Kerberos v5 Status Codes
Each GSS-API function returns two status codes: a major status code and a minor status code.
Major status codes relate to the behavior of GSS-API. For example, if an
application attempts to transmit a message after a security context has expired, GSS-API returns
a major status code of GSS_S_CONTEXT_EXPIRED. Major status codes are listed in GSS-API Status Codes.
Minor status codes are returned by the underlying security mechanisms supported by a
given implementation of GSS-API. Every GSS-API function takes as the first argument a
minor_status or minor_stat parameter. An application can examine this parameter when the function
returns, successfully or not, to see the status that is returned by the
underlying mechanism.
The following tables list the status messages that can be returned by Kerberos
v5 in the minor_status argument. For more on GSS-API status codes, see GSS-API Status Codes.
Messages Returned in Kerberos v5 for Status Code 1
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 1.
Table B-5 Kerberos v5 Status Codes 1
|
|
|
|---|
KRB5KDC_ERR_NONE |
-1765328384L |
No error |
KRB5KDC_ERR_NAME_EXP |
-1765328383L |
Client's entry in database has expired |
KRB5KDC_ERR_SERVICE_EXP |
-1765328382L |
Server's
entry in database has expired |
KRB5KDC_ERR_BAD_PVNO |
-1765328381L |
Requested protocol version not supported |
KRB5KDC_ERR_C_OLD_MAST_KVNO |
-1765328380L |
Client's key is encrypted
in an old master key |
KRB5KDC_ERR_S_OLD_MAST_KVNO |
-1765328379L |
Server's key is encrypted in an old master
key |
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN |
-1765328378L |
Client not found in Kerberos database |
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN |
-1765328377L |
Server not found in Kerberos database |
KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE |
-1765328376L |
Principal has
multiple entries in Kerberos database |
KRB5KDC_ERR_NULL_KEY |
-1765328375L |
Client or server has a null key |
KRB5KDC_ERR_CANNOT_POSTDATE |
-1765328374L |
Ticket is
ineligible for postdating |
KRB5KDC_ERR_NEVER_VALID |
-1765328373L |
Requested effective lifetime is negative or too short |
KRB5KDC_ERR_POLICY |
-1765328372L |
KDC policy rejects
request |
KRB5KDC_ERR_BADOPTION |
-1765328371L |
KDC can't fulfill requested option |
KRB5KDC_ERR_ETYPE_NOSUPP |
-1765328370L |
KDC has no support for encryption type |
KRB5KDC_ERR_SUMTYPE_NOSUPP |
-1765328369L |
KDC has
no support for checksum type |
KRB5KDC_ERR_PADATA_TYPE_NOSUPP |
-1765328368L |
KDC has no support for padata type |
KRB5KDC_ERR_TRTYPE_NOSUPP |
-1765328367L |
KDC has
no support for transited type |
KRB5KDC_ERR_CLIENT_REVOKED |
-1765328366L |
Client's credentials have been revoked |
KRB5KDC_ERR_SERVICE_REVOKED |
-1765328365L |
Credentials for server have
been revoked |
|
Messages Returned in Kerberos v5 for Status Code 2
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 2.
Table B-6 Kerberos v5 Status Codes 2
|
|
|
|---|
KRB5KDC_ERR_TGT_REVOKED |
-1765328364L |
TGT has been revoked |
KRB5KDC_ERR_CLIENT_NOTYET |
-1765328363L |
Client not yet valid,
try again later |
KRB5KDC_ERR_SERVICE_NOTYET |
-1765328362L |
Server not yet valid, try again later |
KRB5KDC_ERR_KEY_EXP |
-1765328361L |
Password has expired |
KRB5KDC_ERR_PREAUTH_FAILED |
-1765328360L |
Preauthentication failed |
KRB5KDC_ERR_PREAUTH_REQUIRED |
-1765328359L |
Additional
preauthentication required |
KRB5KDC_ERR_SERVER_NOMATCH |
-1765328358L |
Requested server and ticket don't match |
KRB5PLACEHOLD_27 through KRB5PLACEHOLD_30 |
-1765328357L through -1765328354L |
KRB5 error
codes 27 through 30 (reserved) |
KRB5KRB_AP_ERR_BAD_INTEGRITY |
-1765328353L |
Decrypt integrity check failed |
KRB5KRB_AP_ERR_TKT_EXPIRED |
-1765328352L |
Ticket expired |
KRB5KRB_AP_ERR_TKT_NYV |
-1765328351L |
Ticket not yet valid |
KRB5KRB_AP_ERR_REPEAT |
-1765328350L |
Request
is a replay |
KRB5KRB_AP_ERR_NOT_US |
-1765328349L |
The ticket isn't for us |
KRB5KRB_AP_ERR_BADMATCH |
-1765328348L |
Ticket/authenticator do not match |
KRB5KRB_AP_ERR_SKEW |
-1765328347L |
Clock skew too
great |
KRB5KRB_AP_ERR_BADADDR |
-1765328346L |
Incorrect net address |
KRB5KRB_AP_ERR_BADVERSION |
-1765328345L |
Protocol version mismatch |
KRB5KRB_AP_ERR_MSG_TYPE |
-1765328344L |
Invalid message type |
KRB5KRB_AP_ERR_MODIFIED |
-1765328343L |
Message stream modified |
KRB5KRB_AP_ERR_BADORDER |
-1765328342L |
Message out of order |
KRB5KRB_AP_ERR_ILL_CR_TKT |
-1765328341L |
Illegal
cross-realm ticket |
KRB5KRB_AP_ERR_BADKEYVER |
-1765328340L |
Key version is not available |
|
Messages Returned in Kerberos v5 for Status Code 3
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 3.
