Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

Common Kerberos Error Messages (A-M)

This section provides an alphabetical list (A-M) of common error messages for the Kerberos commands, Kerberos daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.

Bad lifetime value

Cause: The lifetime value provided is not valid or incorrectly formatted.

Solution: Make sure that the value provided is consistent with the Time Formats section in the kinit(1) man page.

Bad start time value

Cause: The start time value provided is not valid or incorrectly formatted.

Solution: Make sure that the value provided is consistent with the Time Formats section in the kinit(1) man page.

Cannot contact any KDC for requested realm

Cause: No KDC responded in the requested realm.

Solution: Make sure that at least one KDC (either the master or a slave) is reachable or that the krb5kdc daemon is running on the KDCs. Check the /etc/krb5/krb5.conf file for the list of configured KDCs (kdc = kdc-name).

Cannot determine realm for host: host is 'hostname'

Cause: Kerberos cannot determine the realm name for the host.

Solution: Make sure that there is a default realm name, or that the domain name mappings are set up in the Kerberos configuration file (krb5.conf).

Cannot find a kadmin KDC entry in krb5.conf(4) or DNS Service Location records for realm 'realmname'

Cannot find a kpassword KDC entry in krb5.conf(4) or DNS Service Location records for realm 'realmname'

Cannot find a master KDC entry in krb5.conf(4) or DNS Service Location records for realm 'realmname'

Cannot find any KDC entries in krb5.conf(4) or DNS Service Location records for realm 'realmname'

Cause: Either the krb5.conf file or the DNS server records are incorrectly configured.

Solution: Make sure that either the Kerberos configuration file (/etc/krb5/krb5.conf) or the DNS server records for the KDC are configured properly.

Cannot find address for 'hostname': 'error-string'

Cause: No address was found in the DNS records for the given hostname.

Solution: Fix the host record in DNS or correct the error in the DNS lookup process.

cannot initialize realm realm-name

Cause: The KDC might not have a stash file.

Solution: Make sure that the KDC has a stash file. If not, create a stash file by using the kdb5_util command, and then restart the krb5kdc daemon.

Cannot resolve KDC for requested realm

Cause: Kerberos cannot determine any KDC for the realm.

Solution: Make sure that the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

Cannot resolve network address for KDCs 'hostname' discovered via DNS Service Location records for realm 'realm-name'

Cannot resolve network address for KDCs 'hostname' specified in krb5.conf(4) for realm 'realm-name'

Cause: Either the krb5.conf file or the DNS server record is incorrectly configured.

Solution: Make sure that the Kerberos configuration file (/etc/krb5/krb5.conf) and the DNS server records for the KDC are configured properly.
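The KDC lookup behind the "Cannot contact any KDC", "Cannot find ... KDC entry" and "Cannot resolve network address for KDCs" messages can be checked directly against krb5.conf. The following script is an added example and is not part of the Oracle guide: it prints the kdc relations of one realm block in the [realms] section and runs each host name through the resolver with getent hosts, which is the step that fails with "Cannot find address" and "Cannot resolve network address". The krb5.conf it writes is a constructed sample; the realm and host names in it are placeholders, and the parser assumes a realm block contains no nested braces.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): list the KDCs configured for a
# realm in a krb5.conf file and check that each host name resolves.
# Usage: list_kdcs /etc/krb5/krb5.conf EXAMPLE.COM
#        check_kdcs /etc/krb5/krb5.conf EXAMPLE.COM

# Print the value of every "kdc = host[:port]" relation inside the block of
# the given realm in the [realms] section. One level of braces is assumed;
# nested sub-blocks inside a realm block are not handled.
list_kdcs() {
    conf=$1
    realm=$2
    awk -v realm="$realm" '
        # A section header starts a new section; remember whether it is [realms].
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); in_block = 0; next }
        # Inside [realms] but outside a block: look for "REALM = {".
        in_realms && !in_block {
            name = $0
            sub(/^[ \t]*/, "", name)
            sub(/[ \t]*=.*$/, "", name)
            if (name == realm && $0 ~ /=[ \t]*\{/) in_block = 1
            next
        }
        # A closing brace ends the realm block.
        in_block && /^[ \t]*\}/ { in_block = 0; next }
        # "kdc = host" relation inside the block: print the host part.
        in_block && /^[ \t]*kdc[ \t]*=/ {
            host = $0
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, "", host)
            sub(/[ \t]*$/, "", host)
            print host
        }
    ' "$conf"
}

# For each configured KDC, report whether the host name resolves. An optional
# ":port" suffix is dropped before the lookup.
check_kdcs() {
    list_kdcs "$1" "$2" | while read -r kdc; do
        host=${kdc%:*}
        if getent hosts "$host" >/dev/null 2>&1; then
            echo "$host: resolves"
        else
            echo "$host: does NOT resolve (fix the DNS record or /etc/hosts)"
        fi
    done
}

# Write a constructed sample krb5.conf; realm and host names are placeholders.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc=kdc2.example.com:88
        admin_server = kdc1.example.com
    }
    OTHER.COM = {
        kdc = kdc.other.com
    }
EOF
}

# Demonstration on the constructed file.
tmp=$(mktemp -d) || exit 1
write_sample_krb5_conf "$tmp/krb5.conf"
echo "KDCs configured for EXAMPLE.COM:"
list_kdcs "$tmp/krb5.conf" EXAMPLE.COM
check_kdcs "$tmp/krb5.conf" EXAMPLE.COM
rm -rf "$tmp"
```

On a real client, run list_kdcs and check_kdcs against /etc/krb5/krb5.conf and the realm named in the error message; a KDC that does not appear in the list points at the configuration file, while one that appears but does not resolve points at DNS or /etc/hosts.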

Can't open/find Kerberos configuration file

Cause: The Kerberos configuration file (krb5.conf) was unavailable.

Solution: Make sure that the krb5.conf file is available in the correct location and has the correct permissions. This file should be writable by root and readable by everyone else.

Client 'principal' pre-authentication failed

Cause: Authentication failed for the principal.

Solution: Make sure that the user is using the correct password.

Client or server has a null key

Cause: The principal has a null key.

Solution: Modify the principal to have a non-null key by using the cpw command of kadmin.

Communication failure with server while initializing kadmin interface

Cause: The host that was specified for the master KDC did not have the kadmind daemon running.

Solution: Make sure that you specified the correct host name for the master KDC. If you specified the correct host name, make sure that kadmind is running on the master KDC that you specified.

Credentials cache file permissions incorrect

Cause: You do not have the appropriate read or write permissions on the credentials cache (/tmp/krb5cc_uid).

Solution: Make sure that you have read and write permissions on the credentials cache.

Credentials cache I/O operation failed XXX

Cause: Kerberos had a problem writing to the system's credentials cache (/tmp/krb5cc_uid).

Solution: Make sure that the credentials cache has not been removed, and that there is space left on the device by using the df command.

Decrypt integrity check failed

Cause: You might have an invalid ticket.

Solution: Verify both of the following conditions:

  • Make sure that your credentials are valid. Destroy your tickets with kdestroy, and create new tickets with kinit.

  • Make sure that the target host has a keytab file with the correct version of the service key. Use kadmin to view the key version number of the service principal (for example, host/FQDN-hostname) in the Kerberos database. Also, use the klist -k command on the target host to make sure that it has the same key version number.

Decrypt integrity check failed for client 'principal' and server 'hostname'

Cause: You might have an invalid ticket.

Solution: Make sure that your credentials are valid. Destroy your tickets with the kdestroy command, and create new tickets with the kinit command.

failed to obtain credentials cache

Cause: During kadmin initialization, a failure occurred when kadmin tried to obtain credentials for the admin principal.

Solution: Make sure that you used the correct principal and password when you executed the kadmin command.

Field is too long for this implementation

Cause: The message size that was being sent by a Kerberized application was too long. This error can be generated if the transport protocol is UDP, which has a default maximum message size of 65535 bytes. In addition, there are limits on individual fields within a protocol message that is sent by the Kerberos service.

Solution: Verify that you have not restricted the transport to UDP in the KDC server's /etc/krb5/kdc.conf file.

GSS-API (or Kerberos) error

Cause: This message is a generic GSS-API or Kerberos error message and can be caused by several different problems.

Solution: Check the /var/krb5/kdc.log file to find the more specific error message that was logged when this error occurred.

Improper format of Kerberos configuration file

Cause: The Kerberos configuration file has invalid entries.

Solution: Make sure that all the relations in the krb5.conf file are followed by the “=” sign and a value. Also, verify that the brackets are present in pairs for each subsection.
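The file checks behind "Can't open/find Kerberos configuration file", "Credentials cache file permissions incorrect", "Credentials cache I/O operation failed" and "Improper format of Kerberos configuration file" can be scripted. The following script is an added example and is not part of the Oracle guide: it verifies that krb5.conf is readable and not group- or world-writable, that a credentials cache is private to its owner and has free space on its file system (the df check the guide recommends), and that every relation in krb5.conf is followed by "=" with paired braces around each subsection. The good and bad configuration files it writes are constructed samples with placeholder names.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): file checks behind the "Can't
# open/find Kerberos configuration file", "Credentials cache file permissions
# incorrect", "Credentials cache I/O operation failed" and "Improper format of
# Kerberos configuration file" messages. Paths are parameters; the Solaris
# defaults are /etc/krb5/krb5.conf and /tmp/krb5cc_<uid>.

# Return 0 if the file is readable and not group- or world-writable
# (the guide's "writable by root and readable by everyone else").
krb5_conf_perms_ok() {
    [ -r "$1" ] || { echo "$1: missing or unreadable"; return 1; }
    perm=$(ls -ld "$1" | cut -c1-10)       # e.g. -rw-r--r--
    case $perm in
        ?????w*|????????w*) echo "$1: group- or world-writable ($perm)"; return 1 ;;
    esac
    return 0
}

# Return 0 if the credentials cache is readable, writable and private (mode 600).
ccache_perms_ok() {
    { [ -r "$1" ] && [ -w "$1" ]; } || { echo "$1: not readable and writable"; return 1; }
    perm=$(ls -ld "$1" | cut -c1-10)
    case $perm in
        ????------) return 0 ;;
        *) echo "$1: mode should be 600, is $perm"; return 1 ;;
    esac
}

# Return 0 if the file system holding the cache has at least $2 KB available
# (the df check the guide recommends for the I/O failure message).
ccache_space_ok() {
    avail=$(df -k "$(dirname "$1")" | awk 'NR > 1 { a = $(NF-2) } END { print a }')
    [ "$avail" -ge "$2" ]
}

# Format check for krb5.conf: every relation line must contain "=" and the
# braces of each subsection must be paired. Prints the problems it finds.
krb5_conf_format_ok() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }             # blank lines, comments
        /^[ \t]*\[[A-Za-z_]+\][ \t]*$/ { next }           # [section] header
        /^[ \t]*\}[ \t]*$/ { depth--; next }              # end of a subsection
        {
            if ($0 !~ /=/) { printf("line %d: relation without \"=\": %s\n", NR, $0); bad = 1 }
            if ($0 ~ /\{[ \t]*$/) depth++                # "name = {" opens a subsection
        }
        END {
            if (depth != 0) { printf("unbalanced braces (depth %d at end of file)\n", depth); bad = 1 }
            exit bad + 0
        }' "$1"
}

# Write a constructed sample: "good" is well formed, "bad" has a relation
# without "=" and an unclosed subsection. Names are placeholders.
write_sample_conf() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
EOF
    else
        cat > "$1" <<'EOF'
[libdefaults]
    default_realm EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
EOF
    fi
}

# Demonstration on the constructed files.
tmp=$(mktemp -d) || exit 1
write_sample_conf "$tmp/good.conf" good; chmod 644 "$tmp/good.conf"
write_sample_conf "$tmp/bad.conf" bad
krb5_conf_perms_ok "$tmp/good.conf" && krb5_conf_format_ok "$tmp/good.conf" && echo "good.conf: OK"
krb5_conf_format_ok "$tmp/bad.conf" || echo "bad.conf: rejected"
rm -rf "$tmp"
```

On a live system, call krb5_conf_perms_ok and krb5_conf_format_ok with /etc/krb5/krb5.conf, and ccache_perms_ok and ccache_space_ok with the cache file named by klist (by default /tmp/krb5cc_<uid>); the checks only report, they do not change any file.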

Invalid credential was supplied

Service key not available

Cause: The service ticket in the credentials cache may be incorrect.

Solution: Destroy the current credentials cache and rerun the kinit command before trying to use this service.

Invalid flag for file lock mode

Cause: An internal Kerberos error occurred.

Solution: Please report a bug.

Invalid message type specified for encoding

Cause: Kerberos did not recognize the message type that was sent by the Kerberized application.

Solution: If you are using a Kerberized application that was developed by your site or a vendor, make sure that it is using Kerberos correctly.

kadmin: Bad encryption type while changing host/FQDN's key

Cause: Newer releases include more encryption types by default. A client can request encryption types that a KDC running an older version of the software does not support.

Solution: Set permitted_enctypes in krb5.conf on the client to not include the aes256 encryption type. This step will need to be done on each new client.

KDC can't fulfill requested option

Cause: The KDC did not allow the requested option. A possible problem might be that postdating or forwardable options were being requested, and the KDC did not allow them. Another problem might be that you requested the renewal of a TGT, but you didn't have a renewable TGT.

Solution: Determine if you are either requesting an option that the KDC does not allow or a type of ticket that is not available.

KDC reply did not match expectation: KDC not found. Probably got an unexpected realm referral

Cause: The KDC reply did not contain the expected principal name, or other values in the response were incorrect.

Solution: Make sure that the KDC you are communicating with complies with RFC 4120, that the request you are sending is a Kerberos V5 request, and that the KDC is available.

kdestroy: Could not obtain principal name from cache

Cause: The credentials cache is missing or corrupted.

Solution: Check that the cache location provided is correct. Remove and obtain a new TGT by using kinit, if necessary.

kdestroy: No credentials cache file found while destroying cache

Cause: The credentials cache (/tmp/krb5cc_uid) is missing or corrupted.

Solution: Check that the cache location provided is correct. Remove and obtain a new TGT using kinit, if necessary.

kdestroy: TGT expire warning NOT deleted

Cause: The credentials cache is missing or corrupted.

Solution: Check that the cache location provided is correct. Remove and obtain a new TGT using kinit, if necessary.

Kerberos authentication failed

Cause: The Kerberos password is either incorrect or the password might not be synchronized with the UNIX password.

Solution: If the passwords are not synchronized, then you must specify the Kerberos password to complete authentication. It is possible that the user has forgotten their original password.

Key version number is not available for principal principal

Cause: The key version number does not match the version of the keys on the application server.

Solution: Check the version of the keys on the application server using the klist -k command.

Key version number for principal in key table is incorrect

Cause: A principal's key version in the keytab file is different from the version in the Kerberos database. Either a service's key has been changed, or you might be using an old service ticket.

Solution: If a service's key has been changed (for example, by using kadmin), you need to extract the new key and store it in the host's keytab file where the service is running. Or, you might be using an old service ticket that has an older key. You might want to run the kdestroy command and then the kinit command again.
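The key version comparison that "Decrypt integrity check failed", "Key version number is not available for principal" and "Key version number for principal in key table is incorrect" all call for can be automated. The following script is an added example and is not part of the Oracle guide: it reads the highest kvno for a service principal from a klist -k listing and the highest kvno from a kadmin getprinc listing, and reports whether they agree. Both listings here are constructed samples in the shape of those commands' output (the exact wording of getprinc lines varies by release); on a live system they would come from klist -k on the application server and kadmin -q "getprinc host/FQDN" against the master KDC, and ktadd is the kadmin subcommand that stores a key in the keytab.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): compare the key version number
# (kvno) of a service principal in the host keytab with the kvno in the
# Kerberos database, the check behind the "Decrypt integrity check failed"
# and "Key version number ... is incorrect" messages. The two listings are
# read from files; on a live system they would come from
#   klist -k                       (on the application server)
#   kadmin -q "getprinc host/FQDN" (against the master KDC)

# Highest kvno recorded for principal $1 in a "klist -k" listing on stdin.
# Prints 0 when the principal is not in the keytab.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
                   END { print max + 0 }'
}

# Highest kvno in a "getprinc" listing on stdin ("Key: vno N, enctype" lines).
database_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { v = $3; sub(/,$/, "", v); if (v + 0 > max) max = v + 0 }
         END { print max + 0 }'
}

# Compare both and say what to do. Returns 0 on match, 1 on mismatch,
# 2 when the principal is absent from the keytab.
compare_kvno() {
    princ=$1; keytab_listing=$2; db_listing=$3
    kt=$(keytab_kvno "$princ" < "$keytab_listing")
    db=$(database_kvno < "$db_listing")
    if [ "$kt" -eq 0 ]; then
        echo "$princ: not in the keytab; add it with kadmin ktadd"
        return 2
    elif [ "$kt" -eq "$db" ]; then
        echo "$princ: kvno $kt in the keytab matches the database"
        return 0
    else
        echo "$princ: keytab has kvno $kt, database has kvno $db;" \
             "store the new key in the keytab (kadmin ktadd), or run kdestroy and kinit"
        return 1
    fi
}

# Constructed sample output in the shape of "klist -k" (placeholder names).
sample_klist_k() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/app.example.com@EXAMPLE.COM
   3 host/app.example.com@EXAMPLE.COM
   2 nfs/app.example.com@EXAMPLE.COM
EOF
}

# Constructed sample output in the shape of "kadmin getprinc" for the host
# principal after its key was changed (exact wording varies by release).
sample_getprinc_host() {
    cat <<'EOF'
Principal: host/app.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
EOF
}

# Demonstration on the constructed listings: the keytab still holds kvno 3
# while the database is at kvno 4, so a mismatch is reported.
tmp=$(mktemp -d) || exit 1
sample_klist_k > "$tmp/keytab.txt"
sample_getprinc_host > "$tmp/db.txt"
compare_kvno host/app.example.com@EXAMPLE.COM "$tmp/keytab.txt" "$tmp/db.txt"
rm -rf "$tmp"
```

Saving the real klist -k and getprinc output to two files and passing them to compare_kvno distinguishes the two causes the guide lists: a keytab kvno that is lower than the database kvno means the service's key was changed and the keytab is stale, whereas equal kvnos with a persisting failure point at an old service ticket in the client's cache.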

kinit: gethostname failed

Cause: An error in the local network configuration is causing kinit to fail.

Solution: Make sure that the host is configured correctly.

login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1

Cause: Either the Kerberos PAM module is missing or it is not a valid executable binary.

Solution: Make sure that the Kerberos PAM module is in the /usr/lib/security directory and that it is a valid executable binary. Also, make sure that your PAM configuration file for login contains the correct path to pam_krb5.so.1.

Looping detected getting initial creds: 'client-principal' requesting ticket 'service-principal'. Max loops is value. Make sure a KDC is available.

Cause: Kerberos made several attempts to get the initial tickets but failed.

Solution: Make sure that at least one KDC is responding to authentication requests.

Master key does not match database

Cause: The loaded database dump was not created from a database that contains the master key. The master key is located in /var/krb5/.k5.REALM.

Solution: Make sure that the master key in the loaded database dump matches the master key that is located in /var/krb5/.k5.REALM.

Matching credential not found

Cause: The matching credential for your request was not found. Your request requires credentials that are unavailable in the credentials cache.

Solution: Destroy your tickets with kdestroy, and create new tickets with kinit.

Message out of order

Cause: Messages that were sent when using sequential-order privacy arrived out of order. Some messages might have been lost in transit.

Solution: You must reinitialize the Kerberos session.

Message stream modified

Cause: The computed checksum and the message checksum do not match. The message might have been modified in transit, which can indicate that the traffic has been tampered with.

Solution: Make sure that the messages are being sent across the network correctly. Because this message can also indicate the possible tampering of messages while they are being sent, destroy your tickets and reinitialize the Kerberos services that you are using.