login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1

Cause: Either the Kerberos PAM module is missing or it is not a valid executable binary.

Solution: Make sure that the Kerberos PAM module is in the /usr/lib/security directory and that it is a valid executable binary. Also, make sure that the /etc/pam.conf file contains the correct path to pam_krb5.so.1.

 

Looping detected inside krb5_get_in_tkt

Cause: Kerberos made several attempts to get the initial tickets but failed.

Solution: Make sure that at least one KDC is responding to authentication requests.

 

Master key does not match database

Cause: The loaded database dump was not created from a database that contains the master key, which is located in /var/krb5/.k5.REALM.

Solution: Make sure that the master key in the loaded database dump matches the master key that is located in /var/krb5/.k5.REALM.

 

Matching credential not found

Cause: The matching credential for your request was not found. Your request requires credentials that are unavailable in the credentials cache.

Solution: Destroy your tickets with kdestroy and create new tickets with kinit.

 

Message out of order

Cause: Messages that were sent using sequential-order privacy arrived out of order. Some messages might have been lost in transit.

Solution: You should reinitialize the Kerberos session.

 

Message stream modified

Cause: There was a mismatch between the computed checksum and the message checksum. The message might have been modified while in transit, which can indicate a security leak.

Solution: Make sure that the messages are being sent across the network correctly. Since this message can also indicate the possible tampering of messages while they are being sent, destroy your tickets using kdestroy and reinitialize the Kerberos services that you are using.

Common SEAM Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.

 

No credentials cache file found

Cause: Kerberos could not find the credentials cache (/tmp/krb5cc_uid).

Solution: Make sure that the credentials cache file exists and is readable. If it does not, run kinit again.

 

Operation requires "privilege" privilege

Cause: The admin principal that was being used does not have the appropriate privilege configured in the kadm5.acl file.

Solution: Use a principal that has the appropriate privileges. Or, configure the principal that was being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with "/admin" as part of its name has the appropriate privileges.

 

PAM-KRB5: Kerberos V5 authentication failed: password incorrect

Cause: Your UNIX password and Kerberos passwords are different. Most non-Kerberized commands, such as login, are set up through PAM to automatically authenticate with Kerberos by using the same password that you specified for your UNIX password. If your passwords are different, the Kerberos authentication fails.

Solution: You must enter your Kerberos password when prompted.

 

Password is in the password dictionary

Cause: The password that you entered appears in the password dictionary that the KDC checks against, so it is a poor choice.

Solution: Choose a password that mixes character classes (for example, upper-case and lower-case letters, digits, and punctuation).

 

Permission denied in replay cache code

Cause: The system's replay cache could not be opened. The server might have been first run under a user ID different from your current user ID.

Solution: Make sure that the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running (/usr/tmp/rc_service_name). Instead of changing the permissions on the current replay cache, you can also remove the replay cache before you run the Kerberized server under a different user ID.

 

Protocol version mismatch

Cause: Most likely, a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution: Make sure that your applications are using the Kerberos V5 protocol.

 

Request is a replay

Cause: The request has already been sent to this server and processed. The tickets might have been stolen, and someone else is trying to reuse the tickets.

Solution: Wait for a few minutes and reissue the request.

 

Requested principal and ticket don't match

Cause: The service principal that you are connecting to and the service ticket that you have do not match.

Solution: Make sure that DNS is functioning properly. If you are using another vendor's software, make sure that the software is using principal names correctly.

 

Requested protocol version not supported

Cause: Most likely, a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution: Make sure that your applications are using the Kerberos V5 protocol.

 

Required parameters in krb5.conf missing while initializing kadmin interface

Cause: There is a missing parameter (such as the admin_server parameter) in the krb5.conf file.

Solution: Determine which parameter is missing and add it to the krb5.conf file.

 

Server rejected authentication (during sendauth exchange)

Cause: The server that you are trying to communicate with rejected the authentication. Most often this error occurs during Kerberos database propagation. Some common causes might be problems with the kpropd.acl file, DNS, or the keytab file.

Solution: If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.

 

Set gss service nfs@<host> failed. Check nfs service credential.

Cause: This message is generated by syslog after a share command has failed with an "invalid argument" message. The most likely cause is that either there is no keytab file or there is no NFS service principal in the keytab file.

Solution: To isolate the problem, run klist -k to see if the keytab file exists and if there is an NFS service principal for the host in the keytab file.

 

The ticket isn't for us

Ticket/authenticator don't match

Cause: There was a mismatch between the ticket and the authenticator. The principal name in the request might not have matched the service principal's name, because the ticket was sent with the FQDN form of the principal's host name while the service expected the non-FQDN form, or vice versa.

Solution: If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.
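The keytab check suggested for the two NFS-related messages above (run klist -k and look for the host's NFS service principal, and watch for FQDN versus short-name spelling) can be scripted. This is an added example, not part of the SEAM documentation; the klist -k listing it parses is constructed, and the host names and realm EXAMPLE.COM are placeholders.

```sh
# Constructed `klist -k` output used as sample input (not captured from a real system).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfs1.example.com@EXAMPLE.COM
   3 nfs/nfs1@EXAMPLE.COM'

# check_nfs_principal HOST
# Reads a `klist -k` listing on stdin and looks for nfs/HOST@REALM. Exit status:
#   0  nfs/HOST is present in the keytab
#   1  an nfs/ principal for this host exists, but in the other spelling
#      (FQDN versus short name), the mismatch behind "Ticket/authenticator don't match"
#   2  no nfs/ principal for this host at all (keytab missing or entry never added)
check_nfs_principal() {
    host=$1
    short=${host%%.*}            # short name: everything before the first dot
    exact=""; near=""
    while read -r kvno princ; do
        case $princ in
            nfs/*) ;;            # only NFS service principals are of interest
            *) continue ;;       # header lines, host/ principals, etc.
        esac
        p=${princ#nfs/}          # strip the service name ...
        p=${p%%@*}               # ... and the realm, leaving the host part
        if [ "$p" = "$host" ]; then
            exact=$p
        elif [ "${p%%.*}" = "$short" ]; then
            near=$p
        fi
    done
    if [ -n "$exact" ]; then echo "OK: nfs/$exact found in keytab"; return 0; fi
    if [ -n "$near" ]; then
        echo "MISMATCH: keytab has nfs/$near, but the service expects nfs/$host"; return 1
    fi
    echo "MISSING: no nfs/ principal for $host in keytab"; return 2
}

# On a live host:  klist -k | check_nfs_principal "$(hostname)"
# Demo against the constructed listing (reports the FQDN/short-name mismatch):
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | check_nfs_principal nfs1.example.com || true
```

Run the check with the exact host-name form the service uses; a MISMATCH result means the keytab entry exists but was added under the other spelling.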

 

Ticket expired

Cause: Your tickets have expired.

Solution: Destroy your tickets with kdestroy and create new tickets with kinit.
