Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

A.5. Kerberos Errors

Kerberos errors frequently become apparent when trying to connect to the realm using kinit or a similar client. For information related to Kerberos, first check the Kerberos manpages, help files, and other resources.


Identity Management has its own command-line tools to use to manage Kerberos policies. Do not use kadmin or kadmin.local to manage IdM Kerberos settings.
There are several places to look for Kerberos error log information:
  • For kinit problems or other Kerberos server problems, look at the KDC log in /var/log/krb5kdc.log.
  • For IdM-specific errors, look in /var/log/httpd/error_log.
The IdM logs, both for the server and for IdM-associated services, are covered in Section 28.1.4, “Checking IdM Server Logs”.

A.5.1. Problems making connections with SSH when using GSS-API

If there are bad reverse DNS entries in the DNS configuration, then it may not be possible to log into IdM resources using SSH. When SSH attempts to connect to a resource using GSS-API as its security method, GSS-API first checks the DNS records. The bad records prevent SSH from locating the resource.
It is possible to disable reverse DNS lookups in the SSH configuration. Rather than using reverse DNS records, SSH passes the given username directly to GSS-API.
To disable reverse DNS lookups with SSH, add or edit the GSSAPITrustDNS directive and set the value to no.
# vim /etc/ssh/ssh_config 

A.5.2. There are problems connecting to an NFS server after changing a keytab

Clients attempting to mount NFS exports rely on the existence of a valid principal and secret key on both the NFS server and the client host. Clients themselves should not have access to the NFS keytab. The ticket for the NFS connection will be given to clients from the KDC.
Failure to export an updated keytab can cause problems that are difficult to isolate. For example, existing service connections may continue to function, but no new connections may be possible.