Common SEAM Error Messages (A-M)

This section provides an alphabetical list (A-M) of the more common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, and the Kerberos library.

Error Message

major_error minor_error gssapi error importing name

Reason Occurred

An error occurred while importing a service name.

Solution

Make sure the host or ftp service principal is in the host's keytab file.

Error Message

All authentication systems disabled; connection refused

Reason Occurred

This version of rlogind does not support any authentication mechanism.

Solution

Make sure that rlogind is invoked with the -k option. In fact, this should be the default specified in the inetd.conf file.

Error Message

Another authentication mechanism must be used to access this host

Reason Occurred

Authentication could not be done.

Solution

Make sure the client is using Kerberos V5 for authentication.

Error Message

Authentication negotiation has failed, which is required for encryption. Good bye.

Reason Occurred

Authentication could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.

Error Message

Bad krb5 admin server hostname while initializing kadmin interface

Reason Occurred

An invalid host name is configured for the admin server (master KDC) in the krb5.conf file.

Solution

Make sure the correct host name is specified in the krb5.conf file for the admin server (master KDC).

Error Message

Cannot contact any KDC for requested realm

Reason Occurred

No KDC responded in the requested realm.

Solution

Make sure at least one KDC (either the master or slave) is reachable or that the krb5kdc daemon is running on the KDCs. Look in /etc/krb5/krb5.conf for the list of configured KDCs (kdc = kdc_name).

Error Message

Cannot determine realm for host

Reason Occurred

Kerberos cannot determine the realm name for the host.

Solution

Make sure there is a default realm name or the domain name mappings are set up in the Kerberos configuration file (krb5.conf) .

Error Message

Cannot encrypt-write network

Reason Occurred

Problem occurred in encrypting data.

Solution

Check for other possible problems in the system. Examine other syslog messages for further clues.

Error Message

Cannot find KDC for requested realm

Reason Occurred

No KDC was found in the requested realm.

Solution

Make sure the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

Error Message

cannot initialize realm realm_name

Reason Occurred

The KDC may not have a stash file.

Solution

Make sure the KDC has a stash file. If not, create one using the kdb5_util(1M) command and try running krb5kdc again (/etc/init.d/kdc).

Error Message

Cannot resolve KDC for requested realm

Reason Occurred

Kerberos cannot determine any KDC for the realm.

Solution

Make sure the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

Error Message

Cannot reuse password

Reason Occurred

The password you entered has been used before by this principal.

Solution

Choose a password that has not been chosen before, at least not within the number of passwords kept in the KDC database for each principal (this is enforced by the principal's policy).

Error Message

Can't get forwarded credentials

Reason Occurred

Credential forwarding could not be established.

Solution

Make sure the principal has forwardable credentials.

Error Message

Can't open/find Kerberos configuration file

Reason Occurred

The Kerberos configuration file (krb5.conf) was not available.

Solution

Make sure the krb5.conf file is available in the correct location and has the correct permissions (it should be writable by root and readable by everyone else).

Error Message

Client did not supply required checksum--connection rejected

Reason Occurred

Authentication with checksum was not negotiated with the client. The client may be using an old Kerberos V5 protocol that does not support initial connection support.

Solution

Make sure the client is using a Kerberos V5 protocol that supports initial connection support.

Error Message

Client/server realm mismatch in initial ticket request

Reason Occurred

A realm mismatch between the client and server occured in the initial ticket request.

Solution

Make sure the server you are communicating with is in the same realm as the client or that the realm configurations are correct.

Error Message

Client or server has a null key

Reason Occurred

The principal has a null key.

Solution

Modify the principal to have a non-null key by using the cpw command of kadmin(1M).

Error Message

Communication failure with server while initializing kadmin interface

Reason Occurred

The host entered for the admin server (master KDC) did not have kadmind running.

Solution

Make sure you specified the correct host name for the master KDC. If you specified the correct host name, make sure that kadmind is running on the master KDC you specified.

Error Message

Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections

Reason Occurred

Authentication with checksum was not negotiated with the client. The client might be using an old Kerberos V5 protocol that does not support initial connection support.

