Sun Microsystems, Inc.
9. SEAM Error Messages and Troubleshooting
Common SEAM Error Messages (N-Z)

This section provides an alphabetical list (N-Z) of common error messages for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.

 

No credentials cache file found

Cause: Kerberos could not find the credentials cache (/tmp/krb5cc_uid).

Solution: Make sure that the credential file exists and is readable. If it isn't, try performing the kinit again.

 

Operation requires "privilege" privilege

Cause: The admin principal that was being used does not have the appropriate privilege configured in the kadm5.acl file.

Solution: Use a principal that has the appropriate privileges. Or, configure the principal that was being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with "/admin" as part of its name has the appropriate privileges.
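Before rerunning the failing kadmin operation it helps to know which privilege letters the admin principal actually holds. The following is an added example, not part of this documentation and not a Sun tool: a POSIX sh function that reads a kadm5.acl file and answers whether a given principal is granted a given privilege. It assumes the MIT-style line format (principal, permission letters, optional target principal), that the first matching line decides, that lowercase letters grant and uppercase letters deny, and that x or * grants everything. The wildcard in the ACL principal is matched as a shell glob, which is looser than the per-component matching kadmind performs, and the target column is ignored. The ACL written by write_demo_acl is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the SEAM documentation: answer "does this admin
# principal hold privilege X according to kadm5.acl?" before running kadmin.
# Assumptions (MIT-style kadm5.acl): each line is "principal perms [target]";
# the first matching line decides; lowercase letters grant, uppercase letters
# deny; "x" or "*" grants everything. The wildcard in the ACL principal is
# matched as a shell glob (looser than kadmind's per-component match) and the
# target column is ignored.

# Usage: kadm_acl_allows ACLFILE PRINCIPAL PRIVLETTER   -> exit 0 if granted
# Privilege letters: a add, d delete, m modify, c change password, i inquire, l list
kadm_acl_allows() {
    acl_file=$1
    want_principal=$2
    want_priv=$3
    deny_letter=$(printf '%s' "$want_priv" | tr '[:lower:]' '[:upper:]')
    while read -r acl_principal acl_perms _target; do
        case "$acl_principal" in ''|'#'*) continue ;; esac    # blank or comment line
        case "$want_principal" in
            $acl_principal) ;;          # unquoted on purpose: glob match, e.g. */admin@REALM
            *) continue ;;
        esac
        case "$acl_perms" in
            *"$deny_letter"*) return 1 ;;                    # explicit deny wins
            *"$want_priv"*|*x*|'*') return 0 ;;              # granted
        esac
        return 1                                             # matched line does not grant it
    done < "$acl_file"
    return 1                                                 # no line matched
}

# Writes a constructed ACL (not a real site's file) to the given path.
write_demo_acl() {
cat > "$1" <<'EOF'
# constructed kadm5.acl for the example
joe/admin@EXAMPLE.COM   ADMCIL
*/admin@EXAMPLE.COM     *
jane@EXAMPLE.COM        il
EOF
}

acl=$(mktemp)
write_demo_acl "$acl"
for p in joe/admin@EXAMPLE.COM bob/admin@EXAMPLE.COM jane@EXAMPLE.COM; do
    if kadm_acl_allows "$acl" "$p" a; then
        echo "$p: may add principals"
    else
        echo "$p: may not add principals"
    fi
done
rm -f "$acl"
```

In the constructed ACL, joe/admin is explicitly denied everything by the uppercase letters even though the */admin wildcard line that follows would grant it, which is why line order matters when you edit the real file.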

 

PAM-KRB5: Kerberos V5 authentication failed: password incorrect

Cause: Your UNIX password and your Kerberos password are different. Most non-Kerberized commands, such as login, are set up through PAM to authenticate with Kerberos automatically by using the same password that you specified as your UNIX password. If the passwords are different, the Kerberos authentication fails.

Solution: You must enter your Kerberos password when prompted.

 

Password is in the password dictionary

Cause: The password that you entered is in a password dictionary that is being used. Your password is not a good choice for a password.

Solution: Choose a password that has a mix of password classes.

 

Permission denied in replay cache code

Cause: The system's replay cache could not be opened. The server might have been first run under a user ID different from your current user ID.

Solution: Make sure that the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running (/usr/tmp/rc_service_name). Instead of changing the permissions on the current replay cache, you can also remove the replay cache before you run the Kerberized server under a different user ID.
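The two file checks described above, for the credentials cache under /tmp and for the replay cache under /usr/tmp, can be scripted. The following is an added example, not part of this documentation: a POSIX sh function that reports which condition applies to a given cache file (missing, owned by another user ID, or unreadable) with a distinct exit status for each. Ownership is compared by numeric uid using ls -ldn, which behaves the same across systems, unlike the stat(1) options that differ between them. The temporary file in the demo stands in for a replay cache and is constructed; the paths and uids passed in are the caller's.

```shell
#!/bin/sh
# Added example, not from the SEAM documentation. Diagnoses a Kerberos cache
# file: the credentials cache /tmp/krb5cc_<uid> or a replay cache
# /usr/tmp/rc_<service>. Ownership is compared by numeric uid using ls -ldn.

# Usage: check_cache_file PATH EXPECTED_UID
# Exit status: 0 usable, 1 missing, 2 owned by another uid, 3 not readable
check_cache_file() {
    path=$1
    expected_uid=$2
    if [ ! -e "$path" ]; then
        echo "$path: missing (for a credentials cache, run kinit again)"
        return 1
    fi
    owner_uid=$(ls -ldn "$path" | awk '{ print $3 }')
    if [ "$owner_uid" != "$expected_uid" ]; then
        echo "$path: owned by uid $owner_uid, expected $expected_uid" \
             "(for a replay cache, remove it before restarting the server as another user)"
        return 2
    fi
    if [ ! -r "$path" ]; then
        echo "$path: present but not readable by uid $(id -u)"
        return 3
    fi
    echo "$path: ok"
    return 0
}

# Demo: the current user's default credentials cache, then a constructed
# temporary file standing in for a replay cache that should belong to root.
check_cache_file "/tmp/krb5cc_$(id -u)" "$(id -u)"
demo_rc=$(mktemp)
check_cache_file "$demo_rc" 0          # uid 0 = root; reports a mismatch unless you are root
rm -f "$demo_rc"
```

The unreadable case is the only one the demo does not exercise, because root passes the -r test regardless of mode bits; on a real host the replay cache check should be run as the user the Kerberized server runs as.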

 

Protocol version mismatch

Cause: Most likely, a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution: Make sure that your applications are using the Kerberos V5 protocol.

 

Request is a replay

Cause: The request has already been sent to this server and processed. The tickets might have been stolen, and someone else is trying to reuse the tickets.

Solution: Wait for a few minutes and reissue the request.

 

Requested principal and ticket don't match

Cause: The service principal that you are connecting to and the service ticket that you have do not match.

Solution: Make sure that DNS is functioning properly. If you are using another vendor's software, make sure that the software is using principal names correctly.

 

Requested protocol version not supported

Cause: Most likely, a Kerberos V4 request was sent to the KDC. SEAM supports only the Kerberos V5 protocol.

Solution: Make sure that your applications are using the Kerberos V5 protocol.

 

Required parameters in krb5.conf missing while initializing kadmin interface

Cause: There is a missing parameter (such as the admin_server parameter) in the krb5.conf file.

Solution: Determine which parameter is missing and add it to the krb5.conf file.

 

Server rejected authentication (during sendauth exchange)

Cause: The server that you are trying to communicate with rejected the authentication. Most often this error occurs during Kerberos database propagation. Some common causes might be problems with the kpropd.acl file, DNS, or the keytab file.

Solution: If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.

 

Set gss service nfs@<host> failed. Check nfs service credential.

Cause: This message is generated by syslog after a share command has failed with an "invalid argument" message. The most likely cause is that either there is no keytab file or there is no NFS service principal in the keytab file.

Solution: To isolate the problem, run klist -k to see if the keytab file exists and if there is an NFS service principal for the host in the keytab file.

 

The ticket isn't for us

Ticket/authenticator don't match

Cause: There was a mismatch between the ticket and authenticator. The principal name in the request might not have matched the service principal's name, because the ticket was being sent with an FQDN name of the principal while the service expected non-FQDN, or vice versa.

Solution: If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.

 

Ticket expired

Cause: Your ticket has expired.

Solution: Destroy your tickets with kdestroy and create new tickets with kinit.

 

Ticket is ineligible for postdating

Cause: The principal does not allow its tickets to be postdated.

Solution: Modify the principal with kadmin to allow postdating.

 

Ticket not yet valid

Cause: The postdated ticket is not valid yet.

Solution: Create new tickets with the correct date, or wait until the current tickets are valid.

 

Truncated input file detected

Cause: The database dump file that was being used in the operation is not a complete dump file.

Solution: Create the dump file again, or use a different database dump file.

 

Wrong principal in request

Cause: There was an invalid principal name in the ticket. This error might indicate a DNS or FQDN problem.

Solution: Make sure that the principal of the service matches the principal in the ticket.

SEAM Troubleshooting

This section provides troubleshooting information for the SEAM software.

Problems Mounting a Kerberized NFS File System

  • If mounting a Kerberized NFS file system fails, make sure that the /var/tmp/rc_nfs file exists on the NFS server. If the file is not owned by root, remove it and try the mount again.

  • If you have a problem accessing a Kerberized NFS file system, make sure that there is an entry for gssd in the inetd.conf file on your system and the NFS server.

  • If you see either the invalid argument or bad directory error message when you are trying to access a Kerberized NFS file system, the problem might be that you are not using a fully qualified DNS name when you mount the NFS file system. In that case, the host that is being mounted is not the same as the host name part of the service principal in the server's keytab file.

    This problem might also occur if your server has multiple Ethernet interfaces, and you have set up DNS to use a "name per interface" scheme instead of a "multiple address records per host" scheme. For SEAM, you should set up multiple address records per host as follows [Ken Hornstein, "Kerberos FAQ," [http://www.nrl.navy.mil/CCS/people./kenh/kerberos-faq.html], accessed 11 December 1998.]:

    my.host.name.   A       1.2.3.4
                    A       1.2.4.4
                    A       1.2.5.4
    
    my-en0.host.name.       A       1.2.3.4
    my-en1.host.name.       A       1.2.4.4
    my-en2.host.name.       A       1.2.5.4
    
    4.3.2.1         PTR     my.host.name.
    4.4.2.1         PTR     my.host.name.
    4.5.2.1         PTR     my.host.name.

In this example, the setup allows one reference to the different interfaces and allows a single service principal instead of three service principals in the server's keytab file.
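The layout above can be verified mechanically: every address that the canonical host name resolves to should reverse-map to that same name, otherwise the host name part of the service principal will not match what a client derives from DNS. The following is an added example, not from this documentation and not a Sun tool: a POSIX sh/awk checker that reads records in the abbreviated form shown above (owner omitted on a continuation line, PTR owners written as reversed octets) and reports each address that does not round-trip. Both sample record sets are constructed; the first reproduces the recommended "multiple address records per host" scheme and the second the "name per interface" scheme the text warns against. Against a live server you would feed it the records you obtain from your resolver instead.

```shell
#!/bin/sh
# Added example, not from the SEAM documentation and not a Sun tool: verify
# that every A record of a host has a PTR record pointing back to the same
# name, i.e. the "multiple address records per host" layout. Assumes the
# abbreviated syntax used on this page: "owner A addr", a continuation line
# "A addr" inherits the previous owner, and PTR owners are reversed IPv4
# octets ("4.3.2.1 PTR my.host.name."). Records are read from stdin.

# Usage: check_forward_reverse HOSTNAME. < records
# Prints one line per address that fails; exit status is the number of such
# addresses (0 = consistent, 255 = the host has no A records at all).
check_forward_reverse() {
    awk -v host="$1" '
    function rev(ip,   p) { split(ip, p, "."); return p[4] "." p[3] "." p[2] "." p[1] }
    /^[ \t]*$/ || /^;/ { next }                    # blank and comment lines
    NF < 2  { next }
    NF == 2 { type = $1; rdata = $2 }              # owner omitted: same as previous line
    NF >= 3 { owner = $1; type = $2; rdata = $3 }
    type == "A"   { a[owner, rdata] = 1 }
    type == "PTR" { ptr[owner] = rdata }
    END {
        bad = 0; seen = 0
        for (k in a) {
            split(k, f, SUBSEP)
            if (f[1] != host) continue             # only the service principal host matters
            seen++
            r = rev(f[2])
            if (!(r in ptr))
                { print "no PTR for " f[2] " (" host ")"; bad++ }
            else if (ptr[r] != host)
                { print "PTR for " f[2] " is " ptr[r] ", expected " host; bad++ }
        }
        if (seen == 0) { print "no A records for " host; exit 255 }
        exit bad
    }'
}

# Constructed records in the recommended layout: every PTR names the
# canonical host, the per-interface names are forward-only aliases.
sample_zone_per_host() {
cat <<'EOF'
my.host.name.   A       1.2.3.4
                A       1.2.4.4
                A       1.2.5.4
my-en0.host.name.       A       1.2.3.4
my-en1.host.name.       A       1.2.4.4
my-en2.host.name.       A       1.2.5.4
4.3.2.1         PTR     my.host.name.
4.4.2.1         PTR     my.host.name.
4.5.2.1         PTR     my.host.name.
EOF
}

# Constructed counter-example in the "name per interface" layout: each PTR
# names the interface, so none of the canonical host's addresses round-trip.
sample_zone_per_interface() {
cat <<'EOF'
my.host.name.   A       1.2.3.4
                A       1.2.4.4
                A       1.2.5.4
4.3.2.1         PTR     my-en0.host.name.
4.4.2.1         PTR     my-en1.host.name.
4.5.2.1         PTR     my-en2.host.name.
EOF
}

echo "recommended layout:"
sample_zone_per_host | check_forward_reverse my.host.name. && echo "  consistent"
echo "name-per-interface layout:"
sample_zone_per_interface | check_forward_reverse my.host.name. || echo "  $? address(es) fail"
```

The checker deliberately ignores the my-en0, my-en1 and my-en2 names: they only need to resolve forward, and a service principal is never built from them, so a PTR pointing elsewhere for those names is not an error.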

Problems Authenticating as root

If authentication fails when you try to become superuser on your system and you have already added the root principal to your host's keytab file, there are two potential problems to check. First, make sure that the root principal in the keytab file has a fully-qualified name as its instance. If it does, check the /etc/resolv.conf file to make sure that the system is correctly set up as a DNS client.

 
 
 