@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top @chapter Resolving frequent problems @menu * Problems compiling Kerberos:: * Common error messages:: @end menu @node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems @section Problems compiling Kerberos Many compilers require a switch to become ANSI compliant. Since kth-krb is written in ANSI C it is necessary to specify the name of the compiler to be used and the required switch to make it ANSI compliant. This is most easily done when running configure using the @kbd{env} command. For instance to build under HP-UX using the native compiler do: @cartouche @example datan$ env CC="cc -Ae" ./configure @end example @end cartouche In general @kbd{gcc} works. The following combinations have also been verified to successfully compile the distribution: @table @asis @item @samp{HP-UX} @kbd{cc -Ae} @item @samp{Digital UNIX} @kbd{cc -std1} @item @samp{AIX} @kbd{xlc} @item @samp{Solaris 2.x} @kbd{cc} (unbundled one) @item @samp{IRIX} @kbd{cc} @end table @subheading Linux problems Some systems have lost @file{/usr/include/ndbm.h} which is necessary to build kth-krb correctly. There is a @file{ndbm.h.Linux} right next to the source distribution. There has been reports of non-working @file{libdb} on some Linux distributions. If that happens, use the @kbd{--without-berkeley-db} when configuring. @subheading HP-UX problems The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all systems. To make problems even worse, there is never an archive version for static linking either. Therefore, when building ``truly portable'' binaries first install GNU gdbm or Berkeley DB, and make sure that you are linking against that library. @subheading Cray problems @kbd{rlogind} won't work on Crays until @code{forkpty()} has been ported, in the mean time use @kbd{telnetd}. @subheading AIX problems @kbd{gcc} version 2.7.2.1 has a bug which makes it miscompile @file{appl/telnet/telnetd/sys_term.c} (and possibily @file{appl/bsd/forkpty.c}), if used with too much optimization. @subheading C2 problems @cindex C2 The programs that checks passwords works with @file{passwd}, OTP, and Kerberos paswords. This is problem if you use C2 security (or use some other password database), that normally keeps passwords in some obscure place. If you want to use Kerberos with C2 security you will have to think about what kind of changes are necessary. See also the discussion about Digital's SIA and C2 security, see @ref{Digital SIA}. @node Common error messages, , Problems compiling Kerberos, Resolving frequent problems @section Common error messages These are some of the more obscure error messages you might encounter: @table @asis @item @samp{Time is out of bounds} The time on your machine differs from the time on either the kerberos server or the machine you are trying to login to. If it isn't obvious that this is the case, remember that all times are compared in UTC. On unix systems you usually can find out what the local time is by doing @code{telnet machine daytime}. This time (again, usually is the keyword) is with correction for time-zone and daylight savings. If you have problem keeping your clocks synchronized, consider using a time keeping system such as NTP (see also the discussion in @ref{Install the client programs}). @item @samp{Ticket issue date too far in the future} The time on the kerberos server is more than five minutes ahead of the time on the server. @item @samp{Can't decode authenticator} This means that there is a mismatch between the service key in the kerberos server and the service key file on the specific machine. Either: @itemize @bullet @item the server couldn't find a service key matching the request @item the service key (or version number) does not match the key the packet was encrypted with @end itemize @item @samp{Incorrect network address} The address in the ticket does not match the address you sent the request from. This happens on systems with more than one network address, either physically or logically. You can list addresses which should be considered equal in @file{/etc/krb.equiv} on your servers. A note to programmers: a server should not pass @samp{*} as the instance to @samp{krb_rd_req}. It should try to figure out on which interface the request was received, for instance by using @samp{k_getsockinst}. If you change addresses on your computer you invalidate any tickets you might have. The easiest way to fix this is to get new tickets with the new address. @item @samp{Message integrity error} The packet is broken in some way: @itemize @bullet @item the lengths does not match the size of the packet, or @item the checksum does not match the contents of the packet @end itemize @item @samp{Can't send request} There is some problem contacting the kerberos server. Either the server is down, or it is using the wrong port (compare the entries for @samp{kerberos-iv} in @file{/etc/services}). The client might also have failed to guess what kerberos server to talk to (check @file{/etc/krb.conf} and @file{/etc/krb.realms}). @item @samp{Generic kerberos error} This is a generic catch-all error message. @end table