Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
22. Kerberos Error Messages and Troubleshooting
This section provides information about Kerberos error messages, including why each error occurs and a way to fix it.
Unable to view the list of principals or policies; use the Name field.
Cause: The admin principal that you logged in with does not have the list privilege (l) in the Kerberos ACL file (kadm5.acl). So, you cannot view the principal list or policy list.
Solution: You must type the principal and policy names in the Name field to work on them, or you need to log in with a principal that has the appropriate privileges.
JNI: Java array creation failed
JNI: Java class lookup failed
JNI: Java field lookup failed
JNI: Java method lookup failed
JNI: Java object lookup failed
JNI: Java object field lookup failed
JNI: Java string access failed
JNI: Java string creation failed
Cause: A serious problem exists with the Java Native Interface that is used by the SEAM Tool (gkadmin).
Solution: Exit gkadmin and restart it. If the problem persists, please report a bug.
This section provides an alphabetical list (A-M) of common error messages for the Kerberos commands, Kerberos daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.
All authentication systems disabled; connection refused
Cause: This version of rlogind does not support any authentication mechanism.
Solution: Make sure that rlogind is invoked with the -k option.
Another authentication mechanism must be used to access this host
Cause: Authentication could not be done.
Solution: Make sure that the client is using Kerberos V5 mechanism for authentication.
Authentication negotiation has failed, which is required for encryption. Good bye.
Cause: Authentication could not be negotiated with the server.
Solution: Start authentication debugging by invoking the telnet command with the toggle authdebug command and look at the debug messages for further clues. Also, make sure that you have valid credentials.
Bad krb5 admin server hostname while initializing kadmin interface
Cause: An invalid host name is configured for admin_server in the krb5.conf file.
Solution: Make sure that the correct host name for the master KDC is specified on the admin_server line in the krb5.conf file.
Bad lifetime value
Cause: The lifetime value provided is not valid or incorrectly formatted.
Solution: Make sure that the value provided is consistent with the Time Formats section in the kinit(1) man page.
Bad start time value
Cause: The start time value provided is not valid or incorrectly formatted.
Solution: Make sure that the value provided is consistent with the Time Formats section in the kinit(1) man page.
Cannot contact any KDC for requested realm
Cause: No KDC responded in the requested realm.
Solution: Make sure that at least one KDC (either the master or a slave) is reachable and that the krb5kdc daemon is running on it. Check the /etc/krb5/krb5.conf file for the list of configured KDCs (kdc = kdc-name).
Cannot determine realm for host: host is 'hostname'
Cause: Kerberos cannot determine the realm name for the host.
Solution: Make sure that there is a default realm name, or that the domain name mappings are set up in the Kerberos configuration file (krb5.conf).
Cannot find a kadmin KDC entry in krb5.conf(4) or DNS Service Location records for realm 'realmname'
Cannot find a kpassword KDC entry in krb5.conf(4) or DNS Service Location records for realm 'realmname'
Cannot find a master KDC entry in krb5.conf(4) or DNS Service Location records for realm 'realmname'
Cannot find any KDC entries in krb5.conf(4) or DNS Service Location records for realm 'realmname'
Cause: Either the krb5.conf file or the DNS server record is incorrectly configured.
Solution: Make sure that the Kerberos configuration file (/etc/krb5/krb5.conf) or that the DNS server records for the KDC are configured properly.
Cannot find address for 'hostname': 'error-string'
Cause: No address was found in the DNS records for the given hostname.
Solution: Fix the host record in DNS or correct the error in the DNS lookup process.
Cannot find KDC for requested realm
Cause: No KDC was found in the requested realm.
Solution: Make sure that the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.
cannot initialize realm realm-name
Cause: The KDC might not have a stash file.
Solution: Make sure that the KDC has a stash file. If not, create a stash file by using the kdb5_util command, and try restarting the krb5kdc command.
Cannot resolve KDC for requested realm
Cause: Kerberos cannot determine any KDC for the realm.
Solution: Make sure that the Kerberos configuration file (krb5.conf) specifies a KDC in the realm section.
Cannot resolve network address for KDCs 'hostname' discovered via DNS Service Location records for realm 'realm-name'
Cannot resolve network address for KDCs 'hostname' specified in krb5.conf(4) for realm 'realm-name'
Cause: Either the krb5.conf file or the DNS server record is incorrectly configured.
Solution: Make sure that the Kerberos configuration file (/etc/krb5/krb5.conf) and the DNS server records for the KDC are configured properly.
Cannot reuse password
Cause: The password that you specified has been used before by this principal.
Solution: Choose a password that has not been used before, or at least not within the number of old passwords that the KDC keeps for each principal. That number is set by the principal's policy.
Can't get forwarded credentials
Cause: Credential forwarding could not be established.
Solution: Make sure that the principal has forwardable credentials.
Can't open/find Kerberos configuration file
Cause: The Kerberos configuration file (krb5.conf) was unavailable.
Solution: Make sure that the krb5.conf file is available in the correct location and has the correct permissions. This file should be writable only by root and readable by everyone else.
Client 'principal' not found in Kerberos database
Cause: The principal is missing from the Kerberos database.
Solution: Add the client principal to the Kerberos database.
Client 'principal' pre-authentication failed
Cause: Authentication failed for the principal.
Solution: Make sure that the user is using the correct password.
Client did not supply required checksum--connection rejected
Cause: Authentication with a checksum was not negotiated with the client. The client might be using an old Kerberos V5 implementation that does not support the initial connection (checksum) exchange.
Solution: Make sure that the client is using a Kerberos V5 protocol that supports initial connection support.
Client/server realm mismatch in initial ticket request: 'client-principal' requesting ticket 'service-principal'
Cause: A realm mismatch between the client and server occurred in the initial ticket request.
Solution: Make sure that the server you are communicating with is in the same realm as the client, or that the realm configurations are correct.
Client or server has a null key
Cause: The principal has a null key.
Solution: Modify the principal to have a non-null key by using the cpw command of kadmin.
Clock skew too great: 'client' requesting ticket 'service-principal' from KDC 'KDC-hostname' (KDC-time). Skew is value
Clock skew too great: 'client' AP request with ticket for 'service-principal'. Skew is value (allowable value)
Cause: The difference between the time reported on the client and the KDC server or application server is too large.
Solution: Configure the Network Time Protocol (NTP) to keep the clocks synchronized. See Synchronizing Clocks Between KDCs and Kerberos Clients for more information.
Communication failure with server while initializing kadmin interface
Cause: The host that was specified for the admin server, also called the master KDC, did not have the kadmind daemon running.
Solution: Make sure that you specified the correct host name for the master KDC. If you specified the correct host name, make sure that kadmind is running on the master KDC that you specified.
Credentials cache file permissions incorrect
Cause: You do not have the appropriate read or write permissions on the credentials cache (/tmp/krb5cc_uid).
Solution: Make sure that you have read and write permissions on the credentials cache.
Credentials cache I/O operation failed XXX
Cause: Kerberos had a problem writing to the system's credentials cache (/tmp/krb5cc_uid).
Solution: Make sure that the credentials cache has not been removed, and that there is space left on the device by using the df command.
Decrypt integrity check failed
Cause: You might have an invalid ticket.
Solution: Verify both of these conditions:
Make sure that your credentials are valid. Destroy your tickets with kdestroy, and create new tickets with kinit.
Make sure that the target host has a keytab file with the correct version of the service key. Use kadmin to view the key version number of the service principal (for example, host/FQDN-hostname) in the Kerberos database. Also, use klist -k on the target host to make sure that it has the same key version number.
Decrypt integrity check failed for client 'principal' and server 'hostname'
Cause: You might have an invalid ticket.
Solution: Make sure that your credentials are valid. Destroy your tickets with the kdestroy command, and create new tickets with the kinit command.
Encryption could not be enabled. Goodbye.
Cause: Encryption could not be negotiated with the server.
Solution: Start authentication debugging by invoking the telnet command with the toggle encdebug command and look at the debug messages for further clues.
Failed to find realm for principal in keytab
Cause: The realm name included in the principal does not match the realm name in the principal stored in the keytab file.
Solution: Make sure that the principals are using the correct realm.
failed to obtain credentials cache
Cause: During kadmin initialization, a failure occurred when kadmin tried to obtain credentials for the admin principal.
Solution: Make sure that you used the correct principal and password when you executed kadmin.
Field is too long for this implementation
Cause: The message that was being sent by a Kerberized application was too long. This error can occur when the transport protocol is UDP, which has a maximum message size of 65535 bytes. In addition, there are limits on individual fields within a protocol message that is sent by the Kerberos service.
Solution: Verify that you have not restricted the transport to UDP in the KDC server's /etc/krb5/kdc.conf file.
GSS-API (or Kerberos) error
Cause: This message is a generic GSS-API or Kerberos error message and can be caused by several different problems.
Solution: Check the /var/krb5/kdc.log file to find the more specific error message that was logged when this error occurred.
Hostname cannot be canonicalized for 'hostname': 'error-string'
Cause: The Kerberos client cannot find the fully qualified host name for the server.
Solution: Make sure that the server host name is defined in DNS and that the hostname-to-address and address-to-hostname mappings are consistent.
Illegal cross-realm ticket
Cause: The ticket that was sent did not carry the correct cross-realm path. The realms might not have the correct trust relationships set up.
Solution: Make sure that the realms you are using have the correct trust relationships.
Improper format of Kerberos configuration file
Cause: The Kerberos configuration file has invalid entries.
Solution: Make sure that all the relations in the krb5.conf file are followed by the “=” sign and a value. Also, verify that the brackets are present in pairs for each subsection.
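The two checks named in the solution above (every relation is followed by "=" and a value, and every "{" has a matching "}") are easy to automate before restarting a client or KDC. The following script is an added example, not part of the Oracle documentation; it also verifies that each realm under [realms] has at least one kdc relation, which is the krb5.conf side of the "Cannot find KDC for requested realm" and "Cannot resolve KDC for requested realm" messages listed earlier. The two configuration texts it checks are constructed for this example.

```python
"""Syntax check for a krb5.conf file (added example, not Oracle's code).

Reports relations without '=' or without a value, unbalanced '{' '}',
and realms in [realms] that have no kdc relation.
"""
import re

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")
RELATION_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def check_krb5_conf(text):
    """Return a list of (line_number, message); an empty list means OK.

    line_number 0 marks problems detected only at end of file.
    """
    problems = []
    depth = 0              # current subsection nesting level
    section = None         # name of the current [section]
    realm_stack = []       # realm whose top-level subsection is open
    realms_with_kdc = {}   # realm -> True once a kdc relation is seen

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            if depth:
                problems.append((lineno, "section header inside an unclosed subsection"))
                depth, realm_stack = 0, []
            section = m.group(1)
            continue
        if line == "}":
            if depth == 0:
                problems.append((lineno, "unmatched '}'"))
            else:
                depth -= 1
                if section == "realms" and depth == 0 and realm_stack:
                    realm_stack.pop()
            continue
        m = RELATION_RE.match(line)
        if not m:
            problems.append((lineno, "relation without '=': %r" % line))
            continue
        tag, value = m.group(1), m.group(2)
        if value == "{":                  # relation opens a subsection
            depth += 1
            if section == "realms" and depth == 1:
                realm_stack.append(tag)
                realms_with_kdc.setdefault(tag, False)
        elif value == "":
            problems.append((lineno, "relation %r has no value" % tag))
        elif section == "realms" and realm_stack and tag == "kdc":
            realms_with_kdc[realm_stack[-1]] = True

    if depth:
        problems.append((0, "%d unclosed '{'" % depth))
    for realm, has_kdc in sorted(realms_with_kdc.items()):
        if not has_kdc:
            problems.append((0, "realm %s has no kdc relation" % realm))
    return problems


# Constructed sample: a well-formed file.
GOOD_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
"""

# Constructed sample: missing '=', missing '}', and a realm with no kdc.
BAD_CONF = """\
[libdefaults]
        default_realm EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                admin_server = kdc1.example.com
        # closing brace forgotten here

[domain_realm]
        .example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, check_krb5_conf(conf) or "OK")
```

Run it against /etc/krb5/krb5.conf by reading the file into check_krb5_conf(); a non-empty result explains which line produced "Improper format of Kerberos configuration file" before the library does.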
Inappropriate type of checksum in message
Cause: The message contained an invalid checksum type.
Solution: Check which valid checksum types are specified in the krb5.conf and kdc.conf files.
Incorrect net address
Cause: The network address in the ticket was different from the network address where the ticket was processed. This message typically occurs when tickets are being forwarded.
Solution: Make sure that the network addresses are correct. Destroy your tickets with kdestroy, and create new tickets with kinit.
Invalid credential was supplied
Service key not available
Cause: The service ticket in the credentials cache may be incorrect.
Solution: Destroy current credential cache and rerun kinit before trying to use this service.
Invalid flag for file lock mode
Cause: An internal Kerberos error occurred.
Solution: Please report a bug.
Invalid message type specified for encoding
Cause: Kerberos could not recognize the message type that was sent by the Kerberized application.
Solution: If you are using a Kerberized application that was developed by your site or a vendor, make sure that it is using Kerberos correctly.
Invalid number of character classes
Cause: The password that you specified for the principal does not contain enough password classes, as enforced by the principal's policy.
Solution: Make sure that you specify a password with the minimum number of password classes that the policy requires.
KADM err: Memory allocation failure
Cause: There is insufficient memory to run kadmin.
Solution: Free up memory and try running kadmin again.
kadmin: Bad encryption type while changing host/FQDN's key
Cause: Newer releases include more default encryption types in the base release, so a client can request encryption types that a KDC running an older version of the software does not support.
Solution: Several solutions exist to fix this problem. The easiest one to implement is listed first:
Add the SUNWcry and SUNWcryr packages to the KDC server. This increases the number of encryption types supported by the KDC.
Set permitted_enctypes in krb5.conf on the client to not include the aes256 encryption type. This step will need to be done on each new client.
KDC can't fulfill requested option
Cause: The KDC did not allow the requested option. A possible problem might be that postdating or forwardable options were being requested, and the KDC did not allow them. Another problem might be that you requested the renewal of a TGT, but you didn't have a renewable TGT.
Solution: Determine if you are either requesting an option that the KDC does not allow or a type of ticket that is not available.
KDC policy rejects request
Cause: The KDC policy did not allow the request. For example, the request to the KDC did not include an IP address, or forwarding was requested but the KDC does not allow it.
Solution: Make sure that you are using kinit with the correct options. If necessary, modify the policy that is associated with the principal or change the principal's attributes to allow the request. You can modify the policy or principal by using kadmin.
KDC reply did not match expectation: KDC not found. Probably got an unexpected realm referral
Cause: The KDC reply did not contain the expected principal name, or other values in the response were incorrect.
Solution: Make sure that the KDC you are communicating with complies with RFC4120, that the request you are sending is a Kerberos V5 request, and that the KDC is available.
kdestroy: Could not obtain principal name from cache
Cause: The credentials cache is missing or corrupted.
Solution: Check that the cache location provided is correct. Remove and obtain a new TGT by using kinit, if necessary.
kdestroy: No credentials cache file found while destroying cache
Cause: The credentials cache (/tmp/krb5cc_uid) is missing or corrupted.
Solution: Check that the cache location provided is correct. Remove and obtain a new TGT using kinit, if necessary.
kdestroy: TGT expire warning NOT deleted
Cause: The credentials cache is missing or corrupted.
Solution: Check that the cache location provided is correct. Remove and obtain a new TGT using kinit, if necessary.
Kerberos authentication failed
Cause: The Kerberos password is either incorrect or the password might not be synchronized with the UNIX password.
Solution: If the passwords are not synchronized, then you must specify a different password to complete Kerberos authentication. It is possible that the user has forgotten their original password.
Kerberos V5 refuses authentication
Cause: Authentication could not be negotiated with the server.
Solution: Start authentication debugging by invoking the telnet command with the toggle authdebug command and look at the debug messages for further clues. Also, make sure that you have valid credentials.
Key table entry not found
Cause: No entry exists for the service principal in the network application server's keytab file.
Solution: Add the appropriate service principal to the server's keytab file so that it can provide the Kerberized service.
Key table file 'filename' not found
Cause: The named key table file does not exist.
Solution: Create the key table file.
Key version number is not available for principal principal
Cause: The key version number (kvno) of the key in the ticket does not match the kvno of the service key held on the application server.
Solution: Check the kvno of the keys on the application server by using the klist -k command, and compare it with the kvno of the service principal in the Kerberos database (the getprinc command of kadmin).
Key version number for principal in key table is incorrect
Cause: A principal's key version in the keytab file is different from the version in the Kerberos database. Either a service's key has been changed, or you might be using an old service ticket.
Solution: If a service's key has been changed (for example, by using kadmin), you need to extract the new key and store it in the host's keytab file where the service is running.
Alternately, you might be using an old service ticket that has an older key. You might want to run the kdestroy command and then the kinit command again.
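The kvno comparison recommended here and under "Decrypt integrity check failed" (klist -k on the application server against getprinc in kadmin) can be scripted. The following is an added example, not part of the Oracle documentation: it parses the two command outputs and reports whether the keytab holds the kvno the KDC currently uses. The outputs below are constructed samples, and their layout is assumed to follow the MIT-style format that Solaris prints; adjust the regular expressions if your output differs.

```python
"""Compare keytab kvnos with the KDC database (added example, not Oracle's).

Feed it the text of 'klist -k' from the application server and of
'kadmin -q "getprinc service/host"' for the same service principal.
"""
import re

KLIST_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
GETPRINC_PRINC_RE = re.compile(r"^Principal:\s+(\S+)\s*$")
GETPRINC_KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s*([^,\s]+)")


def parse_klist_k(text):
    """Map each principal in 'klist -k' output to the set of kvnos present."""
    kvnos = {}
    for line in text.splitlines():
        m = KLIST_LINE_RE.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos


def parse_getprinc(text):
    """Return (principal, current kvno, enctypes) from 'getprinc' output.

    The KDC's current kvno is taken as the highest vno among the Key: lines.
    """
    principal, vnos, enctypes = None, set(), []
    for line in text.splitlines():
        m = GETPRINC_PRINC_RE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = GETPRINC_KEY_RE.match(line)
        if m:
            vnos.add(int(m.group(1)))
            enctypes.append(m.group(2))
    if principal is None or not vnos:
        raise ValueError("getprinc output lacks Principal: or Key: lines")
    return principal, max(vnos), enctypes


def keytab_matches_kdc(klist_text, getprinc_text):
    """Return (ok, detail); ok is True when the keytab has the KDC's kvno."""
    principal, kdc_vno, _ = parse_getprinc(getprinc_text)
    keytab_vnos = parse_klist_k(klist_text).get(principal)
    if keytab_vnos is None:
        return False, "%s is not in the keytab (Key table entry not found)" % principal
    if kdc_vno not in keytab_vnos:
        return False, ("keytab has kvno %s for %s but the KDC has kvno %d; "
                       "re-extract the key with the ktadd command of kadmin"
                       % (sorted(keytab_vnos), principal, kdc_vno))
    return True, "keytab kvno %d for %s matches the KDC" % (kdc_vno, principal)


# Constructed sample output of 'klist -k' on the application server.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/app1.example.com@EXAMPLE.COM
   3 host/app1.example.com@EXAMPLE.COM
   2 nfs/app1.example.com@EXAMPLE.COM
"""

# Constructed sample output of 'getprinc' after the host key was changed.
SAMPLE_GETPRINC_HOST = """\
Principal: host/app1.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96, no salt
Key: vno 4, aes128-cts-hmac-sha1-96, no salt
Policy: [none]
"""

# Constructed sample output of 'getprinc' for a key that was not changed.
SAMPLE_GETPRINC_NFS = """\
Principal: nfs/app1.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
"""

if __name__ == "__main__":
    for out in (SAMPLE_GETPRINC_HOST, SAMPLE_GETPRINC_NFS):
        print(keytab_matches_kdc(SAMPLE_KLIST_K, out)[1])
```

A False result for a host/ principal means the keytab is stale; a missing entry is the "Key table entry not found" case listed below.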
kinit: gethostname failed
Cause: An error in the local network configuration is causing kinit to fail.
Solution: Make sure that the host is configured correctly.
login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1
Cause: Either the Kerberos PAM module is missing or it is not a valid executable binary.
Solution: Make sure that the Kerberos PAM module is in the /usr/lib/security directory and that it is a valid executable binary. Also, make sure that the /etc/pam.conf file contains the correct path to pam_krb5.so.1.
Looping detected getting initial creds: 'client-principal' requesting ticket 'service-principal'. Max loops is value. Make sure a KDC is available.
Cause: Kerberos made several attempts to get the initial tickets but failed.
Solution: Make sure that at least one KDC is responding to authentication requests.
Master key does not match database
Cause: The loaded database dump was not created from a database that contains the master key. The master key is located in /var/krb5/.k5.REALM.
Solution: Make sure that the master key in the loaded database dump matches the master key that is located in /var/krb5/.k5.REALM.
Matching credential not found
Cause: The matching credential for your request was not found. Your request requires credentials that are unavailable in the credentials cache.
Solution: Destroy your tickets with kdestroy, and create new tickets with kinit.
Message out of order
Cause: Messages that were sent using sequential-order privacy arrived out of order. Some messages might have been lost in transit.
Solution: You should reinitialize the Kerberos session.
Message stream modified
Cause: There was a mismatch between the computed checksum and the message checksum. The message might have been modified while in transit, which can indicate tampering.
Solution: Make sure that the messages are being sent across the network correctly. Because this message can also indicate the possible tampering of messages while they are being sent, destroy your tickets using kdestroy and reinitialize the Kerberos services that you are using.
This section provides an alphabetical list (N-Z) of common error messages for the Kerberos commands, Kerberos daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.
No credentials cache file found
Cause: Kerberos could not find the credentials cache (/tmp/krb5cc_uid).
Solution: Make sure that the credential file exists and is readable. If it isn't, try performing kinit again.
No credentials were supplied, or the credentials were unavailable or inaccessible
No credential cache found
Cause: The user's credential cache is incorrect or does not exist.
Solution: The user should run kinit before trying to start the service.
No credentials were supplied, or the credentials were unavailable or inaccessible
No principal in keytab ('filename') matches desired name principal
Cause: An error occurred during an attempt to authenticate the server.
Solution: Make sure that the host or service principal is in the server's keytab file.
Operation requires “privilege” privilege
Cause: The admin principal that was being used does not have the appropriate privilege configured in the kadm5.acl file.
Solution: Use a principal that has the appropriate privileges. Or, configure the principal that was being used to have the appropriate privileges by modifying the kadm5.acl file. Usually, a principal with /admin as part of its name has the appropriate privileges.
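This error and the SEAM Tool message "Unable to view the list of principals or policies" at the top of the page both come from the kadm5.acl lookup: the first line whose principal pattern matches the authenticated admin principal supplies the privilege letters, and the operation is refused if the required letter is absent. The following script is an added example, not part of the Oracle documentation, that reproduces that lookup so you can test a proposed kadm5.acl offline. It assumes the documented letters a, d, m, c, i, l, s plus x or * for all privileges, that an upper-case letter revokes its privilege, and that "*" in a pattern matches one whole name component; a pattern without a realm is taken to match any realm, which is a simplification. The ACL text is constructed for this example.

```python
"""Resolve kadm5.acl privileges for an admin principal (added example).

Not Oracle's code. First matching ACL line wins, as kadmind does.
"""

ALL_PRIVS = "admcils"          # privilege letters documented for kadm5.acl
PRIV_NAMES = {"a": "add", "d": "delete", "m": "modify", "c": "changepw",
              "i": "inquire", "l": "list", "s": "setkey"}


def split_principal(name):
    """'kws/admin@EXAMPLE.COM' -> (['kws', 'admin'], 'EXAMPLE.COM')."""
    if "@" in name:
        base, realm = name.rsplit("@", 1)
    else:
        base, realm = name, ""
    return base.split("/"), realm


def pattern_matches(pattern, principal):
    """Component-wise match; '*' matches any single component or the realm.

    Assumption: a pattern with no '@realm' matches any realm.
    """
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(principal)
    if len(p_comps) != len(n_comps):
        return False
    if p_realm not in ("*", "") and p_realm != n_realm:
        return False
    return all(p == "*" or p == n for p, n in zip(p_comps, n_comps))


def expand_privs(field):
    """Turn a privilege field such as 'cil', '*' or 'xL' into a set of letters."""
    privs = set()
    for ch in field:
        if ch in "x*":
            privs |= set(ALL_PRIVS)       # all privileges
        elif ch in ALL_PRIVS:
            privs.add(ch)                 # lower case grants
        elif ch.lower() in ALL_PRIVS:
            privs.discard(ch.lower())     # upper case revokes
    return privs


def privileges_for(acl_text, principal):
    """Return the privilege set from the first ACL line matching principal."""
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()             # pattern, privileges, [target], ...
        if len(fields) < 2:
            continue
        if pattern_matches(fields[0], principal):
            return expand_privs(fields[1])
    return set()                          # no line matches: no privileges


def check_operation(acl_text, principal, priv):
    """Return None if priv is granted, else the error text the page lists."""
    if priv in privileges_for(acl_text, principal):
        return None
    return 'Operation requires "%s" privilege' % PRIV_NAMES.get(priv, priv)


# Constructed kadm5.acl for this example.
SAMPLE_ACL = """\
# anyone with a /admin instance gets everything
*/admin@EXAMPLE.COM   *
# a helpdesk account that may change passwords, inquire and list
kws@EXAMPLE.COM       cil
# an operator account with every privilege except list (l)
ops@EXAMPLE.COM       admcis
"""

if __name__ == "__main__":
    for who in ("kws/admin@EXAMPLE.COM", "kws@EXAMPLE.COM", "ops@EXAMPLE.COM"):
        print(who, sorted(privileges_for(SAMPLE_ACL, who)),
              check_operation(SAMPLE_ACL, who, "l"))
```

In the sample, ops@EXAMPLE.COM has every privilege except l, so it can administer principals by name but sees the "Unable to view the list" message in gkadmin, which is exactly the situation described at the top of this page.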
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
Cause: The remote application tried to read the host's service principal in the local /etc/krb5/krb5.keytab file, but one does not exist.
Solution: Add the host's service principal to the host's keytab file.
Password is in the password dictionary
Cause: The password that you specified is in a password dictionary that is being used. Your password is not a good choice for a password.
Solution: Choose a password that is not a dictionary word and that has a mix of password classes.
Permission denied in replay cache code
Cause: The system's replay cache could not be opened. Your server might have been first run under a user ID different than your current user ID.
Solution: Make sure that the replay cache has the appropriate permissions. The replay cache is stored on the host where the Kerberized server application is running. The replay cache file is called /var/krb5/rcache/rc_service_name_uid for non-root users. For root users the replay cache file is called /var/krb5/rcache/root/rc_service_name.
Protocol version mismatch
Cause: Most likely, a Kerberos V4 request was sent to the KDC. The Kerberos service supports only the Kerberos V5 protocol.
Solution: Make sure that your applications are using the Kerberos V5 protocol.
Request is a replay
Cause: The request has already been sent to this server and processed. The tickets might have been stolen, and someone else is trying to reuse the tickets.
Solution: Wait for a few minutes, and reissue the request. If the error recurs without an obvious cause, treat the tickets as potentially stolen: destroy them with kdestroy and obtain new ones with kinit.
Requested principal and ticket don't match: Requested principal is 'service-principal' and TGT principal is 'TGT-principal'
Cause: The service principal that you are connecting to and the service ticket that you have do not match.
Solution: Make sure that DNS is functioning properly. If you are using another vendor's software, make sure that the software is using principal names correctly.
Requested protocol version not supported
Cause: Most likely, a Kerberos V4 request was sent to the KDC. The Kerberos service supports only the Kerberos V5 protocol.
Solution: Make sure that your applications are using the Kerberos V5 protocol.
Service key service-principal not available
Cause: The named service principal is not in the keytab file on the application server.
Solution: Make sure that the service principal matches or is included in the keytab file on the application server.
Server refused to negotiate authentication, which is required for encryption. Good bye.
Cause: The remote application is not capable or has been configured not to accept Kerberos authentication from the client.
Solution: Provide a remote application that can negotiate authentication or configure the application to use the appropriate flags to turn on authentication.
Server refused to negotiate encryption. Good bye.
Cause: Encryption could not be negotiated with the server.
Solution: Start authentication debugging by invoking the telnet command with the toggle encdebug command and look at the debug messages for further clues.
Server rejected authentication (during sendauth exchange)
Cause: The server that you are trying to communicate with rejected the authentication. Most often, this error occurs during Kerberos database propagation. Some common causes might be problems with the kpropd.acl file, DNS, or the keytab file.
Solution: If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.
Server service-principal not found in Kerberos database
Cause: The service principal is not correct or is missing from the principal database.
Solution: Make sure that the service principal is correct and that it is in the database.
Target name principal 'principal' does not match service-principal
Cause: The service principal that is being used does not match the service principal that the application server is using.
Solution: On the application server, make sure that the service principal is included in the keytab file. For the client, make sure that the correct service principal is being used.
The ticket isn't for us
Ticket/authenticator don't match
Cause: There was a mismatch between the ticket and the authenticator. The principal name in the request might not have matched the service principal's name, either because the ticket was sent with an FQDN name of the principal while the service expected a non-FQDN name, or because a non-FQDN name was sent when the service expected an FQDN name.
Solution: If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.
Ticket expired
Cause: Your ticket has expired.
Solution: Destroy your tickets with kdestroy, and create new tickets with kinit.
Ticket is ineligible for postdating
Cause: The principal does not allow its tickets to be postdated.
Solution: Modify the principal with kadmin to allow postdating.
Ticket not yet valid: 'client-principal' requesting ticket 'service-principal' from 'kdc-hostname' (time). TGT start time is time.
Cause: The postdated ticket is not yet valid.
Solution: Create a new ticket with the correct date, or wait until the current ticket is valid.
Truncated input file detected
Cause: The database dump file that was being used in the operation is not a complete dump file.
Solution: Create the dump file again, or use a different database dump file.
Unable to securely authenticate user ... exit
Cause: Authentication could not be negotiated with the server.
Solution: Start authentication debugging by invoking the telnet command with the toggle authdebug command and look at the debug messages for further clues. Also, make sure that you have valid credentials.
Unknown encryption type: name
Cause: The encryption type that is included with the credential cannot be used.
Solution: Determine which encryption types the client is using with the klist -e command. Make sure that the application server supports at least one of the encryption types.
Wrong principal in request
Cause: There was an invalid principal name in the ticket. This error might indicate a DNS or FQDN problem.
Solution: Make sure that the principal of the service matches the principal in the ticket.