<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="task" /> <meta name="DC.Title" content="Troubleshoot Kerberos server in i5/OS PASE" /> <meta name="abstract" content="Troubleshoot Kerberos server in i5/OS PASE by accessing status and informational log files." /> <meta name="description" content="Troubleshoot Kerberos server in i5/OS PASE by accessing status and informational log files." /> <meta name="DC.Relation" scheme="URI" content="rzakhtrouble.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzakhadvtpase" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. --> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Troubleshoot Kerberos server in i5/OS PASE</title> </head> <body id="rzakhadvtpase"><a name="rzakhadvtpase"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <h1 class="topictitle1">Troubleshoot Kerberos server in i5/OS PASE</h1> <div><p>Troubleshoot Kerberos server in i5/OS™ PASE by accessing status and informational log files.</p> <div class="section">During configuration of a Kerberos server in i5/OS PASE, the authentication server and the administration server are created. These servers write status and informational messages to a log file located in the <span class="filepath">/var/krb5/log</span> directory. This log file, krb5kdc.log contains messages that can help the administrator troubleshoot problems with configuration and authentication requests.</div> <div class="p"><span>Access Kerberos server log files in i5/OS PASE</span> On the iSeries™ server that you have the Kerberos server configured in i5/OS PASE, complete these steps:<ol type="a"><li class="substepexpand"><span>At a character-based interface, type <tt>QP2TERM</tt>. </span> This command opens an interactive shell environment that allows you to work with i5/OS PASE applications.</li> <li class="substepexpand"><span>At the command line, type <tt>cd /var/krb5/log</tt>.</span></li> <li class="substepexpand"><span>At the command line, type <tt>cat /krb5kdc.log</tt>. </span> This will open the krb5kdc.log file that contains error messages for the i5/OS PASE KDC.</li> </ol> </div> <div class="example"><h4 class="sectiontitle">Example krb5kdc.log file</h4>The following sample log contains several messages<pre class="screen">$ AS_REQ (3 etypes {16 3 1}) 10.1.1.2(88): NEEDED_PREAUTH: jday@ISERIESA.MYCO.COM for kadmin/changepw@ISERIESA.MYCO.COM, Additional pre-authentication required Apr 30 14:18:08 iseriesa.myco.com /usr/krb5/sbin/krb5kdc[334](info): AS_REQ (3 etypes {16 3 1}) 10.1.1.2(88): ISSUE: authtime 1051730288, etypes {rep=16 tkt=16 ses=16}, jday@ISERIESA.MYCO.COM for kadmin/changepw@ISERIESA.MYCO.COM Apr 30 14:18:56 iseriesa.myco.com /usr/krb5/sbin/krb5kdc[334](Notice): AS_REQ (3 etypes {16 3 1}) 10.1.1.2(88): NEEDED_PREAUTH: jday@ISERIESA.MYCO.COM for kadmin/changepw@ISERIESA.MYCO.COM, Additional pre-authentication required Apr 30 14:18:56 iseriesa.myco.com /usr/krb5/sbin/krb5kdc[334](info): DISPATCH: replay found and re-transmitted $</pre> </div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhtrouble.htm" title="This section provides links to troubleshooting information about common problems for network authentication service, Enterprise Identity Mapping (EIM), and IBM-supplied applications that support Kerberos authentication.">Troubleshoot</a></div> </div> </div> </body> </html>