Table B-7 Kerberos v5 Status Codes 3
|
|
|
|---|
KRB5KRB_AP_ERR_NOKEY |
-1765328339L |
Service key not available |
KRB5KRB_AP_ERR_MUT_FAIL |
-1765328338L |
Mutual authentication failed |
KRB5KRB_AP_ERR_BADDIRECTION |
-1765328337L |
Incorrect message
direction |
KRB5KRB_AP_ERR_METHOD |
-1765328336L |
Alternative authentication method required |
KRB5KRB_AP_ERR_BADSEQ |
-1765328335L |
Incorrect sequence number in message |
KRB5KRB_AP_ERR_INAPP_CKSUM |
-1765328334L |
Inappropriate type of checksum in
message |
KRB5PLACEHOLD_51 throughKRB5PLACEHOLD_59 |
-1765328333L through -1765328325L |
KRB5 error codes 51 through 59 (reserved) |
KRB5KRB_ERR_GENERIC |
-1765328324L |
Generic error |
KRB5KRB_ERR_FIELD_TOOLONG |
-1765328323L |
Field is
too long for this implementation |
KRB5PLACEHOLD_62 through KRB5PLACEHOLD_127 |
-1765328322L through -1765328257L |
KRB5 error codes 62
through 127 (reserved) |
value not returned |
-1765328256L |
For internal use only |
KRB5_LIBOS_BADLOCKFLAG |
-1765328255L |
Invalid flag for file lock mode |
KRB5_LIBOS_CANTREADPWD |
-1765328254L |
Cannot read password |
KRB5_LIBOS_BADPWDMATCH |
-1765328253L |
Password mismatch |
KRB5_LIBOS_PWDINTR |
-1765328252L |
Password read
interrupted |
KRB5_PARSE_ILLCHAR |
-1765328251L |
Illegal character in component name |
KRB5_PARSE_MALFORMED |
-1765328250L |
Malformed representation of principal |
KRB5_CONFIG_CANTOPEN |
-1765328249L |
Can't open/find Kerberos /etc/krb5/krb5 configuration file |
KRB5_CONFIG_BADFORMAT |
-1765328248L |
Improper
format of Kerberos /etc/krb5/krb5 configuration file |
KRB5_CONFIG_NOTENUFSPACE |
-1765328247L |
Insufficient space to return complete information |
KRB5_BADMSGTYPE |
-1765328246L |
Invalid message type
has been specified for encoding |
KRB5_CC_BADNAME |
-1765328245L |
Credential cache name malformed |
|
Messages Returned in Kerberos v5 for Status Code 4
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 4.
