HP UX Kerberos Data Security Software manual General Errors, Forgotten Passwords

Models: UX Kerberos Data Security Software


Troubleshooting

General Errors


Ensure that the Domain Name Server (DNS) is working properly. Several aspects of Kerberos rely on this name service, so your DNS entries and your hosts must have the correct information. Each host’s canonical name must be a fully-qualified host name, including the domain, and each host’s IP address must reverse-resolve to the canonical name.
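The two DNS requirements above can be checked per host before troubleshooting further. This is an added example, not part of the HP manual: the function names, the injectable `forward`/`reverse` resolver parameters, and the sample records (example.com names, RFC 5737 addresses) are constructed for illustration.

```python
import socket

def _sys_forward(name):
    canonical, _aliases, addrs = socket.gethostbyname_ex(name)
    return canonical, addrs

def _sys_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def check_host(name, forward=_sys_forward, reverse=_sys_reverse):
    """Return a list of DNS problems for one Kerberos host ([] means OK).

    forward(name) -> (canonical_name, [ip, ...]); reverse(ip) -> PTR name.
    Both raise OSError on lookup failure, as the socket module does.
    """
    try:
        canonical, addrs = forward(name)
    except OSError as exc:
        return [f"{name}: forward lookup failed ({exc})"]
    canon = canonical.rstrip(".").lower()
    problems = []
    if "." not in canon:
        problems.append(f"{name}: canonical name '{canon}' is not fully qualified")
    for ip in addrs:
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{name}: no reverse record for {ip} ({exc})")
            continue
        if ptr != canon:
            problems.append(f"{name}: {ip} reverse-resolves to '{ptr}', not '{canon}'")
    return problems

# Constructed sample records so the check can be exercised offline.
SAMPLE_A = {"kdc1.example.com": ("kdc1.example.com", ["192.0.2.10"]),
            "app1": ("app1", ["192.0.2.20"]),              # short canonical name
            "app2.example.com": ("app2.example.com", ["192.0.2.30"])}
SAMPLE_PTR = {"192.0.2.10": "kdc1.example.com", "192.0.2.20": "app1",
              "192.0.2.30": "old-app2.example.com"}        # stale PTR record

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("host not found")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for host in ("kdc1.example.com", "app1", "app2.example.com"):
        print(host, check_host(host, sample_forward, sample_reverse) or "OK")
```

Calling `check_host(name)` without the resolver arguments uses the system resolver, so run it on the KDC and on each client to see the names each of them actually resolves.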

Ensure that you remove all trailing spaces from the configuration files. Trailing spaces can cause problems with the Server. Otherwise, a message appears stating, “kdcd cannot start the database for the realm.”

By default, the Kerberos daemons kdcd and kadmind do not dump core.

If you, as the administrator, want the kadmind daemon to dump core, create a file DEBUG in the directory, /var/adm/krb5/kadmind/DEBUG, with the setuid bit set.

If you need the kdcd daemon to dump core, create a file DEBUG in the directory, /var/adm/krb5/kdc/DEBUG, with the setuid bit set.

Forgotten Passwords

If an application user forgets the password, you need to reset the password. To do this, you must have the correct administrative permissions: i for Inquire About Principals and c for Change Principal Passwords.

Using either Administrator or Command-Line-Administrator, change the password and inform the user of the new temporary password. By default, the user will be required to change the password on the next logon.

Locking and Unlocking Accounts

If a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal will not be issued a ticket. Alternatively, a
