[Freeipa-users] Logging configuration for ipa server
David Kupka
dkupka at redhat.com
Wed Feb 17 09:14:32 UTC 2016
On 17/02/16 09:36, bahan w wrote:
> Hello !
>
> I am sending you this mail with a question about the Kerberos logs on the
> IPA server.
>
> On the server, there are two configuration files :
> - kdc.conf : for the server
> - krb5.conf : for the client
>
> In both of these files, we can put a logging section.
> In this section, there are 3 parameters :
> - default
> - kdc
> - admin
>
> May I put the same values for both client and server or is it better to put
> different values for the server part ?
>
> BR.
>
> Bahan
>
>
>
Hello Bahan,
looking into the krb5.conf man page, I don't see any logging section. I think
it should be enough to configure logging on the server (in kdc.conf).

Example:
A user tries to perform kinit with a nonexistent principal and receives an error:

$ kinit nonexistent
kinit: Client 'nonexistent@EXAMPLE.TEST' not found in Kerberos database while getting initial credentials

Then the admin can see this event in the KDC log on the server:

Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexistent@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
--
David Kupka
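
Added example (not part of the original thread, and not FreeIPA or MIT Kerberos code): a parser for failed AS_REQ entries in the format of the KDC log line quoted above, used to list source addresses that requested several distinct unknown principals. The sample lines, the threshold and the function names are constructed for illustration; principals are written with `@`.

```python
import re
from collections import defaultdict

# Failed AS_REQ entries end with "<status>: <client> for <server>, <message>".
# Successful ones ("ISSUE: authtime ...") have another layout and do not match.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*?\) (?P<src>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,]+), (?P<msg>.*)$"
)

def parse_as_req(line):
    """Return the fields of a failed AS_REQ log line as a dict, else None."""
    m = AS_REQ.search(line.strip())
    return m.groupdict() if m else None

def unknown_principal_sources(lines, threshold=3):
    """Map source address -> sorted unknown principals it requested, keeping
    only sources that tried at least `threshold` distinct names."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_as_req(line)
        if event and event["status"] == "CLIENT_NOT_FOUND":
            seen[event["src"]].add(event["client"])
    return {src: sorted(names) for src, names in seen.items()
            if len(names) >= threshold}

# Constructed sample input: the first entry mirrors the one in the message,
# the others are made up (addresses are from the documentation range).
HDR = "vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26})"
TGT = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
NF = "Client not found in Kerberos database"
SAMPLE = [
    f"Feb 17 10:10:35 {HDR} 192.0.2.248: CLIENT_NOT_FOUND: nonexistent@EXAMPLE.TEST for {TGT}, {NF}",
    f"Feb 17 10:11:01 {HDR} 192.0.2.50: CLIENT_NOT_FOUND: alice1@EXAMPLE.TEST for {TGT}, {NF}",
    f"Feb 17 10:11:02 {HDR} 192.0.2.50: CLIENT_NOT_FOUND: bob2@EXAMPLE.TEST for {TGT}, {NF}",
    f"Feb 17 10:11:02 {HDR} 192.0.2.50: CLIENT_NOT_FOUND: alice1@EXAMPLE.TEST for {TGT}, {NF}",
    f"Feb 17 10:11:03 {HDR} 192.0.2.50: CLIENT_NOT_FOUND: carol3@EXAMPLE.TEST for {TGT}, {NF}",
    f"Feb 17 10:11:09 {HDR} 192.0.2.50: NEEDED_PREAUTH: admin@EXAMPLE.TEST for {TGT}, "
    "Additional pre-authentication required",
]

if __name__ == "__main__":
    for src, names in unknown_principal_sources(SAMPLE).items():
        print(f"{src}: {len(names)} unknown principals requested: {', '.join(names)}")
```

A single mistyped principal, like the one in the reply, stays below the threshold; only the source that cycles through several unknown names is reported.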