Quick Tip: Enhanced Kerberos Auth Logging in OMSS

During a recent OMSS project, we ran into problems with Kerberos authentication. We tried the usual steps, such as turning up logging, but the Access Server logs were not showing us everything we needed to troubleshoot the Kerberos issue. After some research and experimentation, we found a way to raise the log level just for the Kerberos library used by OMSS (Heimdal, http://www.h5l.org/).

First, open the krb5.conf file located at $OMSS_HOME/msas/conf/krb5.conf and find the following section:

[logging]
krb5 = STDERR

Replace the krb5 option with the following:

krb5: logging = FILE:/tmp/krb.log


This writes all Kerberos-related messages to krb.log in the /tmp directory. Here’s a quick example of what you’ll find in the file (in this case, we had a DNS resolution issue that prevented OMSS from contacting the domain controller):

2015-02-23T00:01:32 krb5_get_init_creds: loop 1
2015-02-23T00:01:32 KDC send 0 patypes
2015-02-23T00:01:32 Trying to find service kdc for realm EXAMPLE.COM flags 0
2015-02-23T00:01:32 configuration file for realm EXAMPLE.COM found
2015-02-23T00:01:32 trying to communicate with host dc1.example.com in realm EXAMPLE.COM
2015-02-23T00:01:32 Configuration exists for realm EXAMPLE.COM, wont go to DNS
2015-02-23T00:01:32 result of trying to talk to realm EXAMPLE.COM = -1765328228
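The most useful line in that output is the last one: the number after "=" is a libkrb5 com_err code, and decoding it tells you why the KDC exchange failed before you start chasing network or DNS symptoms. The script below is an added example written for this post (it is not part of OMSS or Heimdal). It takes the same seven log lines, embedded here as constructed sample input, groups them by realm, records which hosts Heimdal tried and whether it skipped the DNS SRV lookup, and decodes the final result code against the krb5 error table base. The error-code table is a small subset that we added by hand; the function and dataclass names are our own.

```python
"""Triage a Heimdal krb5 log (added example, not code from the original post).

Assumptions made here and not taken from the post:
  - KRB5_ERR_BASE is the standard com_err base of the krb5 error table.
  - KRB5_ERR_NAMES is a hand-picked subset of that table; extend as needed.
  - Helper names (triage, summarize, RealmAttempt) are ours.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every libkrb5 error code is KRB5_ERR_BASE + a small table offset.
KRB5_ERR_BASE = -1765328384

# Subset of the krb5 error table (offset -> symbolic name, message).
KRB5_ERR_NAMES = {
    154: ("KRB5_REALM_UNKNOWN", "Cannot find KDC for requested realm"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
}

# Constructed sample input: the log lines shown in the post above.
SAMPLE_LOG = """\
2015-02-23T00:01:32 krb5_get_init_creds: loop 1
2015-02-23T00:01:32 KDC send 0 patypes
2015-02-23T00:01:32 Trying to find service kdc for realm EXAMPLE.COM flags 0
2015-02-23T00:01:32 configuration file for realm EXAMPLE.COM found
2015-02-23T00:01:32 trying to communicate with host dc1.example.com in realm EXAMPLE.COM
2015-02-23T00:01:32 Configuration exists for realm EXAMPLE.COM, wont go to DNS
2015-02-23T00:01:32 result of trying to talk to realm EXAMPLE.COM = -1765328228
"""

HOST_RE = re.compile(r"trying to communicate with host (\S+) in realm (\S+)")
NODNS_RE = re.compile(r"Configuration exists for realm (\S+), wont go to DNS")
RESULT_RE = re.compile(r"result of trying to talk to realm (\S+) = (-?\d+)")


def decode_krb5_error(code: int) -> str:
    """Map a raw com_err integer to its krb5 symbolic name and message."""
    offset = code - KRB5_ERR_BASE
    if offset in KRB5_ERR_NAMES:
        name, msg = KRB5_ERR_NAMES[offset]
        return f"{name} ({code}): {msg}"
    return f"unknown krb5 error {code} (offset {offset} from table base)"


@dataclass
class RealmAttempt:
    realm: str
    hosts_tried: List[str] = field(default_factory=list)
    used_dns: Optional[bool] = None   # None until the log tells us either way
    result: Optional[int] = None      # None if no result line was seen


def triage(log_text: str) -> Dict[str, RealmAttempt]:
    """Group a Heimdal krb5 log by realm and pull out hosts, DNS use and result."""
    attempts: Dict[str, RealmAttempt] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host_m = HOST_RE.search(line)
        nodns_m = NODNS_RE.search(line)
        result_m = RESULT_RE.search(line)
        if host_m:
            host, realm = host_m.groups()
            attempts.setdefault(realm, RealmAttempt(realm)).hosts_tried.append(host)
        elif nodns_m:
            realm = nodns_m.group(1)
            attempts.setdefault(realm, RealmAttempt(realm)).used_dns = False
        elif result_m:
            realm, code = result_m.group(1), int(result_m.group(2))
            attempts.setdefault(realm, RealmAttempt(realm)).result = code
    return attempts


def summarize(attempt: RealmAttempt) -> str:
    """Render one realm's attempt as a short human-readable diagnosis."""
    hosts = ", ".join(attempt.hosts_tried) or "no hosts"
    lines = [f"realm {attempt.realm}: tried {hosts}"]
    if attempt.used_dns is False:
        lines.append("KDC list came from krb5.conf; DNS SRV lookup was skipped")
    elif attempt.used_dns is None:
        lines.append("no evidence in log of how the KDC list was obtained")
    if attempt.result is None:
        lines.append("no result line found (log truncated or attempt still running)")
    elif attempt.result == 0:
        lines.append("result: success")
    else:
        lines.append("result: " + decode_krb5_error(attempt.result))
    return "\n".join(lines)


if __name__ == "__main__":
    for realm_attempt in triage(SAMPLE_LOG).values():
        print(summarize(realm_attempt))
```

Run against the sample, the summary reports that Heimdal tried only dc1.example.com, took that host from krb5.conf rather than DNS SRV records, and ended with KRB5_KDC_UNREACH (cannot contact any KDC), which lines up with the DNS resolution problem described above: the host name came from configuration, but it could not be resolved or reached. Pointing the script at the real /tmp/krb.log instead of SAMPLE_LOG gives the same per-realm summary for a live system.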


Once you’ve identified and resolved the issue, be sure to revert the krb5 logging line to its original value.

Good luck!


Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.