author Zhanna Tsitkov <tsitkova@mit.edu> 2013-12-19 13:08:56 -0500
committer Zhanna Tsitkov <tsitkova@mit.edu> 2013-12-19 13:08:56 -0500
commit ab6484c347d02c0b9a97510fe9c3e2ece9a62e65
tree 0cf70d34eb0ebbc7cdd5c026b21c8fb1b24babd5
parent b78c3c8c5025aec870d20472f80d4a652062f921
Move kprop error explanation into Troubleshooting
The plan is to make the Troubleshooting section of the documentation a one-stop-shop place for all error diagnostics, explanations and possible solutions. The relocation of kprop error message descriptions is part of this consolidation effort.
-rw-r--r-- doc/admin/install_kdc.rst 39
-rw-r--r-- doc/admin/troubleshoot.rst 86
2 files changed, 77 insertions, 48 deletions
diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index 3d6730bcb5..af938993f0 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -455,40 +455,13 @@ the krb5kdc daemon automatically at boot time.
Propagation failed?
###################
-.. _prop_failed_start:
+You may encounter the following error messages. For a more detailed
+discussion on possible causes and solutions click on the error link
+to be redirected to :ref:`troubleshoot` section.
-.. error::
-
- kprop: No route to host while connecting to server
-
-Make sure that the hostname of the slave (as given to kprop) is
-correct, and that any firewalls between the master and the slave allow
-a connection on port 754.
-
-.. error::
-
- kprop: Connection refused while connecting to server
-
-If the slave is intended to run kpropd out of inetd, make sure that
-inetd is configured to accept krb5_prop connections. inetd may need
-to be restarted or sent a SIGHUP to recognize the new configuration.
-If the slave is intended to run kpropd in standalone mode, make sure
-that it is running.
-
-.. error::
-
- kprop: Server rejected authentication (during sendauth
- exchange) while authenticating to server
-
-Make sure that:
-
-#. The time is synchronized between the master and slave KDCs.
-#. The master stash file was copied from the master to the expected
- location on the slave.
-#. The slave has a keytab file in the default location containing a
- ``host`` principal for the slave's hostname.
-
-.. _prop_failed_end:
+.. include:: ./troubleshoot.rst
+ :start-after: _prop_failed_start:
+ :end-before: _prop_failed_end:
Add Kerberos principals to the database
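Review bot: The new intro sentence above the include ("click on the error link to be redirected to :ref:`troubleshoot` section") assumes a hyperlinked HTML build and is missing an article; wording such as "see the linked entry in the :ref:`troubleshoot` section" reads correctly in every output format. The include also now depends on the literal strings `_prop_failed_start:` and `_prop_failed_end:` staying in troubleshoot.rst, so a comment beside those markers saying they delimit text included from install_kdc.rst would keep a later edit from breaking this include.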
diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst
index 91afd2b47d..0c61493147 100644
--- a/doc/admin/troubleshoot.rst
+++ b/doc/admin/troubleshoot.rst
@@ -1,3 +1,5 @@
+.. _troubleshoot:
+
Troubleshooting
===============
@@ -30,18 +32,45 @@ of the :ref:`kvno(1)` command::
FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
-List
-----
-.. error::
+List of errors
+--------------
+
+Frequently seen errors
+~~~~~~~~~~~~~~~~~~~~~~
+
+#. :ref:`init_creds_ETYPE_NOSUPP`
+
+#. :ref:`cert_chain_ETYPE_NOSUPP`
+
+#. :ref:`err_cert_chain_cert_expired`
+
+
+Errors seen by admins
+~~~~~~~~~~~~~~~~~~~~~
+
+.. _prop_failed_start:
+
+#. :ref:`kprop_no_route`
+
+#. :ref:`kprop_con_refused`
+
+#. :ref:`kprop_sendauth_exchange`
+
+.. _prop_failed_end:
- KDC has no support for encryption type while getting
- initial credentials
+-----
-.. error::
+.. _init_creds_etype_nosupp:
- credential verification failed: KDC has no support for
- encryption type
+KDC has no support for encryption type while getting initial credentials
+........................................................................
+
+.. _cert_chain_etype_nosupp:
+
+
+credential verification failed: KDC has no support for encryption type
+......................................................................
This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
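Review bot: The section "KDC has no support for encryption type while getting initial credentials" ends up with no body: its title is followed directly by the `cert_chain_etype_nosupp` label and the next title, so a reader arriving through the first index entry lands on an empty section while the DES explanation sits under the second title only. Either put both labels ahead of a single section or add a sentence under the first title pointing to the shared explanation. The index also spells the targets `init_creds_ETYPE_NOSUPP` and `cert_chain_ETYPE_NOSUPP` while the labels are lowercase; matching the case would make them easier to grep for.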
@@ -50,11 +79,11 @@ size. If you cannot migrate away from its use, you can re-enable DES
by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults`
section of :ref:`krb5.conf(5)`.
-Seen in: clients
-.. error::
+.. _err_cert_chain_cert_expired:
- Cannot create cert chain: certificate has expired
+Cannot create cert chain: certificate has expired
+.................................................
This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
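Review bot: The "Seen in: clients" line is deleted here without a replacement, and the commit message only mentions moving the kprop descriptions. If the new "Frequently seen errors" / "Errors seen by admins" index is meant to carry that information, say so in the commit message; otherwise keep the line under the section it described.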
@@ -72,8 +101,35 @@ release 1.12, as an error message from kinit or another program which
gets initial tickets. The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.
-----
+.. _kprop_no_route:
+
+kprop: No route to host while connecting to server
+..................................................
+
+Make sure that the hostname of the slave (as given to kprop) is
+correct, and that any firewalls between the master and the slave allow
+a connection on port 754.
+
+.. _kprop_con_refused:
+
+kprop: Connection refused while connecting to server
+....................................................
+
+If the slave is intended to run kpropd out of inetd, make sure that
+inetd is configured to accept krb5_prop connections. inetd may need
+to be restarted or sent a SIGHUP to recognize the new configuration.
+If the slave is intended to run kpropd in standalone mode, make sure
+that it is running.
+
+.. _kprop_sendauth_exchange:
+
+kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
+...............................................................................................
+
+Make sure that:
-.. include:: ./install_kdc.rst
- :start-after: _prop_failed_start:
- :end-before: _prop_failed_end:
+#. The time is synchronized between the master and slave KDCs.
+#. The master stash file was copied from the master to the expected
+ location on the slave.
+#. The slave has a keytab file in the default location containing a
+ ``host`` principal for the slave's hostname.
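Review bot: The three kprop sections are appended straight after the PKINIT certificate section, and the `-----` transition that used to close that area is removed, so the body has no counterpart to the index's "Frequently seen errors" / "Errors seen by admins" split. A subsection heading or a transition before `.. _kprop_no_route:` would keep the admin-only entries visibly separate. The checklist and explanations themselves are moved verbatim, which is right for a relocation commit.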