Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Troubleshooting
General Errors
• Ensure that the Domain Name Server (DNS) is working properly.
Several aspects of Kerberos rely on this name service. It is important
that your DNS entries and your hosts have the correct information.
Each host’s canonical name must be a fully-qualified host name,
including the domain, and each host’s IP address must
reverse-resolve to the canonical name.
• Ensure that you remove all trailing spaces in the configuration files.
Trailing spaces can cause problems with the Server. Otherwise, a
message appears stating, “kdcd cannot start the database for the realm.”
• The Kerberos daemons kdcd and kadmind do not dump core by
default.
If you, as the administrator, want the kadmind daemon to dump core,
you need to create a file DEBUG in the directory,
/var/adm/krb5/kadmind/DEBUG, with the setuid bit set.
If you need the kdcd daemon to dump core, you need to create
a file DEBUG in the directory, /var/adm/krb5/kdc/DEBUG, with the
setuid bit set.
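The DNS and trailing-space conditions above can be checked with a script before the daemons are started. The shell functions below are an added example, not part of the HP documentation or the product; the function names and the sample text are assumptions, and the two names passed to dns_names_ok are looked up beforehand with the site's resolver tool.

```sh
#!/bin/sh
# Added example: checks for two conditions from the list above.
# File names and host names are supplied by the administrator; none are
# taken from the Kerberos Server product.

# Print "file:line" for each line ending in a space or tab.
# Exit status 0 = clean, 1 = trailing whitespace found.
trailing_ws() {
    awk -v f="$1" '/[ \t]+$/ { print f ":" NR; bad = 1 } END { exit bad + 0 }' "$1"
}

# Write a copy of file $1 to $2 with trailing spaces and tabs removed.
strip_trailing_ws() {
    sed 's/[[:blank:]]*$//' "$1" > "$2"
}

# Lower-case a DNS name and drop a trailing root dot.
norm_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# $1 = canonical name of the host, $2 = name its IP address reverse-resolves to
# (both looked up beforehand with the site's resolver tool).
dns_names_ok() {
    c=$(norm_name "$1")
    r=$(norm_name "$2")
    case "$c" in
        *.*) ;;   # contains a domain part
        *) echo "not fully qualified: $1"; return 1 ;;
    esac
    [ "$c" = "$r" ] || { echo "reverse lookup gives $2, expected $1"; return 1; }
}

# Constructed sample, not a real configuration file:
# line 2 ends in a space, line 3 ends in a tab.
demo() {
    t="${TMPDIR:-/tmp}/trailing-ws-demo.$$"
    printf 'first line\nsecond line \nthird line\t\n' > "$t"
    trailing_ws "$t" | sed 's/.*:/line /'
    rm -f "$t"
}

# Usage: sh preflight.sh FILE...
for f in "$@"; do
    trailing_ws "$f" || echo "trailing whitespace in $f"
done
```

Run strip_trailing_ws on a copy and compare it with the original before replacing a live configuration file.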
Forgotten Passwords
If an application user forgets the password, you need to reset the
password. To do this, you must have the correct administrative
permissions: i for Inquire About Principals and c for Change Principal
Passwords.
Using either Administrator or Command-Line-Administrator, change
the password and inform the user of the new temporary password. By
default, the user will be required to change the password on the next
logon.
Locking and Unlocking Accounts
If a user or a service principal exceeds the maximum number of failed
authentication attempts allowed by the password policy file, the account
is locked and the principal will not be issued a ticket. Alternatively, a