Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

Common Kerberos Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of common error messages for the Kerberos commands, Kerberos daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.

No credentials cache file found

Cause: Kerberos could not find the user's credentials cache file, which by default is /tmp/krb5cc_uid, where uid is the user's numeric user ID.

Solution: Make sure that the credentials cache file exists and is readable by that user. The klist command shows which cache is in use and which tickets it holds. If the file is missing, or its tickets have expired, run the kinit command again.

No credentials were supplied, or the credentials were unavailable or inaccessible

No credential cache found

Cause: The user's credentials cache is invalid or does not exist.

Solution: The user must obtain a ticket-granting ticket by running the kinit command before trying to start the service.

No credentials were supplied, or the credentials were unavailable or inaccessible

No principal in keytab ('filename') matches desired name principal

Cause: The server could not authenticate itself because its keytab file (filename) contains no key for the service principal name that the client requested.

Solution: Make sure that the host or service principal is in the server's keytab file.

Operation requires “privilege” privilege

Cause: The admin principal that was being used is not granted the required privilege in the kadm5.acl file (/etc/krb5/kadm5.acl) on the master KDC.

Solution: Use a principal that has the required privilege, or grant the privilege to the principal that was being used by adding or changing its entry in kadm5.acl. Usually, a principal with /admin as its instance (for example, user/admin) has all privileges, because the ACL typically contains a line such as */admin@REALM *.
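To trace an "Operation requires privilege" error to the ACL line that should have granted it, the following Python is added here as an example; it is not part of the Solaris documentation or of kadmin. It implements a simplified kadm5.acl matcher and assumes the permission letters a, d, m, c, i, l and x/* with the meanings in the table below, component-wise '*' wildcards in principal names, and a constructed ACL for the hypothetical EXAMPLE.COM realm.

```python
"""Added example: simplified kadm5.acl matcher (not Solaris code). Assumes the
permission letters a, d, m, c, i, l, x/* with the meanings below and
component-wise '*' wildcards; the ACL contents and realm are constructed."""
import fnmatch

# Permission letter -> privilege name as it appears in the error message (assumed subset).
PRIVILEGES = {"a": "add", "d": "delete", "m": "modify",
              "c": "changepw", "i": "inquire", "l": "list"}

# Constructed contents for /etc/krb5/kadm5.acl (the Solaris path); hypothetical realm.
SAMPLE_ACL = """
# principal            permissions   target (optional)
*/admin@EXAMPLE.COM    *
helpdesk@EXAMPLE.COM   ci            *@EXAMPLE.COM
audit@EXAMPLE.COM      li
"""


def _match_principal(pattern, principal):
    """Same realm, same number of name components, '*' wildcards inside a component."""
    pname, prealm = pattern.rsplit("@", 1)
    name, realm = principal.rsplit("@", 1)
    pcomps, comps = pname.split("/"), name.split("/")
    return (fnmatch.fnmatchcase(realm, prealm)
            and len(pcomps) == len(comps)
            and all(fnmatch.fnmatchcase(c, p) for p, c in zip(pcomps, comps)))


def parse_acl(text):
    """Return (principal_pattern, permissions, target_pattern_or_None) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return rules


def privileges(acl_text, principal, target=None):
    """Privileges 'principal' holds for an operation on 'target' under this ACL.
    A rule carrying a target pattern applies only when a matching target is
    given (assumption of this example); lowercase letters grant, uppercase
    letters revoke, and 'x' or '*' grant everything."""
    granted = set()
    for who, perms, tgt in parse_acl(acl_text):
        if not _match_principal(who, principal):
            continue
        if tgt is not None and (target is None or not _match_principal(tgt, target)):
            continue
        for ch in perms:
            if ch in "x*":
                granted |= set(PRIVILEGES.values())
            elif ch.lower() in PRIVILEGES:
                name = PRIVILEGES[ch.lower()]
                if ch.islower():
                    granted.add(name)
                else:
                    granted.discard(name)
    return granted


def explain(acl_text, principal, operation, target):
    """Mimic kadmin: None when the operation is allowed, else the error text."""
    if operation in privileges(acl_text, principal, target):
        return None
    return "Operation requires \u201c" + operation + "\u201d privilege"


if __name__ == "__main__":
    for who in ("alice/admin@EXAMPLE.COM", "helpdesk@EXAMPLE.COM", "alice@EXAMPLE.COM"):
        print(who, "->", explain(SAMPLE_ACL, who, "add", "bob@EXAMPLE.COM") or "allowed")
```

Running the block shows that alice/admin may add bob@EXAMPLE.COM, helpdesk may only change passwords and inquire, and plain alice gets the error from this page: the fix is an ACL entry, not a different kadmin invocation.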

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Cause: The pam_krb5 module verifies the user's newly obtained credentials against the key of the host's own service principal (host/hostname) in the local /etc/krb5/krb5.keytab file, but no such entry exists. This verification protects the host against a spoofed KDC, so it should not simply be disabled.

Solution: Add the host's service principal to the local keytab file, for example with the ktadd command of kadmin.

Permission denied in replay cache code

Cause: The system's replay cache could not be opened. Your server might have been first run under a user ID different from the one it runs under now, so the existing cache file is owned by another user.

Solution: Make sure that the replay cache file has the appropriate owner and permissions for the user ID the server runs as; correct the ownership rather than loosening the permissions. The replay cache is stored on the host where the Kerberized server application is running. For non-root users the replay cache file is /var/krb5/rcache/rc_service_name_uid. For root the replay cache file is /var/krb5/rcache/root/rc_service_name.

Protocol version mismatch

Cause: Most likely, a Kerberos V4 request was sent to the KDC. The Kerberos service supports only the Kerberos V5 protocol.

Solution: Make sure that your applications are using the Kerberos V5 protocol.

Request is a replay

Cause: The server has already received and processed a request carrying this same authenticator; its replay cache records the client name and timestamp of each authenticator it accepts. A benign cause is a retransmitted request, but the ticket and authenticator might have been captured, and someone else is trying to reuse them.

Solution: Wait for a few minutes, and reissue the request, which produces a fresh authenticator. If the error recurs without the client having retried, treat it as a possible replay of stolen tickets and investigate.
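The mechanism behind this message, as an added example rather than code from Solaris: a minimal authenticator replay cache of the kind a Kerberized server keeps. It shows why a repeated request is answered with "Request is a replay" while a reissued request with a fresh authenticator is accepted. The principal names, timestamps and the 300-second limit are constructed for the example; CLOCK_SKEW follows the common default and is an assumption here.

```python
"""Added example (not Solaris code): a minimal Kerberos authenticator replay
cache. Names, times and the skew limit are constructed for the example."""
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; authenticators outside this window are rejected outright (assumed default)


@dataclass(frozen=True)
class Authenticator:
    """The fields a server records in its replay cache for each accepted request."""
    client: str   # client principal name
    ctime: int    # client's timestamp, seconds since the epoch
    cusec: int    # microsecond part of the timestamp


class ReplayCache:
    def __init__(self):
        self._seen = {}   # (client, ctime, cusec) -> ctime, kept for expiry

    def _expire(self, now):
        # Entries older than the skew window can be dropped: a replayed authenticator
        # that old already fails the clock-skew check before the cache is consulted.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= CLOCK_SKEW}

    def check(self, auth, now):
        """Return 'ok', 'replay' (already seen) or 'skew' (timestamp too old or too new)."""
        self._expire(now)
        if abs(now - auth.ctime) > CLOCK_SKEW:
            return "skew"
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return "replay"
        self._seen[key] = auth.ctime
        return "ok"


def simulate():
    """Constructed sequence: a request, the same bytes replayed, a fresh retry,
    and the captured authenticator replayed again after the window has passed."""
    rc = ReplayCache()
    first = Authenticator("alice@EXAMPLE.COM", 1000, 123456)
    retry = Authenticator("alice@EXAMPLE.COM", 1240, 7)   # same ticket, new timestamp
    return [
        rc.check(first, now=1000),   # legitimate request
        rc.check(first, now=1001),   # identical authenticator: replay (retransmit or stolen)
        rc.check(retry, now=1240),   # reissued request with a fresh authenticator
        rc.check(first, now=1400),   # old authenticator again: rejected by the skew check
    ]


if __name__ == "__main__":
    print(simulate())
```

The cache only has to remember authenticators for the length of the skew window, which is why the file stays small and why "wait a few minutes and reissue" clears a benign duplicate: the retry carries a new timestamp, so it is a new key.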

Requested principal and ticket don't match: Requested principal is 'service-principal' and TGT principal is 'TGT-principal'

Cause: The service principal that you are connecting to does not match the service principal named in the service ticket that you hold, typically because the host name resolved to a different name from the one the ticket was issued for.

Solution: Make sure that DNS is functioning properly, including reverse lookups, so that the host name maps consistently to the service principal name. If you are using another vendor's software, make sure that the software forms principal names correctly.

Server refused to negotiate authentication, which is required for encryption. Good bye.

Cause: The remote application is not capable of Kerberos authentication, or has been configured not to accept it from the client.

Solution: Use a remote application that can negotiate authentication, or configure the application with the appropriate flags to turn on authentication.

Server rejected authentication (during sendauth exchange)

Cause: The server that you are trying to communicate with rejected the authentication. Most often, this error occurs during Kerberos database propagation with kprop. Common causes are an incorrect kpropd.acl file on the slave KDC, DNS problems, or a missing or stale entry in the keytab file.

Solution: For kprop, check that the slave KDC's kpropd.acl file lists the master KDC's host principal and that the slave's keytab contains its own host principal. If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.

Target name principal 'principal' does not match service-principal

Cause: The service principal that is being used does not match the service principal that the application server is using.

Solution: On the application server, make sure that the service principal is included in the keytab file. For the client, make sure that the correct service principal is being used.

The ticket isn't for us

Ticket/authenticator do not match.

Cause: The service principal name in the request did not match the name the service expects, typically because the client requested a ticket for the fully qualified host name (FQDN) while the service's keytab holds the principal under a non-FQDN name, or the reverse.

Solution: Make sure that the client and the server agree on the host name form, and that DNS forward and reverse lookups return the FQDN consistently. If you get this error when you are running applications other than kprop, investigate whether the server's keytab file contains the service principal under the name that clients request.
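The checks behind "No principal in keytab matches desired name", "Key table entry not found", "Target name principal does not match" and the FQDN/non-FQDN mismatch above all reduce to one question: does the server's keytab hold a key under exactly the name the client requested? The following Python is added here as an example and is not Solaris or MIT Kerberos code. It builds a keytab in the MIT keytab file format in memory and answers that question offline; the host names, the EXAMPLE.COM realm and the key bytes are constructed placeholders, and the same parser can be pointed at a real /etc/krb5/krb5.keytab.

```python
"""Added example (not Solaris or MIT code): build an MIT-format keytab in memory
and check it for a requested service principal name. Host names, realm and
key bytes are constructed placeholders."""
import struct

KEYTAB_MAGIC = b"\x05\x02"     # keytab file format version 2
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Encode one entry: signed size prefix, then the entry body."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))             # component count (realm excluded)
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)    # keyblock: enctype, key
    body += struct.pack(">I", kvno)                        # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def deleted_slot(entry: bytes) -> bytes:
    """Mark an encoded entry as deleted (negative size), as the library does on removal."""
    return struct.pack(">i", -(len(entry) - 4)) + entry[4:]


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(keytab_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for each live entry, skipping deleted slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):           # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                    # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                   # 32-bit kvno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, enctype


def keytab_has_principal(data: bytes, wanted: str) -> bool:
    """What the server checks: is there a key for exactly this principal name?"""
    return any(p == wanted for p, _, _ in parse_keytab(data))


def list_keytab(path: str):
    """Parse a keytab on disk, for example /etc/krb5/krb5.keytab."""
    with open(path, "rb") as f:
        return list(parse_keytab(f.read()))


# Constructed keytab holding the FQDN names only (enctype 18 = aes256-cts-hmac-sha1-96,
# 17 = aes128-cts-hmac-sha1-96; the key bytes are placeholders).
SAMPLE_KEYTAB = build_keytab([
    ("host/server.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
    ("nfs/server.example.com@EXAMPLE.COM", 2, 17, b"\x22" * 16),
])

if __name__ == "__main__":
    for want in ("host/server.example.com@EXAMPLE.COM", "host/server@EXAMPLE.COM"):
        print(want, "found" if keytab_has_principal(SAMPLE_KEYTAB, want) else "no key table entry")
```

The short-name lookup fails even though the FQDN entry exists: the comparison is on the exact principal string, which is why a client that forms the name from a non-FQDN host name gets "The ticket isn't for us" against a keytab created for the FQDN.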

Truncated input file detected

Cause: The database dump file that was being used in the operation is not a complete dump file.

Solution: Create the dump file again, or use a different database dump file.