HP (Hewlett-Packard) E0905 Server User Manual


 
Propagating the Kerberos Server
Monitoring Propagation
Chapter 9
attempt is sent to the primary security server. However, if the
principal fails on one server as many times as specified by the
MaxFailAuthCnt parameter in the password policy file, that
principal is locked out.
NOTE: HP authentication servers do not issue different messages for
different situations that cause authentication failure. For security
reasons, the error message displayed is the same for bad password,
bad user, or locked user.
Situations such as an incorrectly typed password or a locked user, which
cause authentication failure, are not sufficient to indicate an
out-of-sync condition.
Administration appears normal
An out-of-sync condition can also occur when administration
appears to be normal. When a principal who has changed the
password fails to authenticate, the principal reports the problem to
the administrator. The administrator uses one of the administration
tools to unlock the user and change the user's password to a
simple value, and then provides the new password to the user.
The principal may still fail to authenticate with the new password and
report the problem to the administrator again. If the problem is not
solved despite being reported repeatedly, this can indicate that
the databases are out-of-sync and that propagation has stopped. A
principal that is unable to authenticate multiple times can also
indicate an out-of-sync problem.
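
The triage rule described above, written out as an added Python example (not part of the HP manual): a single failure is ignored, while a principal that keeps failing after the administrator has reset the password is flagged as a possible out-of-sync case. The event record format, the event names and the sample principals are constructed for illustration and are not an HP log format.

```python
from collections import defaultdict

# Constructed help-desk/admin records: (sequence, principal, event).
# Event names are hypothetical, chosen for this example only.
EVENTS = [
    (1, "alice@EXAMPLE.COM", "auth_fail"),
    (2, "alice@EXAMPLE.COM", "admin_reset"),  # admin unlocks, sets new password
    (3, "alice@EXAMPLE.COM", "auth_fail"),    # new password still rejected
    (4, "alice@EXAMPLE.COM", "admin_reset"),
    (5, "alice@EXAMPLE.COM", "auth_fail"),    # rejected again after second reset
    (6, "bob@EXAMPLE.COM", "auth_fail"),      # mistyped password: not sufficient
    (7, "bob@EXAMPLE.COM", "auth_ok"),
    (8, "carol@EXAMPLE.COM", "auth_fail"),
    (9, "carol@EXAMPLE.COM", "admin_reset"),
    (10, "carol@EXAMPLE.COM", "auth_ok"),     # the reset solved the problem
]


def out_of_sync_suspects(events, min_failed_resets=2):
    """Return {principal: n} where n counts admin resets that were followed
    by another authentication failure before any success. Principals with
    fewer than min_failed_resets such cycles are left out, because one
    failure after a reset can still be a typing error."""
    pending_reset = defaultdict(bool)   # reset issued, outcome not yet seen
    failed_resets = defaultdict(int)
    for _, principal, event in sorted(events):
        if event == "admin_reset":
            pending_reset[principal] = True
        elif event == "auth_ok":
            pending_reset[principal] = False
        elif event == "auth_fail" and pending_reset[principal]:
            failed_resets[principal] += 1
            pending_reset[principal] = False
    return {p: n for p, n in failed_resets.items() if n >= min_failed_resets}


if __name__ == "__main__":
    for principal, n in out_of_sync_suspects(EVENTS).items():
        print(f"{principal}: {n} resets did not restore authentication; "
              "check propagation between primary and secondary servers")
```
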
Log files indicate problems
Indications of propagation failure in the primary and
secondary security server log files provide a clue to an out-of-sync
problem. If kpropd is not running on the primary security server and
each secondary security server, you can be certain that an out-of-sync
condition exists.
Mismatch between the number of principals
Both machines must contain the same number of principals. A few
discrepancies can exist if the database is dumped during a
propagation cycle; only a few principals may differ due to an