SEAM Error Messages and Troubleshooting

This chapter provides resolutions for error messages that you might receive when you use SEAM, as well as some troubleshooting tips for various problems. This is a list of the error message and troubleshooting information in this chapter.

• SEAM Administration Tool Error Messages

• Common SEAM Error Messages (A-M)

• Common SEAM Error Messages (N-Z)

• Problems Mounting a Kerberized NFS File System

• Problems Authenticating as root

SEAM Error Messages

This section provides information about SEAM error messages, including why each error occurs and a way to fix it.

SEAM Administration Tool Error Messages

Unable to view the list of principals or policies; use the Name field.

Cause: The admin principal that you logged in with does not have the list privilege (l) in the Kerberos ACL file (kadm5.acl), so you cannot view the principal list or policy list.

Solution: You must enter the principal and policy names in the Name field to work on them, or you need to log on with a principal that has the appropriate privileges.

JNI: Java array creation failed

JNI: Java class lookup failed

JNI: Java field lookup failed

JNI: Java method lookup failed

JNI: Java object lookup failed

JNI: Java object field lookup failed

JNI: Java string access failed

JNI: Java string creation failed

Cause: A serious problem exists with the Java Native Interface that is used by the SEAM Administration Tool (gkadmin).

Solution: Exit gkadmin and restart it. If the problem persists, please report a bug.

Common SEAM Error Messages (A-M)

This section provides an alphabetical list (A-M) of common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.

major_error minor_error gssapi error importing name

Cause: An error occurred while a service name was being imported.

Solution: Make sure that the service principal is in the host's keytab file.

Bad krb5 admin server hostname while initializing kadmin interface

Cause: An invalid host name is configured for admin_server in the krb5.conf file.

Solution: Make sure that the correct host name for the master KDC is specified on the admin_server line in the krb5.conf file.

Cannot contact any KDC for requested realm

Cause: No KDC responded in the requested realm.

Solution: Make sure that at least one KDC (either the master or slave) is reachable or that the krb5kdc daemon is running on the KDCs. Check the /etc/krb5/krb5.conf file for the list of configured KDCs (kdc = kdc_name).

Cannot determine realm for host

Cause: Kerberos cannot determine the realm name for the host.

Solution: Make sure that there is a default realm name, or that the domain name mappings are set up in the Kerberos configuration file (krb5.conf).

Cannot find KDC for requested realm

Cause: No KDC was found in the requested realm.

Solution: Make sure that the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

cannot initialize realm realm_name

Cause: The KDC might not have a stash file.

Solution: Make sure that the KDC has a stash file. If not, create a stash file by using the kdb5_util command, and try running the krb5kdccommand again. The easiest way to start krb5kdc is to run the /etc/init.d/kdc script.

Cannot resolve KDC for requested realm

Cause: Kerberos cannot determine any KDC for the realm.

Solution: Make sure that the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.

Cannot reuse password

Cause: The password that you entered has been used before by this principal.

Solution: Choose a password that has not been chosen before, at least not within the number of passwords that are kept in the KDC database for each principal (this policy is enforced by the principal's policy).

Can't get forwarded credentials

Cause: Credential forwarding could not be established.

Solution: Make sure that the principal has forwardable credentials.

Can't open/find Kerberos configuration file

Cause: The Kerberos configuration file (krb5.conf) was unavailable.

Solution: Make sure that the krb5.conf file is available in the correct location and has the correct permissions. This file should be writable by root and readable by everyone else.

Client/server realm mismatch in initial ticket request

Cause: A realm mismatch between the client and server occurred in the initial ticket request.

Solution: Make sure that the server you are communicating with is in the same realm as the client, or that the realm configurations are correct.

Client or server has a null key

Cause: The principal has a null key.

Solution: Modify the principal to have a non-null key by using the cpw command of kadmin.

Communication failure with server while initializing kadmin interface

Cause: The host that was entered for the admin server, also called the master KDC, did not have the kadmind daemon running.

Solution: Make sure that you specified the correct host name for the master KDC. If you specified the correct host name, make sure that kadmind is running on the master KDC that you specified.

Credentials cache file permissions incorrect

Cause: You do not have the appropriate read or write permissions on the credentials cache (/tmp/krb5cc_uid).

Solution: Make sure that you have read and write permissions on the credentials cache.