Installation and Maintenance
Some troubleshooting tools
The following tools are helpful for troubleshooting:
klist (on Linux systems and Windows workstations):
Shows the tickets acquired for the current account and the SPNs they include. If kinit works but Apache negotiation fails, a ticket is usually being issued to the user, but the SPN it includes is not recognized by Apache. This is often caused by Apache misconfiguration, a defective keytab or kvno issues.
kdestroy:
Deletes tickets on Linux machines. The Windows equivalent is "klist purge".
tcpdump:
Used with -A to show packet contents for communication between the service and the user workstation, so it is often run as "tcpdump -A -i eth0 host ip-of-user-ws". Usually no direct traffic occurs between Linux and Kerberos once the keytabs are filled.
kinit:
Used to test requesting a ticket from Linux to Kerberos, to check communication (Linux acts as the client here): "kinit -k -t filename UPN". Make sure to use the same filename as configured in the Apache site.
wireshark:
Used to investigate network traffic for the workstation or Kerberos.
Apache error log:
With loglevel "info", Kerberos errors appear as "unspecified GSS errors ... (, )" but do not give major or minor error numbers. Set loglevel to debug to see more messages and error codes.
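
The klist entry above names an unrecognized SPN, a defective keytab and kvno issues as common causes of failed negotiation. The following added example (not part of the original page) checks for the first and last of these by comparing a keytab listing with the key version the KDC reports. It assumes the MIT Kerberos output formats of "klist -k" and "kvno"; the SPN, keytab path and version numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Sample text is constructed;
# the SPN, keytab path and version numbers are placeholders.
# Live input would come from:  klist -k <keytab>   and   kvno <SPN>
SPN='HTTP/web.example.com@EXAMPLE.COM'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/web.example.com@EXAMPLE.COM
   3 HTTP/web.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/web.example.com@EXAMPLE.COM: kvno = 4'

# keytab_kvnos LISTING SPN: unique key versions stored for SPN, one per line
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v spn="$2" '$1 ~ /^[0-9]+$/ && $2 == spn { print $1 }' | sort -un
}

# kdc_kvno KVNO_OUTPUT SPN: key version the KDC currently issues for SPN
kdc_kvno() {
    printf '%s\n' "$1" |
        awk -v spn="$2" '$1 == spn ":" && $2 == "kvno" { print $4 }'
}

# check_spn LISTING KVNO_OUTPUT SPN
# returns 0 = match, 1 = SPN not in keytab, 2 = kvno mismatch, 3 = no KDC answer
check_spn() {
    have=$(keytab_kvnos "$1" "$3")
    want=$(kdc_kvno "$2" "$3")
    if [ -z "$have" ]; then
        echo "MISSING: $3 is not in the keytab"; return 1
    fi
    if [ -z "$want" ]; then
        echo "UNKNOWN: no kvno reported for $3"; return 3
    fi
    if printf '%s\n' "$have" | grep -qx "$want"; then
        echo "OK: keytab holds kvno $want for $3"; return 0
    fi
    echo "MISMATCH: keytab has kvno $(echo $have), KDC issues $want for $3"
    return 2
}

# Run against the constructed sample; prints the MISMATCH verdict.
check_spn "$SAMPLE_KEYTAB" "$SAMPLE_KVNO" "$SPN" || true
```

On a live system, obtain a ticket with kinit before running kvno, since kvno requests a service ticket for the SPN.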