Firstyear left a comment
Overall I think there need to be some better examples used here with KRB5_TRACE to actually show a user how it works. Generally clarity of how to use the variable needs to be improved too. Did you actually configure and test this?
<sect1 xml:id="sec-security-kerberos-troubleshooting">
<title>Troubleshooting &krb;</title>
<para>
Troubleshooting &krb; issues can be complex because of its role in secure authentication within a network.
Troubleshooting kerberos is complex, because kerberos is a dumpster fire of a service.
I don't think we should say this, and this line adds no value to the documentation.
</step>
<step>
<para>
Execute the action that triggers the &krb; authentication issue for example, logging into a service.
Where are the examples? How does KRB5_TRACE help? How does it work? These are things that a user will want to know.
Show an example like:
KRB5_TRACE=/dev/stderr kinit username@realm
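The kind of worked example the reviewer is asking for, as an added illustration that is not from the PR or from the SUSE documentation: a small POSIX shell wrapper that exports KRB5_TRACE for one command, then filters the resulting trace for the lines that usually explain a failed logon. The client command fake_kinit, the trace file name and the trace lines are constructed for the example (they copy the shape of MIT libkrb5 trace output, "[pid] seconds.microseconds: message", but the values are made up); in real use you would pass kinit user@REALM or the failing service command instead.

```shell
#!/bin/sh
# Added example (not from the PR or the SUSE docs): run a Kerberos client
# command with KRB5_TRACE pointed at a file, then pull out the lines that
# usually explain a failure. Replace fake_kinit with e.g. "kinit user@REALM".

# Run "$@" with KRB5_TRACE exported to $1. libkrb5 in the child process
# appends one line per operation to that file (/dev/stderr shows it live).
krb5_trace_run() {
    tracefile=$1
    shift
    : > "$tracefile"            # start from an empty trace
    KRB5_TRACE=$tracefile
    export KRB5_TRACE
    "$@"
    status=$?
    unset KRB5_TRACE            # do not leak tracing into later commands
    return "$status"
}

# Print only the trace lines that normally tell the story of a failed logon:
# the principal requested, KDC lookup / DNS resolution, and KDC errors.
krb5_trace_summary() {
    grep -E 'Getting initial credentials|Sending DNS|Resolving hostname|Sending request|Received error from KDC' "$1"
}

# Number of errors the KDC returned; non-zero means the request reached a KDC
# and was rejected there, so DNS and connectivity were not the problem.
krb5_trace_kdc_errors() {
    grep -c 'Received error from KDC' "$1" || true
}

# Constructed stand-in for a failing "kinit user@EXAMPLE.COM" so this script
# runs offline. The lines mimic the shape of MIT libkrb5 trace output; the
# pid, timestamps and request size are invented for the example.
fake_kinit() {
    cat >> "$KRB5_TRACE" <<'EOF'
[4242] 1700000000.000001: Getting initial credentials for user@EXAMPLE.COM
[4242] 1700000000.000002: Sending DNS URI query for _kerberos.EXAMPLE.COM.
[4242] 1700000000.000003: Resolving hostname kdc.example.com
[4242] 1700000000.000004: Sending request (170 bytes) to EXAMPLE.COM
[4242] 1700000000.000005: Received error from KDC: -1765328360/Preauthentication failed
EOF
    echo 'kinit: Preauthentication failed while getting initial credentials' >&2
    return 1
}

# Demo run: trace the (simulated) failing kinit and summarise the trace.
trace=${TMPDIR:-/tmp}/krb5_trace.$$
krb5_trace_run "$trace" fake_kinit
echo "exit status: $?"
echo "KDC errors: $(krb5_trace_kdc_errors "$trace")"
krb5_trace_summary "$trace"
rm -f "$trace"
```

Pointing KRB5_TRACE at /dev/stderr, as the one-liner above does, shows the same lines live instead of saving them; the summary is useful when the trace is long. A "Received error from KDC" line tells you the KDC was reached and rejected the request (here with the KRB5KDC_ERR_PREAUTH_FAILED code), whereas a trace that stops at the DNS query or hostname resolution points at the name-resolution problem the "DNS issues" entry describes.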
<step>
<para>
Enable <envar>KRB5_TRACE</envar> logging by setting the environment variable to a file where you want the
trace logs to be saved. This file will contain detailed information on all the &krb; operations.
instead of "krb operations" which doesn't make sense, try "kerberos commands that are executed".
During &krb; authentication, clients that run local processes using the <literal>system</literal>
account, assign these processes to the machine account when accessing remote resources. The machine account
is associated to the computer name registered with the domain controller and is distinct with a <literal>$</literal>
sign.</para></note>
This paragraph is very vague and potentially inaccurate. Machine accounts are no different to a user account. They just are representing that that entity is a machine, instead of a human. There isn't some magic that gives a "service" on the machine credentials either, it's done through keytabs that have extracted principal information.
I'm really not sure what you are trying to communicate in this note.
<term>Permission issues</term>
<listitem>
<para>
Check if the &krb; principal has the right permissions.
krb principals don't have permissions, what does this mean? KRB is authentication, not authorisation.
<term>DNS issues</term>
<listitem>
<para>
Ensure there is a proper DNS resolution for the KDC and other &krb; related services.
grammar, this reads really awkwardly.
@Firstyear, it's a little complex, would you be willing to give a demo? Meanwhile I will try what you have suggested in the mail.
PR creator: Description
Document troubleshooting Kerberos Auth
PR creator: Are there any relevant issues/feature requests?
SLE-20008
PR creator: Which product versions do the changes apply to?
SLE 15/openSUSE Leap 15.x
main (no backport necessary)
SLE 12
PR reviewer only: Have all backports been applied?