Solution

Make sure the client is using a Kerberos V5 protocol that supports initial connection support.

Error Message

Credentials cache file permissions incorrect

Reason Occurred

You do not have the appropriate read or write permissions on the credentials cache (/tmp/krb5cc_uid).

Solution

Make sure you have read and write permissions on the credentials cache.

Error Message

Credentials cache I/O operation failed XXX

Reason Occurred

Kerberos had a problem writing to the system's credentials cache (/tmp/krb5cc_uid).

Solution

Make sure the credentials cache has not been removed and there is space left on the device by using the df command.

Error Message

Decrypt integrity check failed

Reason Occurred

You might have an invalid ticket.

Solution

1. Make sure your credentials are valid. Destroy your tickets with kdestroy and create new tickets with kinit.

2. Make sure the target host has a keytab with the correct version of the service key. Use kadmin(1M) to view the key version number of the service principal (for example, host/FQDN_hostname) in the Kerberos database and use klist -k on the target host to make sure it has the same key version number.

Error Message

des_read retry count exceeded

Reason Occurred

An error repeatedly occurred while reading data.

Solution

Check for other possible problems in the system. Examine other syslog messages for further clues.

Error Message

df: cannot statvfs filesystem: Invalid argument

Reason Occurred

The df command cannot access the Kerberized NFS file system, which is currently mounted, to generate its report, because you no longer have the appropriate root credentials. Destroying your credentials for a mounted Kerberized file system does not automatically unmount the file system.

Solution

You must create new root credentials to access the Kerberized file system. If you no longer require access to the Kerberized file system, unmount the file system.

Error Message

Encryption could not be enabled. Goodbye.

Reason Occurred

Encryption could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle encdebug and look at the debug messages for further clues.

Error Message

Encryption was not successfully negotiated. Goodbye.

Reason Occurred

Encryption could not be negotiated.

Solution

Check for error messages in the KDC logging file.

Error Message

End of credential cache reached

Reason Occurred

An error occurred while reading the credentials cache (/tmp/krb5cc_uid).

Solution

Make sure the credentials cache is readable and contains data.

Error Message

failed to obtain credentials cache

Reason Occurred

During kadmin initialization, a failure occurred when kadmin tried to obtain credentials for the admin principal.

Solution

Make sure you used the correct principal and/or password when executing kadmin.

Error Message

Field is too long for this implementation

Reason Occurred

The message size being sent by a Kerberized application was too long. The maximum message size that can be handled by Kerberos is 65535 bytes. In addition, there are limits on individual fields within a protocol message sent by Kerberos.

Solution

Make sure that your Kerberized applications are sending valid message sizes.

Error Message

GSS-API (or Kerberos) error

Reason Occurred

This is a generic GSS-API or Kerberos error message and can be caused by several different problems.

Solution

Look at the /etc/krb5/kdc.log file to find the more specific GSS-API error message that was logged when this error occurred.

Error Message

Hostname cannot be canonicalized

Reason Occurred

Kerberos cannot make the host name fully qualified.

Solution

Make sure the host name is in DNS and the host-name-to-address and address-to-host-name mappings are consistent.

Error Message

Illegal cross-realm ticket

Reason Occurred

The ticket sent did not have the correct cross-realms. The realms may not have the correct trust relationships set up.

Solution

Make sure the realms you are using have the correct trust relationships.

Error Message

Improper format of Kerberos configuration file

Reason Occurred

The Kerberos configuration file (krb5.conf) has invalid entries.

Solution

Make sure all the relations in the krb5.conf file are followed by the "=" sign and a value, and verify that the brackets are present in pairs for each subsection.

Error Message

Inappropriate type of checksum in message

Reason Occurred

The message contained an invalid checksum type.

Solution

Check which valid checksum types are specified in the krb5.conf and kdc.conf files.

Error Message

Incorrect net address

Reason Occurred

There was a mismatch in the network address. The network address in the ticket being forwarded was different from the network address where the ticket was processed. This may occur when forwarding tickets.

