test

Sun Enterprise Authentication Mechanism Guide

SEAM Error Messages

This section provides information about SEAM error messages, including why each error occurred and a way to fix it.

SEAM Administration Tool Error Messages

Error Message

Unable to view the list of principals or policies; use the Name field.
Reason Occurred

The admin principal that you logged on with does not have the list privilege (l) in the Kerberos ACL file (kadm5.acl), so you cannot view the principal or policy lists.

Solution

You must enter the principal and policy names in the Name field to work on them, or log on with a principal that has the appropriate privileges.

Error Message

JNI: Java array creation failed 
JNI: Java class lookup failed 
JNI: Java field lookup failed 
JNI: Java method lookup failed 
JNI: Java object lookup failed 
JNI: Java object field lookup failed 
JNI: Java string access failed 
JNI: Java string creation failed
Reason Occurred

There is a serious problem with the Java Native Interface used by the SEAM Administration Tool (gkadmin).

Solution

Exit gkadmin and restart it; if the problem persists, please report a bug.

Common SEAM Error Messages (A-M)

This section provides an alphabetical list (A-M) of the more common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, and the Kerberos library.

Error Message

major_error minor_error gssapi error importing name
Reason Occurred

An error occurred while importing a service name.

Solution

Make sure the host or ftp service principal is in the host's keytab file.

Error Message

All authentication systems disabled; connection refused
Reason Occurred

This version of rlogind does not support any authentication mechanism.

Solution

Make sure that rlogind is invoked with the -k option. In fact, this should be the default specified in the inetd.conf file.

Error Message

Another authentication mechanism must be used to access this host
Reason Occurred

Authentication could not be done.

Solution

Make sure the client is using Kerberos V5 for authentication.

Error Message

Authentication negotiation has failed, which is required for encryption. Good bye.
Reason Occurred

Authentication could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.

Error Message

Bad krb5 admin server hostname while initializing kadmin interface
Reason Occurred

An invalid host name is configured for the admin server (master KDC) in the krb5.conf file.

Solution

Make sure the correct host name is specified in the krb5.conf file for the admin server (master KDC).

Error Message

Cannot contact any KDC for requested realm
Reason Occurred

No KDC responded in the requested realm.

Solution

Make sure at least one KDC (either the master or slave) is reachable or that the krb5kdc daemon is running on the KDCs. Look in /etc/krb5/krb5.conf for the list of configured KDCs (kdc = kdc_name).

Error Message

Cannot determine realm for host
Reason Occurred

Kerberos cannot determine the realm name for the host.

Solution

Make sure there is a default realm name or the domain name mappings are set up in the Kerberos configuration file (krb5.conf) .

Error Message

Cannot encrypt-write network
Reason Occurred

Problem occurred in encrypting data.

Solution

Check for other possible problems in the system. Examine other syslog messages for further clues.

Error Message

Cannot find KDC for requested realm
Reason Occurred

No KDC was found in the requested realm.

Solution

Make sure the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

Error Message

cannot initialize realm realm_name
Reason Occurred

The KDC may not have a stash file.

Solution

Make sure the KDC has a stash file. If not, create one using the kdb5_util(1M) command and try running krb5kdc again (/etc/init.d/kdc).

Error Message

Cannot resolve KDC for requested realm
Reason Occurred

Kerberos cannot determine any KDC for the realm.

Solution

Make sure the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

Error Message

Cannot reuse password
Reason Occurred

The password you entered has been used before by this principal.

Solution

Choose a password that has not been chosen before, at least not within the number of passwords kept in the KDC database for each principal (this is enforced by the principal's policy).

Error Message

Can't get forwarded credentials
Reason Occurred

Credential forwarding could not be established.

Solution

Make sure the principal has forwardable credentials.

Error Message

Can't open/find Kerberos configuration file
Reason Occurred

The Kerberos configuration file (krb5.conf) was not available.

Solution

Make sure the krb5.conf file is available in the correct location and has the correct permissions (it should be writable by root and readable by everyone else).

Error Message

Client did not supply required checksum--connection rejected
Reason Occurred

Authentication with checksum was not negotiated with the client. The client may be using an old Kerberos V5 protocol that does not support initial connection support.

Solution

Make sure the client is using a Kerberos V5 protocol that supports initial connection support.

Error Message

Client/server realm mismatch in initial ticket request
Reason Occurred

A realm mismatch between the client and server occured in the initial ticket request.

Solution

Make sure the server you are communicating with is in the same realm as the client or that the realm configurations are correct.

Error Message

Client or server has a null key
Reason Occurred

The principal has a null key.

Solution

Modify the principal to have a non-null key by using the cpw command of kadmin(1M).

