During a recent OMSS project, we ran into issues with Kerberos authentication. We tried the typical things such as turning up logging, but the Access Server logs weren’t showing us everything we needed to troubleshoot the Kerberos problem. After some research and experimentation, we found a way to increase the log level just for the Kerberos library used by OMSS (Heimdal, http://www.h5l.org/).
First, open the krb5.conf file located at $OMSS_HOME/msas/conf/krb5.conf and find the following line:
krb5 = STDERR
Replace the krb5 option (it lives in the [logging] section of krb5.conf) with the following, which keeps the same key and only changes the destination:
krb5 = FILE:/tmp/krb.log
This will write all Kerberos-related messages to krb.log in the tmp directory. Here’s a quick example of what you’ll find in the file (in this example, we had a DNS resolution issue which prevented OMSS from contacting the domain controller):
2015-02-23T00:01:32 krb5_get_init_creds: loop 1
2015-02-23T00:01:32 KDC send 0 patypes
2015-02-23T00:01:32 Trying to find service kdc for realm EXAMPLE.COM flags 0
2015-02-23T00:01:32 configuration file for realm EXAMPLE.COM found
2015-02-23T00:01:32 trying to communicate with host dc1.example.com in realm EXAMPLE.COM
2015-02-23T00:01:32 Configuration exists for realm EXAMPLE.COM, wont go to DNS
2015-02-23T00:01:32 result of trying to talk to realm EXAMPLE.COM = -1765328228
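The excerpt above becomes much more useful once the negative result code is translated back into a symbolic krb5 error, since Heimdal only logs the raw number. The script below is an added example, not part of the original post or of OMSS: it parses Heimdal log lines of this shape and reports the realm, the KDC hosts tried, whether KDC discovery used DNS SRV records or a pinned krb5.conf entry, and the result code by name. The sample input is the log excerpt shown above; the error-code table (a handful of entries from libkrb5's com_err table, base -1765328384) and the "next check" hint are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the Heimdal log lines shown in the post.
SAMPLE_LOG = """\
2015-02-23T00:01:32 krb5_get_init_creds: loop 1
2015-02-23T00:01:32 KDC send 0 patypes
2015-02-23T00:01:32 Trying to find service kdc for realm EXAMPLE.COM flags 0
2015-02-23T00:01:32 configuration file for realm EXAMPLE.COM found
2015-02-23T00:01:32 trying to communicate with host dc1.example.com in realm EXAMPLE.COM
2015-02-23T00:01:32 Configuration exists for realm EXAMPLE.COM, wont go to DNS
2015-02-23T00:01:32 result of trying to talk to realm EXAMPLE.COM = -1765328228
"""

# com_err base of the libkrb5 error table (KRB5KDC_ERR_NONE). Every krb5
# result code is this base plus a small table index, which is how the
# negative numbers in the log map back to symbolic names.
KRB5_ERROR_BASE = -1765328384

# A few well-known entries of that table (assumed subset): index -> (name, message).
KRB5_ERROR_NAMES: Dict[int, Tuple[str, str]] = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
}

HOST_RE = re.compile(r"trying to communicate with host (\S+) in realm (\S+)")
NODNS_RE = re.compile(r"Configuration exists for realm (\S+), wont go to DNS")
RESULT_RE = re.compile(r"result of trying to talk to realm (\S+) = (-?\d+)")


@dataclass
class KrbAttempt:
    """What one krb5_get_init_creds attempt tells us about KDC discovery."""
    realm: Optional[str] = None
    hosts: List[str] = field(default_factory=list)
    kdc_from_dns: bool = True      # False once Heimdal says it won't consult DNS
    result_code: Optional[int] = None


def describe_krb5_code(code: int) -> str:
    """Translate a raw libkrb5 result code into 'NAME: message'."""
    idx = code - KRB5_ERROR_BASE
    name, msg = KRB5_ERROR_NAMES.get(
        idx, (f"krb5 error table index {idx}", "not in this script's table"))
    return f"{name}: {msg}"


def parse_heimdal_log(text: str) -> KrbAttempt:
    """Pull realm, KDC hosts, DNS usage and final result out of Heimdal log lines."""
    attempt = KrbAttempt()
    for line in text.splitlines():
        # Each line is '<timestamp> <message>'; only the message matters here.
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        msg = parts[1]
        if m := HOST_RE.search(msg):
            attempt.hosts.append(m.group(1))
            attempt.realm = attempt.realm or m.group(2)
        elif m := NODNS_RE.search(msg):
            attempt.kdc_from_dns = False
            attempt.realm = attempt.realm or m.group(1)
        elif m := RESULT_RE.search(msg):
            attempt.realm = attempt.realm or m.group(1)
            attempt.result_code = int(m.group(2))
    return attempt


def summarize(attempt: KrbAttempt) -> List[str]:
    """Human-readable findings, plus a next check for the common KDC_UNREACH case."""
    lines = [
        f"realm: {attempt.realm}",
        f"KDC hosts tried: {', '.join(attempt.hosts) or '(none)'}",
        "KDC list from DNS SRV records: "
        + ("yes" if attempt.kdc_from_dns else "no, pinned in krb5.conf"),
    ]
    if attempt.result_code is None:
        lines.append("result: no result line seen (attempt still in progress or log truncated)")
        return lines
    lines.append(f"result: {attempt.result_code} -> {describe_krb5_code(attempt.result_code)}")
    if attempt.result_code - KRB5_ERROR_BASE == 156 and not attempt.kdc_from_dns:
        lines.append("next check: confirm each configured KDC host name resolves from the "
                     "Access Server and that TCP/UDP 88 to it is reachable")
    return lines


if __name__ == "__main__":
    for finding in summarize(parse_heimdal_log(SAMPLE_LOG)):
        print(finding)
```

Run it against the krb.log produced by the configuration change above (for example `python3 krblog.py < /tmp/krb.log` after swapping SAMPLE_LOG for `sys.stdin.read()`); for the excerpt in this post it reports KRB5_KDC_UNREACH with the KDC taken from krb5.conf rather than DNS, which points straight at name resolution or reachability of the configured host.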
Once you’ve identified and resolved the issue, be sure to revert the krb5 logging line to its original value.
Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.