Table B-8 Kerberos v5 Status Codes 4
|
|
|
|---|
KRB5_CC_UNKNOWN_TYPE |
-1765328244L |
Unknown credential cache type |
KRB5_CC_NOTFOUND |
-1765328243L |
No matching credential has
been found |
KRB5_CC_END |
-1765328242L |
End of credential cache reached |
KRB5_NO_TKT_SUPPLIED |
-1765328241L |
Request did not supply a ticket |
KRB5KRB_AP_WRONG_PRINC |
-1765328240L |
Wrong principal
in request |
KRB5KRB_AP_ERR_TKT_INVALID |
-1765328239L |
Ticket has invalid flag set |
KRB5_PRINC_NOMATCH |
-1765328238L |
Requested principal and ticket don't match |
KRB5_KDCREP_MODIFIED |
-1765328237L |
KDC reply
did not match expectations |
KRB5_KDCREP_SKEW |
-1765328236L |
Clock skew too great in KDC reply |
KRB5_IN_TKT_REALM_MISMATCH |
-1765328235L |
Client/server realm mismatch
in initial ticket request |
KRB5_PROG_ETYPE_NOSUPP |
-1765328234L |
Program lacks support for encryption type |
KRB5_PROG_KEYTYPE_NOSUPP |
-1765328233L |
Program lacks support for
key type |
KRB5_WRONG_ETYPE |
-1765328232L |
Requested encryption type not used in message |
KRB5_PROG_SUMTYPE_NOSUPP |
-1765328231L |
Program lacks support for checksum
type |
KRB5_REALM_UNKNOWN |
-1765328230L |
Cannot find KDC for requested realm |
KRB5_SERVICE_UNKNOWN |
-1765328229L |
Kerberos service unknown |
KRB5_KDC_UNREACH |
-1765328228L |
Cannot contact any KDC for
requested realm |
KRB5_NO_LOCALNAME |
-1765328227L |
No local name found for principal name |
KRB5_MUTUAL_FAILED |
-1765328226L |
Mutual authentication failed |
KRB5_RC_TYPE_EXISTS |
-1765328225L |
Replay cache type
is already registered |
KRB5_RC_MALLOC |
-1765328224L |
No more memory to allocate in replay cache code |
KRB5_RC_TYPE_NOTFOUND |
-1765328223L |
Replay cache
type is unknown |
|
Messages Returned in Kerberos v5 for Status Code 5
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 5.
Table B-9 Kerberos v5 Status Codes 5
|
|
|
|---|
KRB5_RC_UNKNOWN |
-1765328222L |
Generic unknown RC error |
KRB5_RC_REPLAY |
-1765328221L |
Message is a replay |
KRB5_RC_IO |
-1765328220L |
Replay
I/O operation failed |
KRB5_RC_NOIO |
-1765328219L |
Replay cache type does not support non-volatile storage |
KRB5_RC_PARSE |
-1765328218L |
Replay cache name
parse and format error |
KRB5_RC_IO_EOF |
-1765328217L |
End-of-file on replay cache I/O |
KRB5_RC_IO_MALLOC |
-1765328216L |
No more memory to allocate
in replay cache I/O code |
KRB5_RC_IO_PERM |
-1765328215L |
Permission denied in replay cache code |
KRB5_RC_IO_IO |
-1765328214L |
I/O error in
replay cache i/o code |
KRB5_RC_IO_UNKNOWN |
-1765328213L |
Generic unknown RC/IO error |
KRB5_RC_IO_SPACE |
-1765328212L |
Insufficient system space to store replay
information |
KRB5_TRANS_CANTOPEN |
-1765328211L |
Can't open/find realm translation file |
KRB5_TRANS_BADFORMAT |
-1765328210L |
Improper format of realm translation file |
KRB5_LNAME_CANTOPEN |
-1765328209L |
Can't open or
find lname translation database |
KRB5_LNAME_NOTRANS |
-1765328208L |
No translation is available for requested principal |
KRB5_LNAME_BADFORMAT |
-1765328207L |
Improper format of
translation database entry |
KRB5_CRYPTO_INTERNAL |
-1765328206L |
Cryptosystem internal error |
KRB5_KT_BADNAME |
-1765328205L |
Key table name malformed |
KRB5_KT_UNKNOWN_TYPE |
-1765328204L |
Unknown Key table type |
KRB5_KT_NOTFOUND |
-1765328203L |
Key table
entry not found |
KRB5_KT_END |
-1765328202L |
End of key table reached |
KRB5_KT_NOWRITE |
-1765328201L |
Cannot write to specified key table |
|
Messages Returned in Kerberos v5 for Status Code 6
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 6.
