Provided by: kerberos4kth-kdc_1.2.2-11.3ubuntu4_i386
kerberos - the kerberos daemon
kerberos [-mns] [-a max age] [-i address] [-l log] [-p pause] [-P
portspec] [-r realm] [-c] [database]
This is the kerberos daemon.
-a Set the max age before the database is considered stale.
-i Only listen on address. Normally, the kerberos server listens on
all addresses of all interfaces.
-l Write the log to log
-m Run manually and prompt for master key.
-n Do not check max age.
-p Pause for pause before dying.
-P Listen to the ports specified by portspec. This should be a
white-space separated list of port specificatios. A port
specification follows the format: port[/protocol]. The port can
be either a symbolic port name (from /etc/services), or a number;
protocol can be either udp, or tcp. If left out, the KDC will
listen to both UDP and TCP sockets on the specified port.
The special string + mean that the default set of ports (TCP and
UDP on ports 88 and 750) should be included.
-r Run as a server for realm realm
-c Allow cross-realm operation. This is a known security hole. Do
not enable this unless you understand the consequences and are
willing to live with them.
-s Set slave parameters. This will enable check to see if data is
getting too stale relative to the master.
If no database is given a default datbase will be used, normally
The server logs several messages in a log file (/var/run/kerberos.log by
default). The logging mechanism opens and closes the log file for each
message, so you can safely rename the log file when the server is
These are normal messages that you will see in the log. They might be
followed by some error message.
Getting key for REALM
The server fetched the key for ‘krbtgt.REALM’ for the specific
realm. You will see this at startup, and for every attempt to use
cross realm authentication.
Starting Kerberos for REALM (kvno kvno)
You will see this also if you start with -m.
AS REQ name.instance@REALM for sname.sinstance from ip-number
An initial (password authenticated) request was received.
APPL REQ name.instance@REALM for sname.sinstance from ip-number
A tgt-based request for a ticket was made.
These messages reflects misconfigured clients, invalid requests, or
possibly attepted attacks.
The server received a request with an unknown principal. This is
most likely because someone typed the wrong name at a login
prompt. It could also be someone trying to get a list of possible
Unknown realm REALM from ip-number
There isn’t a principal for ‘krbtgt.REALM’ in the database.
Can’t hop realms: REALM1 -> REALM2
There was a request for a ticket for another realm. This might be
because of a misconfigured client.
Principal not unique name.instance
There is more than one entry for this principal in the database.
This is not very good.
Null key name.instance
Someone tried to use a principal that for some reason doesn’t have
Incorrect master key version for name.instance : number (should be
The principal has it’s key encrypted with the wrong master key.
Principal name.instance expired at date
The principal’s key has expired.
krb_rd_req from ip-number: error-message
The message couldn’t be decoded properly. The error message will
give you further hints. You will see this if someone is trying to
use expired tickets.
Unknown message type: number from ip-number
The message received was not one that is understood by this
Can’t authorize password changed based on TGT
Someone tried to get a ‘changepw.kerberos’ via a tgt exchange.
This is because of a broken client, or possibly an attack.
KRB protocol version mismatch (number)
The server received a request with an unknown version number.
Fatal error messages
The following messages indicate problems when starting the server.
There was some problem reading the database.
Database currently being updated!
Someone is currently updating the database (possibly via krop).
Database out of date!
The database is older than the maximum age specified.
Couldn’t get master key.
The master key file wasn’t found or the file is damaged.
Can’t verify master key.
The key in the keyfile doesn’t match the current databse.
Ticket granting ticket service unknown
The database doesn’t contain a ‘krbtgt.REALM’ for the local realm.