This section provides an alphabetical list (N-Z) of the more common error messages for the SEAM commands, SEAM daemons, PAM framework, and the Kerberos library.
No authentication systems were enabled; all connections will be refused |
This version of rlogind does not support any authentication mechanism.
Make sure that rlogind is invoked with the -k option. In fact, this should be the default specified in the inetd.conf file.
No credentials cache file found |
Kerberos could not find the credentials cache (/tmp/krb5cc_uid).
Make sure the credential file exists and is readable. If it isn't, try performing a kinit again.
Operation requires "privilege" privilege |
The admin principal being used does not have the appropriate privilege configured in the kadm5.acl file.
Use a principal that has the appropriate privileges or configure the principal being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with "/admin" as part of its name has the appropriate privileges.
PAM-KRB5: Kerberos V5 authentication failed: password incorrect |
Your UNIX password and Kerberos password are different. Most non-Kerberized commands, such as login, are set up through PAM to automatically authenticate with Kerberos by using the same password that you specified for your UNIX password. If your passwords are different, the Kerberos authentication fails.
You must enter your Kerberos password when prompted.
Password is in the password dictionary |
The password that you entered is in a password dictionary that is being used. It is not a good choice for a password.
Choose a password that has a mix of password classes.
Permission denied in replay cache code |
The system's replay cache could not be opened. The server may have been first run under a user ID different than your current user ID.
Make sure the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running (/usr/tmp/rc_service_name). Instead of changing the permissions on the current replay cache, you can also remove the replay cache before running the Kerberized server under a different user ID.
Protocol version mismatch |
Most likely a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.
Make sure your applications are using the Kerberos V5 protocol.
Request is a replay |
The request has already been sent to this server and processed. The tickets may have been stolen and someone else is trying to reuse the tickets.
Wait for a few minutes and re-issue the request.
Requested principal and ticket don't match |
The service principal you are connecting to and the service ticket you have do not match.
Make sure DNS is functioning properly. If you are using another vendor's software, make sure it is using principal names correctly.
Requested protocol version not supported |
Most likely a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.
Make sure your applications are using the Kerberos V5 protocol.
Required parameters in krb5.conf missing while initializing kadmin interface |
There is a missing parameter (such as the admin_server parameter) in the krb5.conf file.
Determine what the missing parameter is and add it to krb5.conf.
Server refused to negotiate encryption. Good bye. |
Encryption could not be negotiated with the server.
Start authentication debugging by invoking the telnet command toggle encdebug and look at the debug messages for further clues.
Server rejected authentication (during sendauth exchange) |
The server you are trying to communicate with rejected the authentication. Most often this error occurs when doing Kerberos database propagation. Some common causes may be problems with the kpropd.acl file, DNS, or keytabs.
If you get this error when running applications other than kprop, investigate whether the server's keytab is correct.
The ticket isn't for us OR Ticket/authenticator don't match |
There was a mismatch between the ticket and authenticator. The principal name in the request may not have matched the service principal's name, because the ticket was being sent with an FQDN name of the principal while the service expected non-FQDN or vice versa.
Make sure the service principal you are using is correct.
Ticket expired |
Your ticket times have expired.
Destroy your tickets with kdestroy and create new tickets with kinit.
Ticket is ineligible for postdating |
The principal does not allow its tickets to be postdated.
Modify the principal with kadmin(1M) to allow postdating.
Ticket not yet valid |
The postdated ticket is not valid yet.
Create new tickets with the correct date or wait until the current tickets are valid.
Truncated input file detected |
The database dump file being used in the operation is not a complete dump file.
Create the dump file again or use a different database dump file.
Unable to connect with Kerberos V5 and provide encryption service OR Unable to connect with Kerberos V5, using normal rlogin |
A Kerberized session could not be established with the appropriate service (kshell for rsh and rcp, eklogin or klogin for rlogin) on the server. This may be due to invalid credentials.
Make sure your credentials are valid. Destroy your tickets with kdestroy and create new tickets with kinit.
Make sure the target host has a keytab with the correct version of the service key. Use kadmin(1M) to view the key version number of the service principal (for example, host/FQDN_hostname) in the Kerberos database and use klist -k on the target host to make sure it has the same key version number.
Make sure there are entries for the services (klogin, eklogin, and kshell) in /etc/inetd.conf on the target host.
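The key version number check described above can be scripted. The following is an added example, not part of the original documentation: it compares the kvno in `klist -k` output with the kvno in kadmin `getprinc` output. The sample text, host name and realm are constructed, and the `Key: vno N,` line format is an assumption about what your kadmin prints.

```shell
#!/bin/sh
# Added example: compare the kvno the KDC holds for a service principal with
# the kvno in the target host's keytab. All sample text below is constructed.

# Constructed sample of `klist -k` output from the target host.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/denver.example.com@EXAMPLE.COM
   3 host/denver.example.com@EXAMPLE.COM
   1 nfs/denver.example.com@EXAMPLE.COM'

# Constructed sample of kadmin getprinc output (assumed "Key: vno N," format).
GETPRINC_SAMPLE='Principal: host/denver.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt
Attributes:'

# Highest kvno listed in the keytab (read from stdin) for principal $1.
keytab_kvno() {
    awk -v p="$1" '$2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
                   END { if (max) print max }'
}

# Highest kvno reported by the KDC in getprinc output (read from stdin).
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { v = $3; sub(/,$/, "", v)
                                       if (v + 0 > max) max = v + 0 }
         END { if (max) print max }'
}

# Print a verdict for principal $1 given keytab text $2 and getprinc text $3.
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$kdc" ]; then echo "UNKNOWN: no key lines in getprinc output"
    elif [ -z "$kt" ]; then echo "MISSING: $1 not in keytab"
    elif [ "$kt" -eq "$kdc" ]; then echo "OK: kvno $kt"
    else echo "MISMATCH: keytab kvno $kt, KDC kvno $kdc"
    fi
}

compare_kvno host/denver.example.com@EXAMPLE.COM "$KLIST_SAMPLE" "$GETPRINC_SAMPLE"
```

On a real host, pass the captured output of `klist -k` and of the kadmin `getprinc` command in place of the two sample variables. A MISMATCH verdict means the keytab predates the last key change for that principal.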
Unable to securely authenticate user ... exit |
Authentication could not be negotiated with the server.
Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.
Wrong principal in request |
There was an invalid principal name in the ticket. It may be a DNS or FQDN problem.
Make sure the principal of the service matches the principal in the ticket.
You are using an old Kerberos5 client without checksum support; only newer clients are authorized. |
Authentication with checksum was not negotiated with the client. The client may be using an old version of the Kerberos V5 protocol that does not provide initial connection support.
Make sure the client is using a version of the Kerberos V5 protocol that provides initial connection support.