How to add Kerberos logging to troubleshoot Active Directory related problems

Article ID: 160744

Products

Data Loss Prevention Enforce

Issue/Introduction

Is there a way to enable Kerberos logging on Enforce for troubleshooting?

Resolution

Kerberos logging can be enabled by adding a [logging] section to the Kerberos configuration file.

Add the following to krb5.ini:

[logging]

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

These entries enable Kerberos logging and specify where the output is written. In the example above, it is written to the designated files. You can also direct the output to syslog, as in the following example:

[logging]

kdc = SYSLOG:info:local1
admin-server = SYSLOG:info:local2
default = SYSLOG:err:auth
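
As an added example (not part of the original article or of the product), this Python check reads the [logging] section of a krb5.ini and flags destinations that would not log where expected. The destination forms follow the MIT Kerberos [logging] documentation and the severity and facility names come from syslog(3); that the Kerberos library used by Enforce accepts exactly this set is an assumption, and `SAMPLE` is constructed.

```python
import re

# Assumed name sets, taken from syslog(3) and compared case-insensitively.
# Destination forms: FILE:path / FILE=path, SYSLOG[:severity[:facility]],
# STDERR, CONSOLE, DEVICE=name (MIT Kerberos [logging] documentation).
SEVERITIES = {"EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"}
FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "AUTHPRIV", "LPR", "NEWS",
              "UUCP", "CRON", "FTP"} | {f"LOCAL{n}" for n in range(8)}

def logging_entries(text):
    """Return (key, value) pairs from [logging], keeping repeated keys."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[logging]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries

def check_destination(value):
    """Return (kind, problem); problem is None when the value looks valid."""
    upper = value.upper()
    if re.match(r"FILE[:=]", upper):
        # A relative path resolves against the process's working directory.
        if not re.match(r"(/|[A-Za-z]:[\\/])", value[5:]):
            return "file", "path is empty or relative"
        return "file", None
    if upper in ("STDERR", "CONSOLE") or upper.startswith("DEVICE="):
        return "device", None
    parts = upper.split(":")
    if parts[0] == "SYSLOG" and len(parts) <= 3:
        if len(parts) > 1 and parts[1] and parts[1] not in SEVERITIES:
            return "syslog", f"unknown severity {parts[1]}"
        if len(parts) > 2 and parts[2] and parts[2] not in FACILITIES:
            return "syslog", f"unknown facility {parts[2]}"
        return "syslog", None
    return "unknown", "unrecognised destination"

def lint(text):
    # One row per entry: (key, value, kind, problem)
    return [(k, v, *check_destination(v)) for k, v in logging_entries(text)]

# Constructed sample: two entries from the article plus one bad severity.
SAMPLE = ("[logging]\ndefault = FILE:/var/log/krb5libs.log\n"
          "kdc = SYSLOG:info:local1\ndefault = SYSLOG:verbose:auth\n")
if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```
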

See also TECH220609 - Tips on setting up Active Directory Authentication