Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Troubleshooting

General Errors

Chapter 9272

security administrator may have purposefully locked a principal account

so it could temporarily not be used. In each case, the principal remains in

the principal database, but is unable to use Kerberos services.

To unlock a principal account, use either the Administrator or

Command-Line-Administrator.

Using the Administrator:

1. go to the Principal information window - Principals tab.

2. Select the Attributes tab

3. Clear the Lock Principal box

You must have the correct administrative permissions, i for Inquire

About Principals and m for Modify Principals, to lock or unlock an

account.

Using the Command-Line-Administrator:

1. invoke the tool by type the kadmin at the command line prompt

2. use the mod [principal] attr {lock | unlock} command

Clock Synchronization

While client clocks are not required to be closely synchronized with the

security server or application server, we recommend that you do loosely

synchronize all client clocks with the server.

In the event that the client clock is outside the permitted clock skew of

ﬁve minutes, you will see entries in the client systems log ﬁle that

indicate the condition.

To eliminate the warnings, synchronize the client clock with the server to

within ﬁve minutes.

NOTE You must closely synchronize all security server and application server

clocks. We recommend that you implement a secured time service to

ensure that all clocks are synchronized.