System Administration Guide: Security Services

Common Kerberos Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of common error messages for the Kerberos commands, Kerberos daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.


No credentials cache file found

Cause:

Kerberos could not find the credentials cache (/tmp/krb5cc_uid).

Solution:

Make sure that the credential file exists and is readable. If it isn't, try performing kinit again.


No credentials were supplied, or the credentials were unavailable or inaccessible
No credential cache found

Cause:

The user's credential cache is incorrect or does not exist.

Solution:

The user should run kinit before trying to start the service.


No credentials were supplied, or the credentials were unavailable or inaccessible
No principal in keytab matches desired name

Cause:

An error occurred while trying to authenticate the server.

Solution:

Make sure that the host or service principal is in the server's keytab file.


Operation requires “privilege” privilege

Cause:

The admin principal that was being used does not have the appropriate privilege configured in the kadm5.acl file.

Solution:

Use a principal that has the appropriate privileges. Or, configure the principal that was being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with /admin as part of its name has the appropriate privileges.
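The following POSIX shell script is an added example, not code from this guide: it models the kadm5.acl lookup that lies behind this error, so that you can see why a principal with /admin in its name is normally granted everything while a narrowly scoped entry is not. It assumes a simplified form of the kadm5.acl syntax (principal pattern, privilege letters, optional target), treats "*" in the pattern as a wildcard, uses the first matching line, and ignores target-principal restrictions and uppercase deny letters. The sample ACL it writes is constructed for the example; the function names are mine.

```sh
#!/bin/sh
# Added example, not part of this guide: a simplified model of the kadm5.acl
# lookup behind "Operation requires 'privilege' privilege".
# Assumptions: lines are "principal-pattern  privileges  [target ...]",
# "*" in the pattern is a wildcard, the first matching line wins, and
# target-principal restrictions and uppercase (deny) letters are ignored.

# Write a constructed sample kadm5.acl to a temp file and print its path.
make_sample_acl() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample kadm5.acl (not a real site file)
*/admin@EXAMPLE.COM    *
helpdesk@EXAMPLE.COM   ci
bob@EXAMPLE.COM        l
EOF
    printf '%s\n' "$f"
}

# kadm5_has_priv PRINCIPAL PRIV ACLFILE
# PRIV is one lowercase privilege letter (a, d, m, c, i, l, p).
# Returns 0 if the first matching line grants it, 1 if that line lacks it,
# 2 if no line matches the principal.
kadm5_has_priv() {
    princ=$1; priv=$2; acl=$3
    while read -r pat privs _rest; do
        case "$pat" in ''|\#*) continue ;; esac      # blank line or comment
        # an unquoted $pat in a case label is matched as a shell glob,
        # which gives the same effect as the ACL's * wildcard
        case "$princ" in
        $pat)
            case "$privs" in
            \*|*x*|*"$priv"*) return 0 ;;           # "*" and "x" mean all
            *)                return 1 ;;
            esac
            ;;
        esac
    done < "$acl"
    return 2
}

# Demonstration: which of these principals may delete ("d") a principal?
ACL=$(make_sample_acl)
for p in jane/admin@EXAMPLE.COM helpdesk@EXAMPLE.COM nobody@EXAMPLE.COM; do
    kadm5_has_priv "$p" d "$ACL" && rc=0 || rc=$?
    case $rc in
    0) echo "$p: granted" ;;
    1) echo "$p: matched an ACL line but lacks 'd' (kadmin would report Operation requires \"delete\" privilege)" ;;
    *) echo "$p: no matching ACL line" ;;
    esac
done
rm -f "$ACL"
```

Run it as is to see the three outcomes; to test a real file, call kadm5_has_priv with the admin principal you are about to use, the letter for the operation, and /etc/krb5/kadm5.acl. Because the first matching line decides, the order of entries matters when a broad wildcard entry precedes a narrower one.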


PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Cause:

The remote application tried to read the host's service principal in the local /etc/krb5/krb5.keytab file, but one does not exist.

Solution:

Add the host's service principal to the host's keytab file.


Password is in the password dictionary

Cause:

The password that you specified appears in the password dictionary that is in use, so it is not a good choice for a password.

Solution:

Choose a password that has a mix of password classes.


Permission denied in replay cache code

Cause:

The system's replay cache could not be opened. Your server might have been first run under a user ID different from your current user ID.

Solution:

Make sure that the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running. The replay cache file is called /var/krb5/rcache/rc_service_name_uid for non-root users. For root users the replay cache file is called /var/krb5/rcache/root/rc_service_name.
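The following POSIX shell script is an added example, not code from this guide. It builds the cache paths named in the entries above (the credentials cache /tmp/krb5cc_uid under "No credentials cache file found", and the replay cache paths under this entry) and checks each for the conditions those entries describe: missing, unreadable, or created by a different user ID and therefore not writable. The function names are mine; the uid and service name are whatever you pass in.

```sh
#!/bin/sh
# Added example, not part of this guide: locate and check the two cache files
# behind "No credentials cache file found" and "Permission denied in replay
# cache code", using the default paths this guide names
# (/tmp/krb5cc_uid and /var/krb5/rcache/...). Function names are mine.

# Default credentials cache for a numeric uid.
krb5_ccache_path() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# Replay cache for SERVICE run as UID: root uses a separate directory and
# no uid suffix, as described in this section.
krb5_rcache_path() {
    if [ "$2" -eq 0 ]; then
        printf '/var/krb5/rcache/root/rc_%s\n' "$1"
    else
        printf '/var/krb5/rcache/rc_%s_%s\n' "$1" "$2"
    fi
}

# check_cache_file PATH: returns 0 ok, 1 missing, 2 unreadable, 3 not writable,
# and prints a one-line diagnosis with the matching remedy from this guide.
check_cache_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: missing (run kinit, or start the service as the right user)"
        return 1
    elif [ ! -r "$f" ]; then
        echo "$f: not readable by uid $(id -u) (check owner and mode)"
        return 2
    elif [ ! -w "$f" ]; then
        echo "$f: not writable by uid $(id -u); was it first created by a different uid?"
        return 3
    fi
    echo "$f: ok"
    return 0
}

# diagnose_caches SERVICE UID: check both caches, return the number of problems.
diagnose_caches() {
    n=0
    check_cache_file "$(krb5_ccache_path "$2")" || n=$((n + 1))
    check_cache_file "$(krb5_rcache_path "$1" "$2")" || n=$((n + 1))
    return "$n"
}

# Stand-alone run: check the caller's own caches for the "host" service.
diagnose_caches host "$(id -u)" && echo "both caches look fine" || echo "problems found: $?"
```

Run it as the user the Kerberized server runs as, since readability and writability are evaluated for the calling uid; a "not writable" result on the replay cache is the symptom the cause above describes.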


Protocol version mismatch

Cause:

Most likely, a Kerberos V4 request was sent to the KDC. The Kerberos service supports only the Kerberos V5 protocol.

Solution:

Make sure that your applications are using the Kerberos V5 protocol.


Request is a replay

Cause:

The request has already been sent to this server and processed. The tickets might have been stolen, and someone else is trying to reuse the tickets.

Solution:

Wait for a few minutes, and reissue the request.


Requested principal and ticket don't match

Cause:

The service principal that you are connecting to and the service ticket that you have do not match.

Solution:

Make sure that DNS is functioning properly. If you are using another vendor's software, make sure that the software is using principal names correctly.


Requested protocol version not supported

Cause:

Most likely, a Kerberos V4 request was sent to the KDC. The Kerberos service supports only the Kerberos V5 protocol.

Solution:

Make sure that your applications are using the Kerberos V5 protocol.


Server refused to negotiate authentication, which is required for encryption. Good bye.

Cause:

The remote application is not capable of accepting Kerberos authentication from the client, or it has been configured not to accept it.

Solution:

Provide a remote application that can negotiate authentication, or configure the application to use the appropriate flags to turn on authentication.


Server refused to negotiate encryption. Good bye.

Cause:

Encryption could not be negotiated with the server.

Solution:

Start encryption debugging by invoking the telnet command with the toggle encdebug command and look at the debug messages for further clues.


Server rejected authentication (during sendauth exchange)

Cause:

The server that you are trying to communicate with rejected the authentication. Most often, this error occurs during Kerberos database propagation. Some common causes might be problems with the kpropd.acl file, DNS, or the keytab file.

Solution:

If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.


The ticket isn't for us
Ticket/authenticator don't match

Cause:

There was a mismatch between the ticket and the authenticator. The principal name in the request might not have matched the service principal's name, either because the ticket was sent with an FQDN form of the principal name while the service expected a non-FQDN name, or because a non-FQDN name was sent when the service expected an FQDN name.

Solution:

If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.


Ticket expired

Cause:

Your tickets' lifetime has expired.

Solution:

Destroy your tickets with kdestroy, and create new tickets with kinit.


Ticket is ineligible for postdating

Cause:

The principal does not allow its tickets to be postdated.

Solution:

Modify the principal with kadmin to allow postdating.


Ticket not yet valid

Cause:

The postdated ticket is not valid yet.

Solution:

Create a new ticket with the correct date, or wait until the current ticket is valid.


Truncated input file detected

Cause:

The database dump file that was being used in the operation is not a complete dump file.

Solution:

Create the dump file again, or use a different database dump file.


Unable to securely authenticate user ... exit

Cause:

Authentication could not be negotiated with the server.

Solution:

Start authentication debugging by invoking the telnet command with the toggle authdebug command and look at the debug messages for further clues. Also, make sure that you have valid credentials.


Wrong principal in request

Cause:

There was an invalid principal name in the ticket. This error might indicate a DNS or FQDN problem.

Solution:

Make sure that the principal of the service matches the principal in the ticket.