@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top @chapter Resolving frequent problems @menu * Problems compiling Kerberos:: * Common error messages:: @end menu @node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems @section Problems compiling Kerberos Many compilers require a switch to become ANSI compliant. Since kth-krb is written in ANSI C it is necessary to specify the name of the compiler to be used and the required switch to make it ANSI compliant. This is most easily done when running configure using the @kbd{env} command. For instance to build under HP-UX using the native compiler do: @cartouche @example datan$ env CC="cc -Ae" ./configure @end example @end cartouche In general @kbd{gcc} works. The following combinations have also been verified to successfully compile the distribution: @table @asis @item @samp{HP-UX} @kbd{cc -Ae} @item @samp{Digital UNIX} @kbd{cc -std1} @item @samp{AIX} @kbd{xlc} @item @samp{Solaris 2.x} @kbd{cc} (unbundled one) @item @samp{IRIX} @kbd{cc} @end table @node Common error messages, , Problems compiling Kerberos, Resolving frequent problems @section Common error messages These are some of the more obscure error messages you might encounter: @table @asis @item @samp{Time is out of bounds} The time on your machine differs from the time on either the kerberos server or the machine you are trying to login to. If it isn't obvious that this is the case, remember that all times are compared in UTC. On unix systems you usually can find out what the local time is by doing @code{telnet machine daytime}. This time (again, usually is the keyword) is with correction for time-zone and daylight savings. If you have problem keeping your clocks synchronized, consider using a time keeping system such as NTP (see also the discussion in @ref{Install the client programs}). @item @samp{Ticket issue date too far in the future} The time on the kerberos server is more than five minutes ahead of the time on the server. @item @samp{Can't decode authenticator} This means that there is a mismatch between the service key in the kerberos server and the service key file on the specific machine. Either: @itemize @bullet @item the server couldn't find a service key matching the request @item the service key (or version number) does not match the key the packet was encrypted with @end itemize @item @samp{Incorrect network address} The address in the ticket does not match the address you sent the request from. This happens on systems with more than one network address, either physically or logically. You can list addresses which should be considered equal in @file{/etc/kerberosIV/krb.equiv} on your servers. A note to programmers: a server should not pass @samp{*} as the instance to @samp{krb_rd_req}. It should try to figure out on which interface the request was received, for instance by using @samp{k_getsockinst}. If you change addresses on your computer you invalidate any tickets you might have. The easiest way to fix this is to get new tickets with the new address. @item @samp{Message integrity error} The packet is broken in some way: @itemize @bullet @item the lengths does not match the size of the packet, or @item the checksum does not match the contents of the packet @end itemize @item @samp{Can't send request} There is some problem contacting the kerberos server. Either the server is down, or it is using the wrong port (compare the entries for @samp{kerberos-iv} in @file{/etc/services}). The client might also have failed to guess what kerberos server to talk to (check @file{/etc/kerberosIV/krb.conf} and @file{/etc/kerberosIV/krb.realms}). @item @samp{kerberos: socket: Unable to open socket...} The kerberos server has to open four sockets for each interface. If you have a machine with lots of virtual interfaces, you run the risk of running out of file descriptors. If that happens you will get this error message. @item @samp{ftp: User foo access denied} This usually happens because the user's shell is not listed in @file{/etc/shells}. Note that @kbd{ftpd} checks this file even on systems where the system version does not and there is no @file{/etc/shells}. @item @samp{Generic kerberos error} This is a generic catch-all error message. @end table