[WIP]SLE-20008: troubleshooting krb

xml/security_kerberos.xml

@@ -1914,6 +1914,140 @@ Valid starting     Expires            Service principal
   </procedure>
   </sect1> -->
 
+  <sect1 xml:id="sec-security-kerberos-troubleshooting">
+    <title>Troubleshooting &krb;</title>
+      <para>
+     Troubleshooting &krb; issues can be complex because of its role in secure authentication within a network.
+     Using the <envar>KRB5_TRACE</envar> environment variable helps significantly in troubleshooting.
+     <envar>KRB5_TRACE</envar> provides a detailed log of &krb; operations.
+   </para>
+   <procedure>
+    <title>Using <envar>KRB5_TRACE</envar> to debug &krb; </title>
+    <step>
+     <para>
+    Ensure your &krb; configuration file, which is either <filename>krb5.conf</filename> or <filename>krb5.ini</filename>
+    is correctly set up. This file has all the required settings for your &krb; client and includes realms, KDC and admin servers.
+     </para>
+    </step>
+    <step>
+     <para>
+     Enable <envar>KRB5_TRACE</envar> logging by setting the environment variable to a file where you want the
+     trace logs to be saved. This file will contain detailed information on all the &krb; operations.
+     For example:</para>
+     <screen>&prompt.sudo; export KRB5_TRACE=/path/to/krb5_trace.log</screen>
+    </step>
+    <step>
+     <para>
+Execute the action that triggers the &krb; authentication issue for example, logging into a service.
+The trace log captures the process details.
+     </para>
+    </step>
+    <step>
+        <para>
+   Examine in-depth, the contents of the log file as specified by <envar>KRB5_TRACE</envar>. The log file contains details
+   about &krb; requests,responses and errors. Specifically, look for:
+        </para>
+        <variablelist>
+            <varlistentry>
+             <term>Request and Response Details </term>
+             <listitem>
+              <para>
+               Check if requests are reaching the KDC and responses are being received.
+              </para>
+                   </listitem>
+            </varlistentry>
+            <varlistentry>
+             <term>Error messages</term>
+             <listitem>
+              <para>
+               Evaluate any error messages or codes that indicate something is wrong.
+              </para>
+
+             </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>Network issues</term>
+                <listitem>
+                 <para>
+                  Check if the KDC is reachable or any network issues.
+                 </para>
+                </listitem>
+               </varlistentry>
+                </variablelist>
+       </step>
+       <step>
+        <para>
+   Examine the common issues such as:
+        </para>
+        <variablelist>
+            <varlistentry>
+             <term>Configuration issues </term>
+             <listitem>
+              <para>
+               Verify that the realms, KDC addresses and other settings are correct in the configuration file.
+              </para>
+                   </listitem>
+            </varlistentry>
+            <varlistentry>
+             <term>Synchronized time</term>
+             <listitem>
+              <para>
+               &krb; is sensitive to time discrepancies so ensure all systems have a synchronized clock.
+              </para>
+
+             </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>Network issues</term>
+                <listitem>
+                 <para>
+                 Verify that there is stable connection between the client and the KDC.
+                 </para>
+                </listitem>
+               </varlistentry>
+               <varlistentry>
+                <term>DNS issues</term>
+                <listitem>
+                 <para>
+                 Ensure there is a proper DNS resolution for the KDC and other &krb; related services.
+                 </para>
+                </listitem>
+               </varlistentry>
+               <varlistentry>
+                <term>Permission issues</term>
+                <listitem>
+                 <para>
+                Check if the &krb; principal has the right permissions.
+                 </para>
+                </listitem>
+               </varlistentry>
+               <varlistentry>
+                <term>Permission issues</term>
+                <listitem>
+                 <para>
+                Once you make the changes, repeat the action that triggered the issue to ensure the problem is solved.
+                Check the <envar>KRB5_TRACE</envar> log to confirm that the issues no longer exists.
+                 </para>
+                </listitem>
+               </varlistentry>
+               <varlistentry>
+                <term>Permission issues</term>
+                <listitem>
+                 <para>
+                Once the issue is resolved, you can disable <envar>KRB5_TRACE</envar> log:
+                 </para>
+                 <screen>&prompt.sudo; unset KRB5_TRACE</screen>
+                </listitem>
+               </varlistentry>
+                </variablelist>
+       </step>
+   </procedure>
+   <note><para>Machine accounts are subject to the same &krb; authentication as user accounts.
+    During &krb; authentication, clients that run local processes using the <literal>system</literal>
+account, assign these processes to the machine account when accessing remote resources. The machine account
+is associated to the computer name registered with the domain controller and is distinct with a <literal>$</literal>
+sign.</para></note>
+    </sect1>
  <sect1 xml:id="sec-security-kerberos-nfs">
   <title>&krb; and NFS</title>