Diagnosis Guide
Before collecting the information listed here, make sure you have used the
steps described in Diagnostic procedures to verify the correct installation and configuration of
security services on your system. Also, make sure that you have
followed any other steps that apply to the specific error situation.
You should always include the following information:
When errors occur while setting up the security services on your system, or
error occur while initializing trusted services daemons, the following
information may be required:
- PSSP Security Services configuration for DCE:
-
Relevant parts of the /var/adm/SPlogs/auth_install/log file
-
Contents of the spsec_overrides file, if used
-
Output of the dcecp -c account cat command
- Output of the dcecp -c keytab cat command
-
Output of the ls -lR /spdata/sys1/keyfiles command
-
Output of the splstdata -p command
- Output of the splstdata -e command
- Output of the splstdata -n command
- Output of the dcecp -c group list groupname command for
any relevant groups
-
Output of the lsauthpts -v -p sysparname command for each
affected partition
- Output of the lsauthpar -v -p sysparname command for
each affected partition
- Configuration for Kerberos V4 (Compatibility):
- Contents of Kerberos V4 daemon log files. See Kerberos V4 daemon logs.
-
Contents of the /etc/krb.conf file
-
Contents of the /etc/krb.realms file
-
Output of the splstdata -a -G command
-
Output of the netstat -in command on the control workstation
-
Output of the ksrvutil list command
- Output of the splstdata -p command
- Output of the splstdata -e command
When errors indicating that the user could not be authenticated occur while
running trusted services client programs, and you suspect a software problem,
the following information may be required:
-
Using DCE:
-
Error messages displayed by failing commands or SP Perspectives panels
-
Output of the klist command for the client
-
Output of the lsauthpts command
-
Output of the lsauthpar command
-
Output of dcecp commands, showing principal, account, and keytab
information. For command syntax, see IBM DCE for AIX, Version
3.1: Administration Commands Reference.
- Using Kerberos V4 (Compatibility)
- Error messages displayed by failing commands or SP Perspectives panels
-
Output of k4list command
-
Output of the lsauthpts command
-
Output of the lsauthpar command
-
Output of the lskp command, showing client principal and service
principal
- Contents of server log files. See Kerberos V4 daemon logs.
When errors indicating that the user is not authorized to perform a task
occur while running trusted services client programs, but no authentication
error is reported, check first with your security administrator to verify the
user's authorization. If a software problem is suspected, the
following information may be required:
- Using DCE (all trusted services)
-
Error messages displayed by failing commands or SP Perspectives panels
-
Output of the klist command for the client
-
Output of dcecp commands showing membership of relevant access groups
-
Output of dcecp commands showing ACL entries for relevant
objects. For command syntax, see IBM DCE for AIX, Version
3.1: Administration Commands Reference.
- Contents of server log files
- Using Kerberos V4 (Sysctl, Hardware Monitor)
-
Error messages displayed by failing commands or SP Perspectives panels
-
Output of the k4list command for the client
-
Contents of hardmon ACL file, spdata/sys1/spmon/hmacls, if relevant
- Contents of Sysctl ACL files, if relevant. See the chapter "Sysctl"
in PSSP: Administration Guide
-
Contents of modified and added Sysctl configuration files,
etc/sysctl.conf
- Contents of server log files
[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]