[krbdev.mit.edu #8541] Documentation__For administrators

Karl Secks via RT rt-comment at krbdev.mit.edu
Sun Jan 29 16:51:42 EST 2017


Something about errors and such would be fantastic. I find it very strange that this is not covered.

Take an error such as PROCESS_TGS. I do a search for PROCESS_TGS on your documentation web page and get no hits. There is nothing on errors and what they mean.

In the Admin troubleshooting section we have this:
Cannot create cert chain: certificate has expired

This error message indicates that PKINIT authentication failed because the client certificate, KDC certificate, or one of the certificates in the signing chain above them has expired.
If the KDC certificate has expired, this message appears in the KDC log file, and the client will receive a “Preauthentication failed” error. (Prior to release 1.11, the KDC log file message erroneously appears as “Out of memory”. Prior to release 1.12, the client will receive a “Generic error”.)
If the client or a signing certificate has expired, this message may appear in trace_logging <http://web.mit.edu/kerberos/krb5-latest/doc/admin/troubleshoot.html#trace-logging> output from kinit <http://web.mit.edu/kerberos/krb5-latest/doc/user/user_commands/kinit.html#kinit-1> or, starting in release 1.12, as an error message from kinit or another program which gets initial tickets. The error message is more likely to appear properly on the client if the principal entry has no long-term keys.

I have seen the error “Preauthentication failed” in the KDC log but never on the client side. If I use the search for “Preauthentication failed” I do not even get a hit from the above text.

Then there is this dead link:
Kerberos and LDAP <https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html>

Karl