Table B-10 Kerberos v5 Status Codes 6
|
|
|
|---|
KRB5_KT_IOERR |
-1765328200L |
Error writing to key table |
KRB5_NO_TKT_IN_RLM |
-1765328199L |
Cannot find ticket
for requested realm |
KRB5DES_BAD_KEYPAR |
-1765328198L |
DES key has bad parity |
KRB5DES_WEAK_KEY |
-1765328197L |
DES key is a weak key |
KRB5_BAD_ENCTYPE |
-1765328196L |
Bad
encryption type |
KRB5_BAD_KEYSIZE |
-1765328195L |
Key size is incompatible with encryption type |
KRB5_BAD_MSIZE |
-1765328194L |
Message size is incompatible with
encryption type |
KRB5_CC_TYPE_EXISTS |
-1765328193L |
Credentials cache type is already registered |
KRB5_KT_TYPE_EXISTS |
-1765328192L |
Key table type is already registered |
KRB5_CC_IO |
-1765328191L |
Credentials cache I/O operation failed |
KRB5_FCC_PERM |
-1765328190L |
Credentials cache file permissions incorrect |
KRB5_FCC_NOFILE |
-1765328189L |
No credentials cache file
found |
KRB5_FCC_INTERNAL |
-1765328188L |
Internal file credentials cache error |
KRB5_CC_WRITE |
-1765328187L |
Error writing to credentials cache file |
KRB5_CC_NOMEM |
-1765328186L |
No more memory
to allocate in credentials cache code |
KRB5_CC_FORMAT |
-1765328185L |
Bad format in credentials cache |
KRB5_INVALID_FLAGS |
-1765328184L |
Invalid KDC option
combination, which is an internal library error |
KRB5_NO_2ND_TKT |
-1765328183L |
Request missing second ticket |
KRB5_NOCREDS_SUPPLIED |
-1765328182L |
No credentials supplied
to library routine |
KRB5_SENDAUTH_BADAUTHVERS |
-1765328181L |
Bad sendauth version was sent |
KRB5_SENDAUTH_BADAPPLVERS |
-1765328180L |
Bad application version was sent by
sendauth |
KRB5_SENDAUTH_BADRESPONSE |
-1765328179L |
Bad response during sendauth exchange |
KRB5_SENDAUTH_REJECTED |
-1765328178L |
Server rejected authentication during sendauth exchange |
|
Messages Returned in Kerberos v5 for Status Code 7
The following table lists the minor status messages that are returned in Kerberos
v5 for status code 7.
Table B-11 Kerberos v5 Status Codes 7
|
|
|
|---|
KRB5_PREAUTH_BAD_TYPE |
-1765328177L |
Unsupported preauthentication type |
KRB5_PREAUTH_NO_KEY |
-1765328176L |
Required preauthentication key not supplied |
KRB5_PREAUTH_FAILED |
-1765328175L |
Generic
preauthentication failure |
KRB5_RCACHE_BADVNO |
-1765328174L |
Unsupported format version number for replay cache |
KRB5_CCACHE_BADVNO |
-1765328173L |
Unsupported credentials cache format version
number |
KRB5_KEYTAB_BADVNO |
-1765328172L |
Unsupported version number for key table format |
KRB5_PROG_ATYPE_NOSUPP |
-1765328171L |
Program lacks support for address type |
KRB5_RC_REQUIRED |
-1765328170L |
Message
replay detection requires rcache parameter |
KRB5_ERR_BAD_HOSTNAME |
-1765328169L |
Host name cannot be canonicalized |
KRB5_ERR_HOST_REALM_UNKNOWN |
-1765328168L |
Cannot determine realm for
host |
KRB5_SNAME_UNSUPP_NAMETYPE |
-1765328167L |
Conversion to service principal is undefined for name type |
KRB5KRB_AP_ERR_V4_REPLY |
-1765328166L |
Initial Ticket response appears
to be Version 4 error |
KRB5_REALM_CANT_RESOLVE |
-1765328165L |
Cannot resolve KDC for requested realm |
KRB5_TKT_NOT_FORWARDABLE |
-1765328164L |
The requesting ticket
cannot get forwardable tickets |
KRB5_FWD_BAD_PRINCIPAL |
-1765328163L |
Bad principal name while trying to forward credentials |
KRB5_GET_IN_TKT_LOOP |
-1765328162L |
Looping detected
inside krb5_get_in_tkt |
KRB5_CONFIG_NODEFREALM |
-1765328161L |
Configuration file /etc/krb5/krb5.conf does not specify default realm |
KRB5_SAM_UNSUPPORTED |
-1765328160L |
Bad SAM flags in obtain_sam_padata |
KRB5_KT_NAME_TOOLONG |
-1765328159L |
Keytab
name too long |
KRB5_KT_KVNONOTFOUND |
-1765328158L |
Key version number for principal in key table is incorrect |
KRB5_CONF_NOT_CONFIGURED |
-1765328157L |
Kerberos
/etc/krb5/krb5.conf configuration file not configured |
ERROR_TABLE_BASE_krb5 |
-1765328384L |
default |
|
