Initial import of KTH eBones. This has been cleaned up to only include

the "core" Kerberos functionality. The rest of the userland will get their
own changes later.

1 files changed, 156 insertions, 0 deletions

diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
new file mode 100644
index 0000000..9e3630e
--- /dev/null
+++ b/crypto/kerberosIV/doc/problems.texi
@@ -0,0 +1,156 @@
+@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top
+@chapter Resolving frequent problems
+
+@menu
+* Problems compiling Kerberos::  
+* Common error messages::       
+@end menu
+
+@node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems
+@section Problems compiling Kerberos
+
+Many compilers require a switch to become ANSI compliant. Since kth-krb
+is written in ANSI C it is necessary to specify the name of the compiler
+to be used and the required switch to make it ANSI compliant. This is
+most easily done when running configure using the @kbd{env} command. For
+instance to build under HP-UX using the native compiler do:
+
+@cartouche
+@example
+datan$ env CC="cc -Ae" ./configure
+@end example
+@end cartouche
+
+In general @kbd{gcc} works. The following combinations have also been
+verified to successfully compile the distribution:
+
+@table @asis
+
+@item @samp{HP-UX}
+@kbd{cc -Ae}
+@item @samp{Digital UNIX}
+@kbd{cc -std1}
+@item @samp{AIX}
+@kbd{xlc}
+@item @samp{Solaris 2.x}
+@kbd{cc} (unbundled one)
+@item @samp{IRIX}
+@kbd{cc}
+
+@end table
+
+@subheading Linux problems
+
+Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
+build kth-krb correctly. There is a @file{ndbm.h.Linux} right next to
+the source distribution.
+
+There has been reports of non-working @file{libdb} on some Linux
+distributions.  If that happens, use the @kbd{--without-berkeley-db}
+when configuring.
+
+@subheading HP-UX problems
+
+The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all
+systems.  To make problems even worse, there is never an archive version
+for static linking either. Therefore, when building ``truly portable''
+binaries first install GNU gdbm or Berkeley DB, and make sure that you
+are linking against that library.
+
+@subheading Cray problems
+
+@kbd{rlogind} won't work on Crays until @code{forkpty()} has been
+ported, in the mean time use @kbd{telnetd}.
+
+@subheading AIX problems
+
+@kbd{gcc} version 2.7.2.1 has a bug which makes it miscompile
+@file{appl/telnet/telnetd/sys_term.c} (and possibily
+@file{appl/bsd/forkpty.c}), if used with too much optimization.
+
+@subheading C2 problems
+
+@cindex C2
+The programs that checks passwords works with @file{passwd}, OTP, and
+Kerberos paswords. This is problem if you use C2 security (or use some
+other password database), that normally keeps passwords in some obscure
+place. If you want to use Kerberos with C2 security you will have to
+think about what kind of changes are necessary. See also the discussion
+about Digital's SIA and C2 security, see @ref{Digital SIA}.
+
+@node Common error messages,  , Problems compiling Kerberos, Resolving frequent problems
+@section Common error messages
+
+These are some of the more obscure error messages you might encounter:
+
+@table @asis
+
+@item @samp{Time is out of bounds}
+
+The time on your machine differs from the time on either the kerberos
+server or the machine you are trying to login to. If it isn't obvious
+that this is the case, remember that all times are compared in UTC.
+
+On unix systems you usually can find out what the local time is by doing
+@code{telnet machine daytime}. This time (again, usually is the keyword)
+is with correction for time-zone and daylight savings.
+
+If you have problem keeping your clocks synchronized, consider using a
+time keeping system such as NTP (see also the discussion in
+@ref{Install the client programs}).
+
+@item @samp{Ticket issue date too far in the future}
+
+The time on the kerberos server is more than five minutes ahead of the
+time on the server.
+
+@item @samp{Can't decode authenticator}
+
+This means that there is a mismatch between the service key in the
+kerberos server and the service key file on the specific machine.
+Either:
+@itemize @bullet
+@item
+the server couldn't find a service key matching the request
+@item
+the service key (or version number) does not match the key the packet
+was encrypted with
+@end itemize
+
+@item @samp{Incorrect network address}
+
+The address in the ticket does not match the address you sent the
+request from. This happens on systems with more than one network
+address, either physically or logically. You can list addresses which
+should be considered equal in @file{/etc/krb.equiv} on your servers. 
+
+A note to programmers: a server should not pass @samp{*} as the instance
+to @samp{krb_rd_req}. It should try to figure out on which interface the
+request was received, for instance by using @samp{k_getsockinst}.
+
+If you change addresses on your computer you invalidate any tickets you
+might have. The easiest way to fix this is to get new tickets with the
+new address.
+
+@item @samp{Message integrity error}
+
+The packet is broken in some way:
+@itemize @bullet
+@item
+the lengths does not match the size of the packet, or
+@item
+the checksum does not match the contents of the packet
+@end itemize
+
+@item @samp{Can't send request}
+There is some problem contacting the kerberos server. Either the server
+is down, or it is using the wrong port (compare the entries for
+@samp{kerberos-iv} in @file{/etc/services}). The client might also have
+failed to guess what kerberos server to talk to (check
+@file{/etc/krb.conf} and @file{/etc/krb.realms}).
+
+@item @samp{Generic kerberos error}
+This is a generic catch-all error message.
+
+@end table
+