System Administration Guide: Security Services

Common SEAM Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.


No credentials cache file found

Cause:

Kerberos could not find the credentials cache (/tmp/krb5cc_uid).

Solution:

Make sure that the credentials cache file exists and is readable. If it isn't, run kinit again.


Operation requires "privilege" privilege

Cause:

The admin principal that was being used does not have the appropriate privilege configured in the kadm5.acl file.

Solution:

Use a principal that has the appropriate privileges. Or, configure the principal that was being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with “/admin” as part of its name has the appropriate privileges.


PAM-KRB5: Kerberos V5 authentication failed: password incorrect

Cause:

Your UNIX password and Kerberos passwords are different. Most non-Kerberized commands, such as login, are set up through PAM to automatically authenticate with Kerberos by using the same password that you specified for your UNIX password. If your passwords are different, the Kerberos authentication fails.

Solution:

You must enter your Kerberos password when prompted.


Password is in the password dictionary

Cause:

The password that you entered is in a password dictionary that is in use, so it is not a good choice for a password.

Solution:

Choose a password that has a mix of password classes.


Permission denied in replay cache code

Cause:

The system's replay cache could not be opened. The server might have been first run under a user ID different than your current user ID.

Solution:

Make sure that the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running (/usr/tmp/rc_service_name). Instead of changing the permissions on the current replay cache, you can also remove the replay cache before you run the Kerberized server under a different user ID.
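
The following check is an added example, not part of the original guide. It covers both the credentials cache entry (/tmp/krb5cc_uid) and the replay cache entry above by reporting whether a file exists, is owned by the expected user ID, and is readable and writable by its owner. The function name krb_file_status and its status words are illustrative.

```shell
# Added example: krb_file_status FILE UID
# Prints one of: absent | wrong-owner | no-owner-rw | ok
krb_file_status() {
  f=$1 want_uid=$2
  if [ ! -e "$f" ]; then
    echo absent            # kinit or the server creates it on the next run
    return 0
  fi
  # ls -n prints numeric IDs: field 1 is the mode string, field 3 the owner UID.
  ls -lnd "$f" | {
    read -r mode _links owner _rest
    if [ "$owner" != "$want_uid" ]; then
      echo wrong-owner     # e.g. the server first ran under a different user ID
    else
      case $mode in
        ?rw*) echo ok ;;
        *)    echo no-owner-rw ;;
      esac
    fi
  }
}

# Typical calls (paths as given in this guide; service_name is a placeholder):
#   krb_file_status "/tmp/krb5cc_$(id -u)" "$(id -u)"
#   krb_file_status /usr/tmp/rc_service_name "$(id -u)"
```

A result of wrong-owner on a replay cache corresponds to the "Permission denied in replay cache code" case: fix the permissions or remove the file before starting the server under the new user ID.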


Protocol version mismatch

Cause:

Most likely, a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution:

Make sure that your applications are using the Kerberos V5 protocol.


Request is a replay

Cause:

The request has already been sent to this server and processed. The tickets might have been stolen, and someone else is trying to reuse the tickets.

Solution:

Wait for a few minutes and reissue the request.


Requested principal and ticket don't match

Cause:

The service principal that you are connecting to and the service ticket that you have do not match.

Solution:

Make sure that DNS is functioning properly. If you are using another vendor's software, make sure that the software is using principal names correctly.


Requested protocol version not supported

Cause:

Most likely, a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution:

Make sure that your applications are using the Kerberos V5 protocol.


Required parameters in krb5.conf missing while initializing kadmin interface

Cause:

There is a missing parameter (such as the admin_server parameter) in the krb5.conf file.

Solution:

Determine which parameter is missing and add it to the krb5.conf file.


Server rejected authentication (during sendauth exchange)

Cause:

The server that you are trying to communicate with rejected the authentication. Most often this error occurs during Kerberos database propagation. Some common causes might be problems with the kpropd.acl file, DNS, or the keytab file.

Solution:

If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.


Set gss service nfs@<host> failed. Check nfs service credential.

Cause:

This message is generated by syslog after a share command has failed with an “invalid argument” message. The most likely cause of this message is that either there is no keytab file or there is no NFS service principal in the keytab file.

Solution:

To isolate the problem, run klist -k to see if the keytab file exists and if there is an NFS service principal for the host in the keytab file.


The ticket isn't for us


Ticket/authenticator don't match

Cause:

There was a mismatch between the ticket and authenticator. The principal name in the request might not have matched the service principal's name, because the ticket was being sent with an FQDN name of the principal while the service expected non-FQDN, or vice versa.

Solution:

If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.
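
The keytab checks suggested in the entries above (the nfs@<host> failure and the FQDN versus non-FQDN mismatch) can be scripted. This is an added example, not part of the original guide: it reads plain klist -k output on standard input and reports whether a service principal is present under the fully qualified host name, only under the short host name, or not at all. The function names, host names and realm are constructed for illustration.

```shell
# Added example: keytab_service_status SERVICE FQDN   (klist -k output on stdin)
# Prints one of: fqdn | short-only | missing
keytab_service_status() {
  svc=$1 fqdn=$2 short=${2%%.*}
  awk -v svc="$svc" -v fqdn="$fqdn" -v short="$short" '
    # Entry lines look like "   3 nfs/host.example.com@REALM" (KVNO, principal).
    # Header and separator lines do not start with a number and are skipped.
    $1 ~ /^[0-9]+$/ && NF >= 2 {
      p = $2
      sub(/@.*$/, "", p)                 # drop the realm
      n = split(p, part, "/")
      if (n != 2 || part[1] != svc) next
      # Principal names are case-sensitive, so compare exactly.
      if (part[2] == fqdn) full = 1
      else if (part[2] == short) brief = 1
    }
    END {
      if (full) print "fqdn"
      else if (brief) print "short-only"
      else print "missing"
    }'
}

# Constructed sample of klist -k output, used to exercise the function offline.
sample_klist() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   3 host/denver.example.com@EXAMPLE.COM
   3 nfs/denver@EXAMPLE.COM
EOF
}

# On a real host: klist -k | keytab_service_status nfs denver.example.com
```

With the constructed sample, the nfs service reports short-only, which is the kind of FQDN mismatch described in the "Ticket/authenticator don't match" entry.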


Ticket expired

Cause:

Your ticket times have expired.

Solution:

Destroy your tickets with kdestroy and create new tickets with kinit.


Ticket is ineligible for postdating

Cause:

The principal does not allow its tickets to be postdated.

Solution:

Modify the principal with kadmin to allow postdating.


Ticket not yet valid

Cause:

The postdated ticket is not valid yet.

Solution:

Create new tickets with the correct date, or wait until the current tickets are valid.


Truncated input file detected

Cause:

The database dump file that was being used in the operation is not a complete dump file.

Solution:

Create the dump file again, or use a different database dump file.


Wrong principal in request

Cause:

There was an invalid principal name in the ticket. This error might indicate a DNS or FQDN problem.

Solution:

Make sure that the principal of the service matches the principal in the ticket.