Kerberos configuration problems and solutions
This topic covers some of the possible issues on a server on which Kerberos is configured.
Kerberos log messages are written to the SystemOut.log file of the WebSphere server, which is located at: WAS_HOME/profiles/KLMProfile/logs/server1/SystemOut.log
The following table lists some possible errors and their solutions.
Error | Solution |
Unspecified GSS failure, minor code may provide more information clock skew too great | Synchronize the time clocks on the Kerberos and GKLM servers. Kerberos typically permits a 5-minute time skew. |
kinit: Keytab contains no suitable keys for db2inst1/gklmserver@EXAMPLE.COM while getting initial credentials | Ensure that the keytab file contains the service principal for Db2®. Use the command:
|
SQL1365N db2start or db2stop failed in processing the plugin "IBMkrb5". Reason code = "10". | Ensure that the Db2 instance owner (db2inst1) has read access to the keytab file. Also, ensure that the keytab file contains the service principal for Db2. |
javax.security.auth.login.FailedLoginException: Login error: com.ibm.security.krb5.KrbException, status code: 6 message: Client/Server not found in Kerberos database | Ensure that the correct client name, as registered in the KDC, is used in the Configure Kerberos Authentication REST Service. Ensure that the correct service principal name is specified in the REST service. On Windows, ensure that the service is correctly associated with the Db2 user in the Active Directory. |
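
Two of the solutions above depend on the keytab file containing the Db2 service principal. The following is an added example, not part of the product documentation or IBM code: it parses a keytab and lists the principals, key version numbers and encryption types it holds. It assumes the keytab is in the MIT Kerberos file format, version 0x0502; the function names and the sample keytab (a host principal with an all-zero key) are constructed for illustration.

```python
import struct

def counted(buf, off):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_principals(data):
    """Return [(principal, kvno, enctype)] from MIT keytab (0x0502) bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp)
        p += 8                        # skip name type and timestamp
        kvno = data[p]
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                 # skip kvno byte, key header, key bytes
        if end - p >= 4:              # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        found.append(("/".join(comps) + "@" + realm, kvno, etype))
        off = end
    return found

def has_principal(data, wanted):
    return any(name == wanted for name, _, _ in keytab_principals(data))

def build_entry(principal, kvno, etype, key):  # constructed demo entry only
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for part in [realm] + name.split("/"):
        body += struct.pack(">H", len(part)) + part.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: only a host principal (enctype 18 = AES-256), zero key.
SAMPLE = b"\x05\x02" + build_entry("host/gklmserver@EXAMPLE.COM", 2, 18, bytes(32))
if __name__ == "__main__":
    print(keytab_principals(SAMPLE),
          has_principal(SAMPLE, "db2inst1/gklmserver@EXAMPLE.COM"))
```

To check a real keytab, pass the bytes read from the file to has_principal. Because a keytab holds long-term keys, run the check as the Db2 instance owner rather than widening the file permissions.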