IBM Books

Diagnosis Guide


Error information

On an SP system, it is now possible to have three different authentication methods in place and configured for different SP system partitions and users. Depending on how you have configured your authentication mechanisms and for what purpose, you may find that error messages are displayed even though the command finishes successfully.

The remote commands try the authentication methods in this order:

  1. Kerberos V5 (DCE)
  2. Kerberos V4
  3. Standard AIX

Therefore, if you have Kerberos V5 and Kerberos V4 in place, and configured only Kerberos V4 with user ids, you will receive errors when the remote commands try Kerberos V5, before they fail and try Kerberos V4.

Note:
If you are using Authorization for AIX Remote Commands="none", see Using secure remote commands instead of AIX rsh and rcp commands.

AIX now supports an environment variable called K5MUTE. When set to 1, this variable allows you to mute error messages from the remote commands when you have more than one authentication mechanism enabled. You can set this variable on a system-wide or process basis. It is recommended, however, that this variable not be set when debugging remote command problems because it can hide important messages.

A useful way to debug the krshd daemon is to configure the AIX syslog. You can have error messages from the krshd daemon sent to a log of your choice. You will see messages from other daemons as well. This action must be taken on the target system since that is where krshd runs. In general, Kerberos Version 5 messages (through DCE) have a prefix of "Kerberos".

To use syslog:

  1. On the target system:
    1. Create your log file using the touch command. The file must exist before syslog will write to it.
    2. Edit the /etc/syslog.conf file and add the line:
      *.debug  file_name
      

      where file_name is your log file, with the full path name specified.

    3. Refresh the syslog subsystem to start logging, by issuing these commands:
      1. stopsrc -s syslogd
      2. startsrc -s syslogd
  2. On the source host, issue the command you are trying to debug.
  3. On the target host, check your log file for krshd or kerberos errors.

Remember to unconfigure the /etc/syslog.conf file when you are done and to refresh the syslogd daemon.
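
The procedure above, including the cleanup step, written as shell functions for the target host. This is an added example, not part of the IBM guide; the function names, the SYSLOG_CONF override and the /var/adm/krshd.debug path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): temporary krshd debug logging on the target host.
# Function names and the SYSLOG_CONF override are assumptions made for this sketch.
SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog.conf}

# Build the rule exactly as the procedure gives it: *.debug <TAB> full path.
debug_rule() { printf '*.debug\t%s' "$1"; }

# enable_debug_log LOGFILE: create the file, then add the rule if not present.
enable_debug_log() {
    case $1 in
        /*) ;;
        *) echo "full path name required: $1" >&2; return 1 ;;
    esac
    touch "$1" || return 1      # the file must exist before syslog writes to it
    chmod 600 "$1" || return 1  # *.debug also collects other daemons' messages
    rule=$(debug_rule "$1")
    grep -xF "$rule" "$SYSLOG_CONF" >/dev/null 2>&1 ||
        printf '%s\n' "$rule" >> "$SYSLOG_CONF"
}

# disable_debug_log LOGFILE: remove only the rule added above, nothing else.
disable_debug_log() {
    rule=$(debug_rule "$1")
    tmp=$SYSLOG_CONF.tmp.$$
    # grep -v exits 1 when no lines remain; only a real error (2) aborts.
    grep -vxF "$rule" "$SYSLOG_CONF" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$SYSLOG_CONF" && rm -f "$tmp"   # cat keeps owner and mode
}

# refresh_syslogd: the stop/start pair from the procedure (AIX SRC commands).
refresh_syslogd() { stopsrc -s syslogd && startsrc -s syslogd; }

# krshd_errors LOGFILE: print krshd lines and "Kerberos"-prefixed V5 lines only.
krshd_errors() { grep -i -E 'krshd|kerberos' "$1"; }

# Typical session on the target host (the log path is a hypothetical choice):
#   enable_debug_log /var/adm/krshd.debug && refresh_syslogd
#   ... issue the failing command on the source host ...
#   krshd_errors /var/adm/krshd.debug
#   disable_debug_log /var/adm/krshd.debug && refresh_syslogd
```

Calling enable_debug_log twice adds the rule only once, and disable_debug_log leaves every other line of the configuration file untouched.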

Messages from the remote commands are translated to the language of the node on which the command is run. Ensure that the SP system is using either the English locale or the SP administrative locale, so that the messages are readable.

Underlying authentication mechanisms may have other NLS restrictions. The remote commands display messages received from these mechanisms as is. Consult the documentation for these authentication mechanisms for more information.

Errors from the remote commands are displayed to the user who issued the command. If you use the remote commands in a script, and do not capture error messages, they are lost. In this case, issue the remote command on the command line, in the same manner that the script issued the remote command.

To see all error messages, ensure that the AIX environment variable, K5MUTE, is set to 0.

If you wish to capture errors from the krshd daemon, you must configure syslog to do so.

