This is the
daemon.
Options:
Set the
before the database is considered stale.
Only listen on
Normally, the kerberos server listens on all addresses of all
interfaces.
Write the log to
Run manually and prompt for master key.
Do not check max age.
Pause for
before dying.
Listen to the ports specified by
This should be a white-space separated list of port specifications. A
port specification follows the format:
The
can be either a symbolic port name (from
or a number;
or
If left out, the KDC will listen to both UDP and TCP sockets on the
specified port.
The special string
means that the default set of ports (TCP and UDP on ports 88 and 750)
should be included.
Run as a server for realm
Allow cross-realm operation. This is a known security hole. Do not
enable this unless you understand the consequences and are willing to
live with them.
Set slave parameters. This will enable a check to see if data is
getting too stale relative to the master.
If no
is given, a default database will be used, normally
DIAGNOSTICS
The server logs several messages in a log file
by default). The logging mechanism opens and closes the log file for
each message, so you can safely rename the log file when the server is
running.
These are normal messages that you will see in the log. They might be
followed by some error message.
The server fetched the key for
for the specific
realm. You will see this at startup, and for every attempt to use
cross realm authentication.
You will see this also if you start with
An initial (password authenticated) request was received.
A tgt-based request for a ticket was made.
These messages reflect misconfigured clients, invalid requests, or
possibly attempted attacks.
The server received a request with an unknown principal. This is most
likely because someone typed the wrong name at a login prompt. It
could also be someone trying to get a list of possible users.
There isn't a principal for
in the database.
There was a request for a ticket for another realm. This might be
because of a misconfigured client.
There is more than one entry for this principal in the database. This
is not very good.
Someone tried to use a principal that for some reason doesn't have a
key.
The principal has its key encrypted with the wrong master key.
The principal's key has expired.
The message couldn't be decoded properly. The error message will give
you further hints. You will see this if someone is trying to use
expired tickets.
The message received was not one that is understood by this server.
Someone tried to get a
via a tgt exchange. This is
because of a broken client, or possibly an attack.
The server received a request with an unknown version number.
The following messages indicate problems when starting the server.
There was some problem reading the database.
Someone is currently updating the database (possibly via krop).
The database is older than the maximum age specified.
The master key file wasn't found or the file is damaged.
The key in the keyfile doesn't match the current database.
The database doesn't contain a
for the local realm.