Error Message

Communication failure with server while initializing kadmin interface
Reason Occurred

The host entered for the admin server (master KDC) did not have kadmind running.

Solution

Make sure you specified the correct host name for the master KDC. If you specified the correct host name, make sure that kadmind is running on the master KDC you specified.

Error Message

Configuration error: Requiring checksums with -c is inconsistent
with allowing Kerberos V4 connections
Reason Occurred

Authentication with checksum was not negotiated with the client. The client might be using an old Kerberos V5 protocol that does not support initial connection support.

Solution

Make sure the client is using a Kerberos V5 protocol that supports initial connection support.

Error Message

Credentials cache file permissions incorrect
Reason Occurred

You do not have the appropriate read or write permissions on the credentials cache (/tmp/krb5cc_uid).

Solution

Make sure you have read and write permissions on the credentials cache.

Error Message

Credentials cache I/O operation failed XXX
Reason Occurred

Kerberos had a problem writing to the system's credentials cache (/tmp/krb5cc_uid).

Solution

Make sure the credentials cache has not been removed and there is space left on the device by using the df command.

Error Message

Decrypt integrity check failed
Reason Occurred

You might have an invalid ticket.

Solution

  1. Make sure your credentials are valid. Destroy your tickets with kdestroy and create new tickets with kinit.

  2. Make sure the target host has a keytab with the correct version of the service key. Use kadmin(1M) to view the key version number of the service principal (for example, host/FQDN_hostname) in the Kerberos database and use klist -k on the target host to make sure it has the same key version number.

Error Message

des_read retry count exceeded
Reason Occurred

An error repeatedly occurred while reading data.

Solution

Check for other possible problems in the system. Examine other syslog messages for further clues.

Error Message

df: cannot statvfs filesystem: Invalid argument
Reason Occurred

The df command cannot access the Kerberized NFS file system, which is currently mounted, to generate its report, because you no longer have the appropriate root credentials. Destroying your credentials for a mounted Kerberized file system does not automatically unmount the file system.

Solution

You must create new root credentials to access the Kerberized file system. If you no longer require access to the Kerberized file system, unmount the file system.

Error Message

Encryption could not be enabled. Goodbye.
Reason Occurred

Encryption could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle encdebug and look at the debug messages for further clues.

Error Message

Encryption was not successfully negotiated. Goodbye.
Reason Occurred

Encryption could not be negotiated.

Solution

Check for error messages in the KDC logging file.

Error Message

End of credential cache reached
Reason Occurred

An error occurred while reading the credentials cache (/tmp/krb5cc_uid).

Solution

Make sure the credentials cache is readable and contains data.

Error Message

failed to obtain credentials cache
Reason Occurred

During kadmin initialization, a failure occurred when kadmin tried to obtain credentials for the admin principal.

Solution

Make sure you used the correct principal and/or password when executing kadmin.

Error Message

Field is too long for this implementation
Reason Occurred

The message size being sent by a Kerberized application was too long. The maximum message size that can be handled by Kerberos is 65535 bytes. In addition, there are limits on individual fields within a protocol message sent by Kerberos.

Solution

Make sure that your Kerberized applications are sending valid message sizes.

Error Message

GSS-API (or Kerberos) error
Reason Occurred

This is a generic GSS-API or Kerberos error message and can be caused by several different problems.

Solution

Look at the /etc/krb5/kdc.log file to find the more specific GSS-API error message that was logged when this error occurred.

Error Message

Hostname cannot be canonicalized
Reason Occurred

Kerberos cannot make the host name fully qualified.

Solution

Make sure the host name is in DNS and the host-name-to-address and address-to-host-name mappings are consistent.

Error Message

Illegal cross-realm ticket
Reason Occurred

The ticket sent did not have the correct cross-realms. The realms may not have the correct trust relationships set up.

Solution

Make sure the realms you are using have the correct trust relationships.

Error Message

Improper format of Kerberos configuration file
Reason Occurred

The Kerberos configuration file (krb5.conf) has invalid entries.

Solution

Make sure all the relations in the krb5.conf file are followed by the "=" sign and a value, and verify that the brackets are present in pairs for each subsection.

Error Message

Inappropriate type of checksum in message
Reason Occurred

The message contained an invalid checksum type.

Solution

Check which valid checksum types are specified in the krb5.conf and kdc.conf files.

Error Message

Incorrect net address
Reason Occurred

There was a mismatch in the network address. The network address in the ticket being forwarded was different from the network address where the ticket was processed. This may occur when forwarding tickets.

Solution

Make sure the network addresses are correct; destroy your tickets with kdestroy, and create new tickets with kinit.

Error Message

Invalid flag for file lock mode
Reason Occurred

An internal Kerberos error occurred.

Solution

Please report a bug.

