Troubleshooting Kerberos Related Products

Troubleshooting PAM Kerberos

The PAM Kerberos module returns debug and error messages that are logged using the syslog utility. Use the appropriate syslog log levels to gather more information about error scenarios.

Debug logging is enabled with the debug option on the Kerberos PAM module entry in the /etc/pam.conf file, as shown in the following example:

login auth sufficient /usr/lib/security/libpam_krb5.1 debug

When using the debug option, make sure you designate a log file for debugging by modifying the /etc/syslog.conf file. For example:

*.debug<tab>/var/adm/syslog/pam.log

You can instruct the syslog daemon, /etc/syslogd, to re-read its configuration file by sending it a HANGUP signal as follows:

kill -HUP `cat /var/run/syslog.pid`
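
The two configuration entries above can be checked with a short script before relying on the log. This is an added example, not part of the original manual: the function names are hypothetical, the sample files are constructed, and it assumes the pam.conf field order of the entry shown above and a tab between selector and action in syslog.conf, as the <tab> in the example indicates.

```shell
#!/bin/sh
# Added example (not from the original manual): verify the two settings above.
# File paths are arguments so the checks can be run on copies of the files.

# Print "service type" for each libpam_krb5 entry that lacks the debug option.
krb5_debug_missing() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        $4 ~ /libpam_krb5/ {                       # field 4 is the module path
            seen = 1; has = 0
            for (i = 5; i <= NF; i++) if ($i == "debug") has = 1
            if (!has) print $1, $2
        }
        END { if (!seen) print "(no libpam_krb5 entries)" }' "$1"
}

# Print the action of a "*.debug" selector. Fields are split on tabs only,
# following the <tab> in the entry above, so a space-separated line is ignored.
syslog_debug_target() {
    awk -F'\t+' '
        /^[ \t]*#/ { next }
        NF >= 2 && $1 ~ /^(.*;)?\*\.debug$/ { print $2 }' "$1"
}

# Return 0 when both settings are in place, 1 otherwise.
check_pam_krb5_logging() {
    rc=0
    missing=$(krb5_debug_missing "$1")
    [ -z "$missing" ] || { echo "debug option missing: $missing"; rc=1; }
    target=$(syslog_debug_target "$2")
    if [ -n "$target" ]; then
        echo "debug messages are written to: $target"
    else
        echo "no tab-separated *.debug entry in $2"; rc=1
    fi
    return $rc
}

# Constructed sample files for a stand-alone run.
demo_dir=${TMPDIR:-/tmp}/pamkrb5_demo.$$
mkdir -p "$demo_dir"
printf '%s\n' 'login auth sufficient /usr/lib/security/libpam_krb5.1 debug' \
              'ftp   auth sufficient /usr/lib/security/libpam_krb5.1' > "$demo_dir/pam.conf"
printf '*.debug\t/var/adm/syslog/pam.log\n' > "$demo_dir/syslog.conf"
check_pam_krb5_logging "$demo_dir/pam.conf" "$demo_dir/syslog.conf" || true
```

On a live system, pass /etc/pam.conf and /etc/syslog.conf as the two arguments to check_pam_krb5_logging.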

The syslog also contains all the authentication messages for ARPA services such as ftp and telnet. For more information, see the syslogd(1M) manpage.

In addition, the syslog contains PAM error codes from the /usr/include/security/pam_appl.h include file. Table 4-1 provides a list of error codes with the suggested corrective actions.

Table 4-1  Error Codes and Corrective Actions

Error No.  PAM Error Code   Meaning              Reason/Corrective Actions
---------  ---------------  -------------------  --------------------------------------------------------------------
1          PAM_SYSTEM_ERR   System error         Generic System Error. See syslog outputs for specific information.
2          PAM_BUF_ERR      Memory buffer error  Ensure that sufficient system memory is available for all processes.
3          PAM_PERM_DENIED  No permission        Check the permissions/ACLs.
