[Kerberos] Add troubleshooting documentation #32803
Conversation
This commit adds troubleshooting section for Kerberos. Most of the times the problems seen are caused due to invalid configurations like keytab missing principals or credentials not up to date. Time synchronization is important part for Kerberos infrastructure and the time skew can cause problems. To debug further documentation explains how to enable JAAS Kerberos login module debugging and Kerberos/SPNEGO debugging by setting JVM system propertoes.
bizybot
added
review
v7.0.0
:Security/Authentication
|
Pinging @elastic/es-security |
|
Pinging @elastic/es-docs |
bizybot
changed the title
|
|
||
| * User authentication fails due to either GSS negotiation failure | ||
| or a service login failure on the server side or in the {es} HTTP client. Some of | ||
| the common exceptions are listed below with some tips to resolve them. |
There was a problem hiding this comment.
If I'm understanding the first sentence correctly, I think it should be changed to something like this: "User authentication fails due to either a GSS negotiation failure or a service login failure (on the server or the {es} HTTP client)".
There was a problem hiding this comment.
Yes, you are right. Thank you.
|
|
||
| *Resolution:* | ||
|
|
||
| `Failure unspecified at GSS-API level (Mechanism level: Checksum failed)`:: |
There was a problem hiding this comment.
Are these error messages in specific logs or on specific machines in the deployment?
There was a problem hiding this comment.
I have updated with some more information as it can log message on the server side and an error message on the client. Thank you.
| -- | ||
|
|
||
| When this occurs on HTTP client side, it may be related to an incorrect password. | ||
|
|
There was a problem hiding this comment.
Are the subsequent paragraphs related to when this occurs on the server side?
There was a problem hiding this comment.
I have separated this into client and server and yes the subsequent paragraphs are related to server-side except the last one which talks about hostname resolution which is common to both. Thank you.
| + | ||
| -- | ||
|
|
||
| To prevent replay attacks, Kerberos V5 sets maximum tolerance for computer clock |
| -- | ||
|
|
||
| To prevent replay attacks, Kerberos V5 sets maximum tolerance for computer clock | ||
| synchronization and it is usually set to 5 minutes. Check whether the time on |
|
|
||
| For detailed information, see {ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings]. | ||
|
|
||
| To enable Kerberos logging on JVM, add following JVM system properties: |
There was a problem hiding this comment.
I think this needs some context. Like when and why would you do this. How does it differ from the login module debug log
There was a problem hiding this comment.
I added some context about what does this additional logging provide as in GSS context negotiation logs and Kerberos exchange messages. Thank you.
|
|
||
| Kerberos depends on proper hostname resolution, so please check your DNS infrastructure. | ||
| Incorrect DNS setup, DNS SRV records or configuration for KDC servers in `krb5.conf` | ||
| +can cause problems with hostname resolution. |
There was a problem hiding this comment.
oops, Removed it. Thanks.
|
|
||
| As Kerberos logs are often cryptic in nature and many things can go wrong | ||
| as it depends on external services like DNS, time synchronization. You might | ||
| have to enable additional debug logs to root cause the issue. |
There was a problem hiding this comment.
I don't think "root cause" is a verb 😈
Maybe "... debug logs to determine the root cause of the issue."
There was a problem hiding this comment.
Thank you, Tim. Addressed this.
jaymode
left a comment
jaymode
left a comment
There was a problem hiding this comment.
I left some feedback. After those are addressed, LGTM
| *Symptoms:* | ||
|
|
||
| * User authentication fails due to either GSS negotiation failure | ||
| or a service login failure ( either on the server or in the {es} http client). |
There was a problem hiding this comment.
nit remove space between ( and e
There was a problem hiding this comment.
Thank you, addressed this.
|
|
||
| * User authentication fails due to either GSS negotiation failure | ||
| or a service login failure ( either on the server or in the {es} http client). | ||
| Some of the common exceptions are listed below with some tips to resolve them. |
There was a problem hiding this comment.
s/some tips to resolve/tips to help resolve
There was a problem hiding this comment.
Changed, thank you.
| -- | ||
|
|
||
| As Kerberos logs are often cryptic in nature and many things can go wrong | ||
| as it depends on external services like DNS, time synchronization. You might |
There was a problem hiding this comment.
s/DNS, time synchronization/DNS and NTP.
There was a problem hiding this comment.
Modified this, Thank you.
| as it depends on external services like DNS, time synchronization. You might | ||
| have to enable additional debug logs to determine the root cause of the issue. | ||
|
|
||
| {es} uses JAAS (Java Authentication and Authorization Service) Kerberos login |
There was a problem hiding this comment.
Modified this, Thank you
| For detailed information, see {ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings]. | ||
|
|
||
| Sometimes you may need to go deeper to understand the problem during SPNEGO | ||
| gss context negotiation or look at the Kerberos message exchange. To enable |
There was a problem hiding this comment.
Modified this, Thank you
This commit adds troubleshooting section for Kerberos. Most of the times the problems seen are caused due to invalid configurations like keytab missing principals or credentials not up to date. Time synchronization is an important part for Kerberos infrastructure and the time skew can cause problems. To debug further documentation explains how to enable JAAS Kerberos login module debugging and Kerberos/SPNEGO debugging by setting JVM system properties.
This commit adds troubleshooting section for Kerberos. Most of the times the problems seen are caused due to invalid configurations like keytab missing principals or credentials not up to date. Time synchronization is an important part for Kerberos infrastructure and the time skew can cause problems. To debug further documentation explains how to enable JAAS Kerberos login module debugging and Kerberos/SPNEGO debugging by setting JVM system properties.
6 participants
This commit adds troubleshooting section for Kerberos.
Most of the times the problems seen are caused due to invalid
configurations like keytab missing principals or credentials
not up to date. Time synchronization is an important part for
Kerberos infrastructure and the time skew can cause problems.
To debug further documentation explains how to enable JAAS
Kerberos login module debugging and Kerberos/SPNEGO debugging
by setting JVM system properties.