Error Message

Invalid message type specified for encoding
Reason Occurred

Kerberos could not recognize the message type sent by the Kerberized application.

Solution

If you are using a Kerberized application developed by your site or a vendor, make sure it is using Kerberos correctly.

Error Message

Invalid number of character classes
Reason Occurred

The password you entered for the principal does not contain enough password classes, as enforced by the principal's policy.

Solution

Make sure you enter a password with the minimum number of password classes that the policy requires.

Error Message

KADM err: Memory allocation failure
Reason Occurred

There is not enough memory to run kadmin.

Solution

Free up memory and try running kadmin again.

Error Message

KDC can't fulfill requested option
Reason Occurred

The KDC did not allow the requested option. A possible problem may be that postdating or forwardable options were being requested and the KDC did not allow it. Another problem may be that you requested the renewal of a TGT but you didn't have a renewable TGT.

Solution

Determine if you are requesting an option that either the KDC does not allow or if you are requesting something you don't have.

Error Message

KDC policy rejects request
Reason Occurred

The KDC policy did not allow the request. For example, the request to the KDC did not have an IP address in its request, or forwarding was requested but the KDC did not allow it.

Solution

Make sure you are using kinit with the correct options. If necessary, modify the policy associated with the principal or change the principal's attributes to allow the request. You can modify the policy or principal by using kadmin(1M).

Error Message

KDC reply did not match expectations
Reason Occurred

The KDC reply did not contain the expected principal name, or other values in the response were incorrect.

Solution

Make sure the KDC you are communicating with complies with RFC1510, the request you are sending is a Kerberos V5 request, or that the KDC is available.

Error Message

Kerberos V5 refuses authentication
Reason Occurred

Authentication could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.

Error Message

Key table entry not found
Reason Occurred

There is no entry for the service principal in the network application server's keytab.

Solution

Add the appropriate service principal to the server's keytab so it can provide the Kerberized service.

Error Message

Key version number for principal in key table is incorrect
Reason Occurred

A principal's key version is different in the keytab and in the Kerberos database. Either a service's key has been changed or you may be using an old service ticket.

Solution

If a service's key has been changed (for example, by using kadmin) , you need to extract the new key and store it in the host's keytab where the service is running.

Alternately, you may be using an old service ticket that has an older key. You may want to do a kdestroy and then a kinit again.

Error Message

login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1
Reason Occurred

Either the Kerberos PAM module is missing or it is not a valid executable binary.

Solution

Make sure the Kerberos PAM module is in /usr/lib/security and it is a valid executable binary. Also, make sure /etc/pam.conf contains the correct path to pam_krb5.so.1.

Error Message

Looping detected inside krb5_get_in_tkt
Reason Occurred

Kerberos made several attempts to get the initial tickets but failed.

Solution

Make sure at least one KDC is responding to authentication requests.

Error Message

Master key does not match database
Reason Occurred

The loaded database dump was not created from a database containing the master key, which is located in /var/krb5/.k5.REALM.

Solution

Make sure the master key in the loaded database dump matches the master key located in /var/krb5/.k5.REALM.

Error Message

Matching credential not found
Reason Occurred

The matching credential for request was not found. Your request requires credentials that are not available in the credentials cache.

Solution

Destroy your tickets with kdestroy and create new tickets with kinit.

Error Message

Message out of order
Reason Occurred

Messages sent using sequential-order privacy arrived out of order. Some messages may have been lost in transit.

Solution

You should re-initialize the Kerberos session.

Error Message

Message stream modified
Reason Occurred

There was a mismatch between the computed checksum and message checksum. The message may have been modified while in transit, which may indicate a security leak.

Solution

Make sure that the messages are being sent across the network correctly. Since this message may also indicate possible tampering of messages while they are being sent, destroy your tickets using kdestroy and reinitialize the Kerberos services you are using.

Common SEAM Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of the more common error messages for the SEAM commands, SEAM daemons, PAM framework, and the Kerberos library.

Error Message

No authentication systems were enabled; all connections will be refused
Reason Occurred

This version of rlogind does not support any authentication mechanism.

Solution

Make sure that rlogind is invoked with the -k option. In fact, this should be the default specified in the inetd.conf file.

Error Message

No credentials cache file found
Reason Occurred

Kerberos could not find the credentials cache (/tmp/krb5cc_uid).

Solution

Make sure the credential file exists and is readable. If it isn't, try performing a kinit again.

Error Message

Operation requires "privilege" privilege
Reason Occurred

The admin principal being used does not have the appropriate privilege configured in the kadm5.acl file.

Solution

Use a principal that has the appropriate privileges or configure the principal being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with "/admin" as part of its name has the appropriate privileges.

