Provided by: kerberos4kth-kdc_1.2.2-11.3ubuntu4_i386 bug


     kerberos - the kerberos daemon


     kerberos [-mns] [-a max age] [-i address] [-l log] [-p pause] [-P
     portspec] [-r realm] [-c] [database]


     This is the kerberos daemon.


     -a      Set the max age before the database is considered stale.

     -i      Only listen on address.  Normally, the kerberos server listens on
             all addresses of all interfaces.

     -l      Write the log to log

     -m      Run manually and prompt for master key.

     -n      Do not check max age.

     -p      Pause for pause before dying.

     -P      Listen to the ports specified by portspec.  This should be a
             white-space separated list of port specificatios. A port
             specification follows the format: port[/protocol].  The port can
             be either a symbolic port name (from /etc/services), or a number;
             protocol can be either udp, or tcp.  If left out, the KDC will
             listen to both UDP and TCP sockets on the specified port.
             The special string + mean that the default set of ports (TCP and
             UDP on ports 88 and 750) should be included.

     -r      Run as a server for realm realm

     -c      Allow cross-realm operation.  This is a known security hole.  Do
             not enable this unless you understand the consequences and are
             willing to live with them.

     -s      Set slave parameters.  This will enable check to see if data is
             getting too stale relative to the master.

     If no database is given a default datbase will be used, normally


     The server logs several messages in a log file (/var/run/kerberos.log by
     default).  The logging mechanism opens and closes the log file for each
     message, so you can safely rename the log file when the server is

   Operational messages
     These are normal messages that you will see in the log. They might be
     followed by some error message.

     Getting key for REALM
            The server fetched the key for ‘krbtgt.REALM’ for the specific
            realm. You will see this at startup, and for every attempt to use
            cross realm authentication.

     Starting Kerberos for REALM (kvno kvno)
            You will see this also if you start with -m.

     AS REQ name.instance@REALM for sname.sinstance from ip-number
            An initial (password authenticated) request was received.

     APPL REQ name.instance@REALM for sname.sinstance from ip-number
            A tgt-based request for a ticket was made.

   Error messages
     These messages reflects misconfigured clients, invalid requests, or
     possibly attepted attacks.

     UNKNOWN name.instance
            The server received a request with an unknown principal. This is
            most likely because someone typed the wrong name at a login
            prompt. It could also be someone trying to get a list of possible

     Unknown realm REALM from ip-number
            There isn’t a principal for ‘krbtgt.REALM’ in the database.

     Can’t hop realms: REALM1 -> REALM2
            There was a request for a ticket for another realm.  This might be
            because of a misconfigured client.

     Principal not unique name.instance
            There is more than one entry for this principal in the database.
            This is not very good.

     Null key name.instance
            Someone tried to use a principal that for some reason doesn’t have
            a key.

     Incorrect master key version for name.instance : number (should be
            The principal has it’s key encrypted with the wrong master key.

     Principal name.instance expired at date
            The principal’s key has expired.

     krb_rd_req from ip-number: error-message
            The message couldn’t be decoded properly. The error message will
            give you further hints. You will see this if someone is trying to
            use expired tickets.

     Unknown message type: number from ip-number
            The message received was not one that is understood by this

     Can’t authorize password changed based on TGT
            Someone tried to get a ‘changepw.kerberos’ via a tgt exchange.
            This is because of a broken client, or possibly an attack.

     KRB protocol version mismatch (number)
            The server received a request with an unknown version number.

   Fatal error messages
     The following messages indicate problems when starting the server.

     Database unavailable!
            There was some problem reading the database.

     Database currently being updated!
            Someone is currently updating the database (possibly via krop).

     Database out of date!
            The database is older than the maximum age specified.

     Couldn’t get master key.
            The master key file wasn’t found or the file is damaged.

     Can’t verify master key.
            The key in the keyfile doesn’t match the current databse.

     Ticket granting ticket service unknown
            The database doesn’t contain a ‘krbtgt.REALM’ for the local realm.


     kprop(8), kpropd(8)