<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Troubleshoot Kerberos server in i5/OS PASE" />
<meta name="abstract" content="Troubleshoot Kerberos server in i5/OS PASE by accessing status and informational log files." />
<meta name="description" content="Troubleshoot Kerberos server in i5/OS PASE by accessing status and informational log files." />
<meta name="DC.Relation" scheme="URI" content="rzakhtrouble.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhadvtpase" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshoot Kerberos server in i5/OS PASE</title>
</head>
<body id="rzakhadvtpase"><a name="rzakhadvtpase"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Troubleshoot Kerberos server in i5/OS PASE</h1>
<div><p>Troubleshoot Kerberos server in i5/OS™ PASE by accessing status and informational
log files.</p>
<div class="section">During configuration of a Kerberos server in i5/OS PASE, the authentication server and
the administration server are created. These servers write status and informational
messages to a log file located in the <span class="filepath">/var/krb5/log</span> directory.
This log file, krb5kdc.log contains messages that can help the administrator
troubleshoot problems with configuration and authentication requests.</div>
<div class="p"><span>Access Kerberos server log files in i5/OS PASE</span> On the iSeries™ server
that you have the Kerberos server configured in i5/OS PASE, complete these steps:<ol type="a"><li class="substepexpand"><span>At a character-based interface, type <tt>QP2TERM</tt>. </span> This command opens an interactive shell environment that allows you
to work with i5/OS PASE
applications.</li>
<li class="substepexpand"><span>At the command line, type <tt>cd /var/krb5/log</tt>.</span></li>
<li class="substepexpand"><span>At the command line, type <tt>cat /krb5kdc.log</tt>. </span> This will open the krb5kdc.log file that contains error messages for
the i5/OS PASE
KDC.</li>
</ol>
</div>
<div class="example"><h4 class="sectiontitle">Example krb5kdc.log file</h4>The following sample log contains
several messages<pre class="screen">$ 
AS_REQ (3 etypes {16 3 1}) 10.1.1.2(88): NEEDED_PREAUTH: 
jday@ISERIESA.MYCO.COM for kadmin/changepw@ISERIESA.MYCO.COM, 
Additional pre-authentication required

Apr 30 14:18:08 iseriesa.myco.com /usr/krb5/sbin/krb5kdc[334](info): 
AS_REQ (3 etypes {16 3 1}) 10.1.1.2(88): ISSUE: authtime 1051730288, 
etypes {rep=16 tkt=16 ses=16}, jday@ISERIESA.MYCO.COM for 
kadmin/changepw@ISERIESA.MYCO.COM 

Apr 30 14:18:56 iseriesa.myco.com /usr/krb5/sbin/krb5kdc[334](Notice):
AS_REQ (3 etypes {16 3 1}) 10.1.1.2(88): NEEDED_PREAUTH: 
jday@ISERIESA.MYCO.COM for kadmin/changepw@ISERIESA.MYCO.COM, 
Additional pre-authentication required 

Apr 30 14:18:56 iseriesa.myco.com /usr/krb5/sbin/krb5kdc[334](info): 
DISPATCH: replay found and re-transmitted
$</pre>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhtrouble.htm" title="This section provides links to troubleshooting information about common problems for network authentication service, Enterprise Identity Mapping (EIM), and IBM-supplied applications that support Kerberos authentication.">Troubleshoot</a></div>
</div>
</div>
</body>
</html>