Error Message

PAM-KRB5: Kerberos V5  authentication failed: password incorrect
Reason Occurred

Your UNIX password and Kerberos passwords are different. Most non-Kerberized commands, such as login, are set up through PAM to automatically authenticate with Kerberos by using the same password that you specified for your UNIX password. If your passwords are different, the Kerberos authentication fails.

Solution

You must enter your Kerberos password when prompted.

Error Message

Password is in the password dictionary
Reason Occurred

The password that you entered is in a password dictionary that is being used. It is not a good choice for a password.

Solution

Choose a password that has a mix of password classes.

Error Message

Permission denied in replay cache code
Reason Occurred

The system's replay cache could not be opened. The server may have been first run under a user ID different than your current user ID.

Solution

Make sure the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running (/usr/tmp/rc_service_name). Instead of changing the permissions on the current replay cache, you can also remove the replay cache before running the Kerberized server under a different user ID.

Error Message

Protocol version mismatch
Reason Occurred

Most likely a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution

Make sure your applications are using the Kerberos V5 protocol.

Error Message

Request is a replay
Reason Occurred

The request has already been sent to this server and processed. The tickets may have been stolen and someone else is trying to reuse the tickets.

Solution

Wait for a few minutes and re-issue the request.

Error Message

Requested principal and ticket don't match
Reason Occurred

The service principal you are connecting to and the service ticket you have do not match.

Solution

Make sure DNS is functioning properly. If you are using another vendor's software, make sure it is using principal names correctly.

Error Message

Requested protocol version not supported
Reason Occurred

Most likely a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution

Make sure your applications are using the Kerberos V5 protocol.

Error Message

Required parameters in krb5.conf missing while initializing kadmin interface
Reason Occurred

There is a missing parameter (such as the admin_server parameter) in the kr5.conf file.

Solution

Determine what the missing parameter is and add it to krb5.conf.

Error Message

Server refused to negotiate encryption. Good bye.
Reason Occurred

Encryption could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle encdebug and look at the debug messages for further clues.

Error Message

Server rejected authentication (during sendauth exchange)
Reason Occurred

The server you are trying to communicate with rejected the authentication. Most often this error occurs when doing Kerberos database propagation. Some common causes may be problems with the kpropd.acl file, DNS, or keytabs.

Solution

If you get this error when running applications other than kprop, investigate whether the server's keytab is correct.

Error Message

The ticket isn't for us
OR

Ticket/authenticator don't match
Reason Occurred

There was a mismatch between the ticket and authenticator. The principal name in the request may not have matched the service principal's name, because the ticket was being sent with an FQDN name of the principal while the service expected non-FQDN or vice versa.

Solution

Make sure the service principal you are using is correct.

Error Message

Ticket expired
Reason Occurred

Your ticket times have expired.

Solution

Destroy your tickets with kdestroy and create new tickets with kinit.

Error Message

Ticket is ineligible for postdating
Reason Occurred

The principal does not allow its tickets to be postdated.

Solution

Modify the principal with kadmin(1M) to allow postdating.

Error Message

Ticket not yet valid
Reason Occurred

The postdated ticket is not valid yet.

Solution

Create new tickets with the correct date or wait until the current tickets are valid.

Error Message

Truncated input file detected
Reason Occurred

The database dump file being used in the operation is not a complete dump file.

Solution

Create the dump file again or use a different database dump file.

Error Message

Unable to connect with Kerberos V5 and provide encryption service
 
OR
 
Unable to connect with Kerberos V5, using normal rlogin
Reason Occurred

A Kerberized session could not be established with the appropriate service (kshell for rsh and rcp, eklogin or klogin for rlogin) on the server. This may be due to invalid credentials.

Solution

  1. Make sure your credentials are valid. Destroy your tickets with kdestroy and create new tickets with kinit.

  2. Make sure the target host has a keytab with the correct version of the service key. Use kadmin(1M) to view the key version number of the service principal (for example, host/FQDN_hostname) in the Kerberos database and use klist -k on the target host to make sure it has the same key version number.

  3. Make sure there are entries for the services (klogin, eklogin, and kshell) in /etc/inetd.conf on the target host.

Error Message

Unable to securely authenticate user ... exit
Reason Occurred

Authentication could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.

Error Message

Wrong principal in request
Reason Occurred

There was an invalid principal name in the ticket. It may be a DNS or FQDN problem.

Solution

Make sure the principal of the service matches the principal in the ticket.

Error Message

You are using an old Kerberos5 client without checksum support; 
only newer clients are authorized.
Reason Occurred

Authentication with checksum was not negotiated with the client. The client may be using an old Kerberos V5 protocol that does not support initial connection support.

Solution

Make sure the client is using a Kerberos V5 protocol that supports initial connection support.