Sun Enterprise Authentication Mechanism 1.0.2 Guide

Chapter 3 SEAM Error Messages and Troubleshooting

This chapter provides resolutions for error messages that you might receive when you use SEAM, as well as some troubleshooting tips for various problems. This is a list of the error message and troubleshooting information in this chapter.

SEAM Error Messages

This section provides information about SEAM error messages, including why each error occurs and a way to fix it.

Common SEAM Error Messages (A-M)

This section provides an alphabetical list (A-M) of common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.


major_error minor_error gssapi error importing name

Cause:

An error occurred while a service name was being imported.

Solution:

Make sure that the host or ftp service principal is in the host's keytab file.


All authentication systems disabled; connection refused

Cause:

This version of rlogind does not support any authentication mechanism.

Solution:

Make sure that rlogind is invoked with the -k option. In fact, this should be the default specified in the inetd.conf file.


Another authentication mechanism must be used to access this host

Cause:

Authentication could not be done.

Solution:

Make sure the client is using Kerberos V5 for authentication.


Authentication negotiation has failed, which is required for encryption. Good bye.

Cause:

Authentication could not be negotiated with the server.

Solution:

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.


Cannot encrypt-write network

Cause:

A problem occurred while encrypting data.

Solution:

Check for other possible problems in the system. Examine other syslog messages for further clues.


Client did not supply required checksum--connection rejected

Cause:

Authentication with checksum was not negotiated with the client. The client may be using an old Kerberos V5 protocol that lacks initial connection support.

Solution:

Make sure that the client is using a Kerberos V5 protocol that provides initial connection support.


Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections

Cause:

Authentication with checksum was not negotiated with the client. The client might be using an old Kerberos V5 protocol that lacks initial connection support.

Solution:

Make sure the client is using a Kerberos V5 protocol that provides initial connection support.


des_read retry count exceeded

Cause:

An error repeatedly occurred while reading data.

Solution:

Check for other possible problems in the system. Examine other syslog messages for further clues.


Encryption could not be enabled. Goodbye.

Cause:

Encryption could not be negotiated with the server.

Solution:

Start authentication debugging by invoking the telnet command toggle encdebug and look at the debug messages for further clues.


Kerberos V5 refuses authentication

Cause:

Authentication could not be negotiated with the server.

Solution:

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.


login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1

Cause:

Either the Kerberos PAM module is missing or it is not a valid executable binary.

Solution:

Make sure that the Kerberos PAM module is in the /usr/lib/security directory and that it is a valid executable binary. Also, make sure that the /etc/pam.conf file contains the correct path to pam_krb5.so.1.

Common SEAM Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.


No authentication systems were enabled; all connections will be refused

Cause:

This version of rlogind does not support any authentication mechanism.

Solution:

Make sure that rlogind is invoked with the -k option. In fact, this should be the default specified in the inetd.conf file.


Server refused to negotiate encryption. Good bye.

Cause:

Encryption could not be negotiated with the server.

Solution:

Start authentication debugging by invoking the telnet command toggle encdebug and look at the debug messages for further clues.


Unable to connect with Kerberos V5 and provide encryption service


Unable to connect with Kerberos V5, using normal rlogin

Cause:

A Kerberized session could not be established with the appropriate service (kshell for rsh and rcp, eklogin or klogin for rlogin) on the server. This may be due to invalid credentials.

Solution:
  1. Make sure your credentials are valid. Destroy your tickets with kdestroy and create new tickets with kinit.

  2. Make sure the target host has a keytab with the correct version of the service key. Use kadmin(1M) to view the key version number of the service principal (for example, host/FQDN_hostname) in the Kerberos database and use klist -k on the target host to make sure it has the same key version number.

  3. Make sure there are entries for the services (klogin, eklogin, and kshell) in /etc/inetd.conf on the target host.
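
The following shell functions, added here as an example and not part of the SEAM guide, carry out the comparisons in steps 2 and 3 on captured text: the key version numbers from klist -k against the one shown by kadmin, and the klogin, eklogin and kshell entries in inetd.conf. The sample input, host name, realm and paths are constructed, and the "Key: vno N" layout of the kadmin listing is an assumption that may differ on your release.

```shell
# Added example: offline versions of the checks in steps 2 and 3 (sample text is constructed).

# Print the key version numbers that `klist -k` text (stdin) lists for principal $1.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# Print the highest key version in a kadmin principal listing (stdin).
# Assumes key lines look like "Key: vno N, ..." or "Key: Version N, ...".
kdc_kvno() {
    sed -n 's/^Key: *[Vv][A-Za-z]* *\([0-9][0-9]*\),.*/\1/p' | sort -un | tail -1
}

# Succeed only if KDC version $1 is among the keytab versions in $2.
kvno_in_sync() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Print each Kerberized service with no active (uncommented) inetd.conf entry (stdin).
missing_services() {
    conf=$(cat)
    for svc in klogin eklogin kshell; do
        printf '%s\n' "$conf" | grep -Eq "^${svc}[[:space:]]" || printf '%s\n' "$svc"
    done
}

# Constructed sample input (hypothetical host, realm and paths).
PRINC='host/denver.example.com@EXAMPLE.COM'
SAMPLE_KLIST="KVNO Principal
---- ----------------------------------------
   3 $PRINC"
SAMPLE_KADMIN="Principal: $PRINC
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt"
SAMPLE_INETD='klogin stream tcp nowait root /path/to/rlogind rlogind -k
#eklogin stream tcp nowait root /path/to/rlogind rlogind -k
kshell stream tcp nowait root /path/to/rshd rshd'

kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$PRINC")
kdc=$(printf '%s\n' "$SAMPLE_KADMIN" | kdc_kvno)
if kvno_in_sync "$kdc" "$kt"; then echo "keytab has current key (kvno $kdc)"
else echo "STALE KEYTAB: KDC kvno $kdc, keytab has: $kt"; fi
for s in $(printf '%s\n' "$SAMPLE_INETD" | missing_services); do
    echo "no active inetd.conf entry for $s"
done
```

On the sample data the keytab holds version 3 while the KDC is at version 4, and the eklogin entry is commented out, so both conditions are reported. On a live system, pipe the real klist -k output, the kadmin principal listing and /etc/inetd.conf into the same functions.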


Unable to securely authenticate user ... exit

Cause:

Authentication could not be negotiated with the server.

Solution:

Start authentication debugging by invoking the telnet command toggle authdebug and look at the debug messages for further clues. Also, make sure you have valid credentials.


You are using an old Kerberos5 client without checksum support; only newer clients are authorized.

Cause:

Authentication with checksum was not negotiated with the client. The client may be using an old Kerberos V5 protocol that lacks initial connection support.

Solution:

Make sure the client is using a Kerberos V5 protocol that provides initial connection support.