Common Failures

Warnings

<<things that cause normal log errors>>

Serious Failures

<<things that cause segmentation faults>>

Silent Failures

User mapping failure:

If no user mapping is configured, or the user mapping fails, (i.e., local-login-user extracted using shibboleth-sp), Moonshot will fail silently

IDP TIDS data synchronisation failure:

When the remote Moonshot IDP continues to successfully authenticate the Jisc heartbeat, but consistently fails to authenticate any requests with a 'PSK key not found' failure even after a rekey process, restart TIDS on the remote Moonshot IDP. It is likely that TIDS no longer writes its authorisation keys to the TIDS database (/var/lib/trust_router/keys), which leads to FreeRADIUS not being able to retrieve an appropriate pre-shared key for the TLS tunnel between itself and the RP Proxy of the service provider. Restarting TIDS should restore this.

Failed credential lookup:

When in pure command-line mode and a credential lookup in identities.txt (or in its absence, the file lookup for .gss_eap_id in the initiating user's home directory) fails, a gss-client/gss-server interaction fails like this:

GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information
GSS-API error initializing context:

No other information is made available. 

Long delays when attempting a GSSAPI connection

Try the following workaround:

1. Edit /etc/krb5.conf on both ends (particularly on the server end) and insert the following portion if it does not exist:

   [libdefaults]
   rdns = no

2. Save the file and retry the connection.

This option turns off reverse DNS resolution and is a problem in the underlying GSSAPI subsystem. It is not specific to the Moonshot mechanism.