5.1 A Quick Decision Tree
So you're having a problem with your Kerberos installation. The first
step to solving this problem, like debugging any other issue, is to
narrow down the root cause. We'll determine which of three distinct
categories the problem falls into, and continue our analysis from
there.
An easy way to categorize an error involving Kerberos authentication
is by which tickets the client can acquire for a service. Let's look
at the three top-level categories:

1. Client can't get an initial Ticket Granting Ticket.
   This is most likely a client-specific problem, especially if logging
   in with the user principal and password works on other clients. Of
   course, it could also mean that the password entered for the user
   principal is incorrect. The most likely culprits include
   time-synchronization problems and issues reaching the Kerberos
   server due to misconfiguration of the client. It is also possible
   that the client does not share a compatible encryption type for the
   user's secret key with the KDC. This can happen, for example, when
   attempting to interoperate between a Unix client and a Windows
   domain controller. By default, Windows domain controllers create
   user entries with an RC4-HMAC encryption type, which most Unix
   Kerberos implementations do not understand. Newer versions of
   Heimdal and MIT Kerberos 5 will support this encryption type.

2. Client has a valid TGT but gets an error before a service ticket is
   acquired.
   Once again, this is most likely a problem with the client. The usual
   suspects in this scenario include Kerberos misconfiguration on the
   client, which we'll cover in a subsequent section. Another
   possibility is that the service principal that the client requested
   simply does not exist. Examining the KDC log files is a good way to
   determine whether the client is reaching the KDC and, if so, whether
   it is attempting to acquire tickets for a principal that does not
   exist or is in a different realm.

3. Client has a valid TGT and service ticket, but reports an error on
   connection to the Kerberized service.
   There is most likely a problem with the server. At this point, the
   client has received a ticket for the service and presented it to the
   service for authentication. The most common cause of a failure at
   this point is a mismatch in the encryption types or key version
   numbers for the Kerberos service between the service's keytab and
   the KDC. The KDC may have issued a ticket with an encryption type
   that the service does not understand, or perhaps the service's
   keytab contains an incorrect encryption key. The service may not be
   able to read its keytab at all; ensure that the service's keytab is
   readable by the user the service runs as, and that the appropriate
   configuration is in place to point the service to the location of
   the keytab. Another possibility is that the server's DNS or Kerberos
   configuration file is not configured correctly. Make sure that the
   target server's hostname can be correctly resolved by using
   diagnostic tools such as ping and nslookup.
General root causes that should be investigated include time
synchronization and correct hostname and DNS settings on all
machines.
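The keytab-versus-KDC comparison that the third category calls for, as an added shell example (not from the book): it parses the text that kvno, klist -e and klist -k -e print and reports whether the keytab can decrypt the ticket the KDC issued. All command output below is constructed, and the principal host/server.example.com@EXAMPLE.COM and the path /etc/krb5.keytab are placeholders.

```shell
#!/bin/sh
# Added example, not from the book. Compares the service ticket the KDC
# issued (its kvno and enctype) with the keys the service's keytab holds.
# The three command outputs are constructed; principal and realm are placeholders.
SPN='host/server.example.com@EXAMPLE.COM'

# `kvno host/server.example.com` on the client (constructed)
KVNO_OUT="$SPN: kvno = 3"

# `klist -e` on the client: the service ticket line and its Etype line (constructed)
KLIST_OUT="01/02/24 10:00:05  01/02/24 20:00:00  $SPN
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96"

# `klist -k -e /etc/krb5.keytab` on the server (constructed): keytab still at
# kvno 2, i.e. the service key was changed at the KDC after the keytab was written
KEYTAB_STALE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Right kvno but only an RC4 key (constructed): the AES ticket cannot be decrypted
KEYTAB_RC4='KVNO Principal
   3 host/server.example.com@EXAMPLE.COM (arcfour-hmac)'

# Key version number the KDC issued the service ticket with
ticket_kvno() { printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'; }

# Enctype of the ticket itself: the "tkt" value, last field of the Etype line after the SPN line
ticket_etype() {
  printf '%s\n' "$2" | awk -v spn="$1" 'hit && /Etype/ { print $NF; exit } index($0, spn) { hit = 1 }'
}

# "<kvno> <enctype>" for every keytab entry belonging to the SPN
keytab_entries() {
  printf '%s\n' "$2" | awk -v spn="$1" '$2 == spn { gsub(/[()]/, "", $3); print $1, $3 }'
}

# 0: keytab can decrypt the ticket; 1: kvno mismatch; 2: enctype mismatch; 3: SPN absent
keytab_check() {
  kvno=$(ticket_kvno "$2"); etype=$(ticket_etype "$1" "$3"); entries=$(keytab_entries "$1" "$4")
  [ -n "$entries" ] || return 3
  printf '%s\n' "$entries" | grep -q "^$kvno " || return 1
  printf '%s\n' "$entries" | grep -q "^$kvno $etype\$" || return 2
}

# Walk both constructed keytabs and print which branch to follow
for kt in "$KEYTAB_STALE" "$KEYTAB_RC4"; do
  rc=0; keytab_check "$SPN" "$KVNO_OUT" "$KLIST_OUT" "$kt" || rc=$?
  case $rc in 0) echo "keytab matches the ticket";; 1) echo "kvno mismatch: re-extract the keytab";;
    2) echo "enctype mismatch: keytab has no key of the ticket's type";; *) echo "SPN not in keytab";; esac
done
```

On a real server, replace the three constructed strings with `$(kvno "$SPN")`, `$(klist -e)` and `$(klist -k -e /etc/krb5.keytab)` run as the service user, which also exercises the keytab-readability check the text mentions.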
Finally—this may seem obvious—it is easy to overlook the
final step: recording the error and the solution that was used to
solve the problem. All too often, especially with some of the more
esoteric errors that Kerberos can produce, administrators experience
an error one day, solve the problem, then experience the same error a
week later, and have to track down the root cause again, only to find
that the solution is vaguely familiar.