that varies).

If you don't see this record, one or more of the DNS servers that you're querying is probably blocking SRV requests. Figure out which name servers you're using by reading the file /etc/resolv.conf (cat /etc/resolv.conf) on your Linux host. Query each of these name servers for the record in order to see where modifications might be necessary. You can do this by adding @nameserver.example.com to the end of the command, e.g. dig -t SRV _kerberos._udp.hcoop.net @nameserver.example.com.

You will likely find that one or more of the name servers you are using does not return an SRV record. If the offending name server is one that you administer, there may be an easy fix. For example, dnsmasq (no relationship to djbdns) has an option filterwin2k that causes it to drop these records for added security. dnsmasq is used by OpenWrt and lots of other distros, and some network device vendors unfortunately ship their product with this option enabled, so you will need to comment it out (see https://dev.openwrt.org/ticket/557 for more info). Restart the device or the name resolution process on the offending device for the changes to take effect. If the offending name servers that refuse to pass SRV records through aren't your own, you may have to contact the ISP that runs them, or switch to other name servers that are properly configured.

Step 4: make sure your tickets are "forwardable"

Run this command:

klist -f

If you don't see the letter "F" after "Flags:", your tickets are not forwardable. Try kinit again with the -f flag, or adjust your krb5.conf.

Step 5: post to hcoop-help

Post to hcoop-help; make sure to include:

  1. Your entire krb5.conf
  2. The output of all the commands in steps 1, 3, and 4.
  3. The output of "date" on mire.hcoop.net at the time that you performed steps 1 and 3.

The last part is important -- we need to correlate your attempts with the error logs on deleuze, and the only way to do that is by date/time. To avoid confusion caused by time zone or clock skew, we ask that you include the time of day as reported on mire, because we know its clock is synced with deleuze's.
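An added example, not part of this page, that scripts Steps 3 and 4: it queries every resolver listed in /etc/resolv.conf for the SRV record and checks "klist -f" for the F flag. The function names are my own; dig and klist are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the HCOOP wiki page: automates Steps 3 and 4.
# Assumes dig and klist are on PATH. The parsing helpers read text on stdin,
# so their logic can be checked against constructed sample output offline.

SRV_NAME="_kerberos._udp.hcoop.net"

# Print the nameserver addresses listed in resolv.conf-style text (stdin).
resolvers_from_text() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed if dig output (stdin) has an SRV answer naming kerberosN.hcoop.net.
srv_answer_present() {
    grep -Eq 'IN[[:space:]]+SRV[[:space:]].*kerberos[0-9]+\.hcoop\.net'
}

# Succeed if "klist -f" output (stdin) shows the F (forwardable) flag.
# Case matters: a lowercase f means "forwarded", not "forwardable".
tickets_forwardable() {
    grep -Eq 'Flags:[[:space:]]*[A-Za-z]*F'
}

# Step 3: ask every resolver in /etc/resolv.conf for the SRV record, so the
# one that drops it (filterwin2k or a firewall) can be identified.
check_resolvers() {
    resolvers_from_text < /etc/resolv.conf | while read -r ns; do
        if dig -t SRV "$SRV_NAME" "@$ns" < /dev/null | srv_answer_present; then
            echo "OK   $ns returns $SRV_NAME"
        else
            echo "FAIL $ns returns no SRV record for $SRV_NAME"
        fi
    done
}

# Step 4: report whether the current ticket cache holds forwardable tickets.
check_forwardable() {
    if klist -f < /dev/null | tickets_forwardable; then
        echo "OK   tickets are forwardable"
    else
        echo "FAIL tickets are not forwardable; try kinit -f"
    fi
}

# Run the live checks only when invoked as: sh check-kerberos.sh run
if [ "${1:-}" = "run" ]; then
    check_resolvers
    check_forwardable
fi
```

Paste the output of both checks into your hcoop-help post alongside the raw dig and klist output.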

Client-side firewall settings

If you are using a firewall, you might want to open it for UDP packets to and from at least one of our KDCs (say, kerberos2.hcoop.net) on port 88. Lines for iptables saved rules might look like the following, with <KDC-ADDRESS> replaced by that KDC's IP address:

 [0:0] -A INPUT -s <KDC-ADDRESS> -p udp -m udp --sport 88 --dport 1024:65535 -j ACCEPT

 [0:0] -A OUTPUT -d <KDC-ADDRESS> -p udp -m udp --dport 88 --sport 1024:65535 -j ACCEPT

Put them before any rules that conflict with them (and before the 'COMMIT' line in the saved rules file).


On Windows, in theory you would use tracert instead of the traceroute from Step 1, except that the Windows tracert doesn't use UDP packets, so it is not helpful for troubleshooting purposes. Sorry, you'll need to find a "real" traceroute. Consult the OpenAFS and Windows instructions page of our Member Manual for further details that may prove helpful.

CategoryMemberManual CategoryNeedsWork

MemberManual/ShellAccess/TroubleshootingKerberos (last edited 2013-01-13 18:17:02 by ClintonEbadi)