HP CIFS Server and Kerberos

Chapter 8 Support Tools and Common Problems
Kerberos authentication is difficult to troubleshoot. The default data list for troubleshooting Kerberos
authentication problems is:
• kinit results
• smb.conf
• krb5.conf
• uname -a
• swlist -l product | grep -i krb
• swlist -l product | grep -i ldap
• smbd -V
• Samba log level 10 for client session
  o log level = 10
  o log file = /var/opt/samba/log.%m
• “net ads join -U username -d 10” join log level 10 (if possible)
  o Mainly the last 2 pages with the ticket decryption
• “net ads status -U username” output (mainly the service principals)
• Windows Server version (2000 or 2003)
• Windows client version and Service Pack level
• Wireshark trace
  o This is often the most useful tool
8.1 Support Tools
Most of the useful support tools have been demonstrated throughout this paper. Here is a summary.
8.1.1 kinit
The first step in working with CIFS/Samba and Kerberos is to verify that Kerberos itself is working
correctly. An HP-UX kinit must work properly before beginning with CIFS/Samba.
# kinit administrator
Password for administrator@HPATC2000.HP.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HPATC2000.HP.COM
Valid starting     Expires            Service principal
03/29/05 10:28:48  03/29/05 20:26:45  krbtgt/HPATC2000.HP.COM@HPATC2000.HP.COM
        renew until 03/29/05 20:28:48
#
A klist will verify that the credentials were loaded into the cache for the KDC service.
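The klist check above can be scripted before any CIFS/Samba step is attempted. The following is an added example, not part of the original paper or of HP CIFS Server: the function names check_tgt and sample_klist are hypothetical, and the sample input is the klist session shown above.

```shell
#!/bin/sh
# Added example (not from the original paper).
# check_tgt reads klist output on stdin and confirms that the cache holds
# a ticket-granting ticket (krbtgt/REALM@REALM) for the default
# principal's realm. It prints the TGT service principal and returns 0
# when one is found, and returns 1 otherwise.
check_tgt() {
    awk '
        # "Default principal: user@REALM" -> remember the realm
        /^Default principal:/ {
            n = split($3, part, "@")
            if (n == 2) realm = part[2]
            next
        }
        # Ticket lines end with the service principal. "renew until"
        # lines end with a time, so they never match.
        realm != "" && ($NF == ("krbtgt/" realm "@" realm)) {
            print $NF
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Sample input: the klist output from the session above.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HPATC2000.HP.COM

Valid starting     Expires            Service principal
03/29/05 10:28:48  03/29/05 20:26:45  krbtgt/HPATC2000.HP.COM@HPATC2000.HP.COM
        renew until 03/29/05 20:28:48
EOF
}

# Demonstration on the sample; on a live system use: klist | check_tgt
sample_klist | check_tgt
```

A non-zero return means no TGT for the default realm is cached, so kinit should be fixed before collecting Samba logs. The function does not compare the Expires column with the current time.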