Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Propagation
Monitoring Propagation
Chapter 7
• Number of principals does not match
• An authentication test to the primary server succeeds but fails on the secondary server
Authentication Problems Occur
The out-of-sync condition may first appear as an intermittent
authentication failure. In this scenario, a principal that changes the
password, perhaps after the password expires, is not able to
authenticate, even though the password change is successful. The
principal may continue to attempt authentication, and may even succeed
if the authentication attempt is sent to the primary server. However, if
the principal fails on one server as many times as specified by the
MaxFailAuthCnt parameter in the password policy file, that principal is
locked out.
NOTE HP’s authentication servers do not issue different messages for different
situations that cause authentication failure. For security reasons, the
error message to the user is the same for bad password, bad user, or
locked user.
Failure to authenticate can be caused by a variety of situations, such as
incorrectly typed passwords, locked users, and so on. This situation alone
does not suggest an out-of-sync condition; further clues are needed.
Administration Appears Normal
The next clue is that administration continues to function normally.
Continuing the scenario in which a principal who changed his or her
password fails to authenticate, the principal reports the problem to the
system administrator. The administrator then uses one of the
administration tools to unlock the user, if necessary, and change the
user’s password to some simple value. The administrator then gives the
newest password to the user.
The principal may then fail to authenticate with the newest password
and will report the problem to the administrator. They may repeat the
process, but it will not solve the problem. This is another clue that the
databases are out of sync and propagation has stopped. If the principal is
able to authenticate once, but not again, that is another clue.
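The clues above can be checked mechanically by correlating authentication results per principal and per server after a password change. The following is an added example, not taken from the HP manual or from HP's tools: the event tuples, the event names (PW_CHANGE, AUTH_OK, AUTH_FAIL) and the sample data are constructed, and max_fail_auth_cnt stands in for the MaxFailAuthCnt value from your password policy file.

```python
from collections import defaultdict

# Constructed sample events (time, server, principal, event); not HP log output.
SAMPLE_EVENTS = [
    (100, "primary", "alice", "PW_CHANGE"),
    (110, "secondary", "alice", "AUTH_FAIL"),
    (120, "primary", "alice", "AUTH_OK"),
    (130, "secondary", "alice", "AUTH_FAIL"),
    (140, "secondary", "alice", "AUTH_FAIL"),
    (105, "primary", "bob", "AUTH_FAIL"),   # mistyped password, no change
    (115, "primary", "bob", "AUTH_OK"),
]

def find_out_of_sync_suspects(events, max_fail_auth_cnt):
    """Flag principals whose post-password-change results differ by server.

    Returns {principal: {"failing_servers": [...], "lockout_risk": bool}}.
    """
    last_change = {}
    ok = defaultdict(set)                          # principal -> servers with a success
    fails = defaultdict(lambda: defaultdict(int))  # principal -> server -> failure count
    for ts, server, principal, event in sorted(events):
        if event == "PW_CHANGE":
            # Only results after the most recent change are relevant.
            last_change[principal] = ts
            ok[principal].clear()
            fails[principal].clear()
        elif principal in last_change:
            if event == "AUTH_OK":
                ok[principal].add(server)
            elif event == "AUTH_FAIL":
                fails[principal][server] += 1
    suspects = {}
    for principal in last_change:
        # Servers that only failed while some other server accepted the password.
        failing = sorted(s for s in fails[principal] if s not in ok[principal])
        if failing and ok[principal]:
            worst = max(fails[principal][s] for s in failing)
            suspects[principal] = {
                "failing_servers": failing,
                # Lockout applies per server once failures reach the policy limit.
                "lockout_risk": worst >= max_fail_auth_cnt,
            }
    return suspects
```

A principal that fails everywhere, or fails without a preceding password change, is not flagged, which matches the point that authentication failure alone does not suggest an out-of-sync condition.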