Solution

Make sure the network addresses are correct; destroy your tickets with kdestroy, and create new tickets with kinit.

Error Message

Invalid flag for file lock mode

Reason Occurred

An internal Kerberos error occurred.

Solution

Please report a bug.

Error Message

Invalid message type specified for encoding

Reason Occurred

Kerberos could not recognize the message type sent by the Kerberized application.

Solution

If you are using a Kerberized application developed by your site or a vendor, make sure it is using Kerberos correctly.

Error Message

Invalid number of character classes

Reason Occurred

The password you entered for the principal does not contain enough password classes, as enforced by the principal's policy.

Solution

Make sure you enter a password with the minimum number of password classes that the policy requires.

Error Message

KADM err: Memory allocation failure

Reason Occurred

There is not enough memory to run kadmin.

Solution

Free up memory and try running kadmin again.

Error Message

KDC can't fulfill requested option

Reason Occurred

The KDC did not allow the requested option. A possible problem may be that postdating or forwardable options were being requested and the KDC did not allow it. Another problem may be that you requested the renewal of a TGT but you didn't have a renewable TGT.

Solution

Determine if you are requesting an option that either the KDC does not allow or if you are requesting something you don't have.

Error Message

KDC policy rejects request

Reason Occurred

The KDC policy did not allow the request. For example, the request to the KDC did not have an IP address in its request, or forwarding was requested but the KDC did not allow it.

Solution

Make sure you are using kinit with the correct options. If necessary, modify the policy associated with the principal or change the principal's attributes to allow the request. You can modify the policy or principal by using kadmin(1M).

Error Message

KDC reply did not match expectations

Reason Occurred

The KDC reply did not contain the expected principal name, or other values in the response were incorrect.

Solution

Make sure the KDC you are communicating with complies with RFC1510, the request you are sending is a Kerberos V5 request, or that the KDC is available.

Error Message

Kerberos V5 refuses authentication

Reason Occurred

Authentication could not be negotiated with the server.

Solution

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.

Error Message

Key table entry not found

Reason Occurred

There is no entry for the service principal in the network application server's keytab.

Solution

Add the appropriate service principal to the server's keytab so it can provide the Kerberized service.

Error Message

Key version number for principal in key table is incorrect

Reason Occurred

A principal's key version is different in the keytab and in the Kerberos database. Either a service's key has been changed or you may be using an old service ticket.

Solution

If a service's key has been changed (for example, by using kadmin) , you need to extract the new key and store it in the host's keytab where the service is running.

Alternately, you may be using an old service ticket that has an older key. You may want to do a kdestroy and then a kinit again.

Error Message

login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1

Reason Occurred

Either the Kerberos PAM module is missing or it is not a valid executable binary.

Solution

Make sure the Kerberos PAM module is in /usr/lib/security and it is a valid executable binary. Also, make sure /etc/pam.conf contains the correct path to pam_krb5.so.1.

Error Message

Looping detected inside krb5_get_in_tkt

Reason Occurred

Kerberos made several attempts to get the initial tickets but failed.

Solution

Make sure at least one KDC is responding to authentication requests.

Error Message

Master key does not match database

Reason Occurred

The loaded database dump was not created from a database containing the master key, which is located in /var/krb5/.k5.REALM.

Solution

Make sure the master key in the loaded database dump matches the master key located in /var/krb5/.k5.REALM.

Error Message

Matching credential not found

Reason Occurred

The matching credential for request was not found. Your request requires credentials that are not available in the credentials cache.

Solution

Destroy your tickets with kdestroy and create new tickets with kinit.

Error Message

Message out of order

Reason Occurred

Messages sent using sequential-order privacy arrived out of order. Some messages may have been lost in transit.

Solution

You should re-initialize the Kerberos session.

Error Message

Message stream modified

Reason Occurred

There was a mismatch between the computed checksum and message checksum. The message may have been modified while in transit, which may indicate a security leak.

Solution

Make sure that the messages are being sent across the network correctly. Since this message may also indicate possible tampering of messages while they are being sent, destroy your tickets using kdestroy and reinitialize the Kerberos services you are using.