| 2503-000 | Could not read master key. |
Explanation: The command attempted to read the Kerberos master key, but was unsuccessful. Some commands prompt you to enter the master key manually. Others attempt to read the cached master key from the /.k file.
User Response: If you were prompted for the key, retry the command. If problem still occurs, follow local error reporting procedures. If the command could not get the key from the /.k file, create that file again by issuing the kstash command.
| 2503-001 | Could not get local realm. |
Explanation: The local realm name is required. It could not be read from the /etc/krb.conf file.
User Response: Check the krb.conf file for the local realm name in the first line. Fix the file using an editor or use remote copy or ftp to obtain a copy of the correct file from another host in your SP system.
| 2503-002 | bind() error error_text |
Explanation: The bind system call was not successful, attempting to bind the socket. Kerberos daemon command failed to initialize because it could not bind its socket to the port for the required service: for the kerberos daemon, the "kerberos4" service using udp; for kadmind, the "kerberos_master" service using tcp; or for kpropd, the "krb_prop" service using tcp. If these are not defined in the /etc/services file, Kerberos uses ports 750, 751, and 754 respectively.
User Response: If you have other applications that use these default Kerberos 4 port numbers, select other unused port numbers between 0 and 1023, and add appropriate entries to the /etc/services file.
| 2503-003 | fork() error: error_text |
Explanation: The Kerberos daemon command was unable to fork a child process. It may have had a problem initializing or may be unable to process a client request, once initialized.
User Response: The system probably has too many processes running, perhaps due to a spawning loop. Use the ps command to identify the runaway process and kill it. Then kill the Kerberos daemon process to allow init to spawn it again.
| 2503-004 | accept() error: error_text |
Explanation: The kadmind or kpropd daemon was unsuccessful initializing because the TCP/IP accept function had a problem. The error is explained further by the error text in the message.
User Response: Take appropriate corrective action based on the particular error reported in the message. If the daemon cannot be started, contact the IBM Support Center.
| 2503-005 | malloc() No memory. |
Explanation: The command could not complete because the system could not allocate the necessary memory. Because small memory amounts are involved, there may be a memory leak that has critically affected system operation.
User Response: Contact the IBM Support Center.
| 2503-006 | Incorrect flag: flag |
Explanation: You issued the kdb_edit or kprop command using an option flag which was not valid.
User Response: Reissue the command using the proper syntax. If you have correctly followed the required syntax, contact the IBM Support Center.
| 2503-007 | Could not open database: error_text |
Explanation: The kerberos or kadmind daemon could not open the authentication database files. The particular error condition is further explained in the message text.
User Response: Take appropriate recovery action based on the particular error, killing the unsuccessful daemon if necessary and restarting. If the database is damaged or has been deleted, you will have to recreate it using the setup_authent command. If you are unable to recover, contact the IBM Support Center.
| 2503-008 | open() error: error_text |
Explanation: The command was unsuccessful because it must read or write this file, and it could not be opened. The message text includes more information about the particular problem encountered.
User Response: Take appropriate recovery action based on the particular error, then retry the command or kill and restart the daemon. If you are unable to recover, contact the IBM Support Center.
| 2503-009 | Error on file file name error_text |
Explanation: The command could not access a file due the reason indicated in the message text.
User Response: Take appropriate recovery action based on the particular error, then retry the command. If you are unable to recover, contact the IBM Support Center.
| 2503-010 | gethostname() error: error_text |
Explanation: The kerberos daemon, the kpropd daemon, or the kprop command was unable to obtain from the AIX system the local hostname.
User Response: Retry the command. If you are unable to recover, contact the IBM Support Center.
| 2503-011 | getsockname() error_text |
Explanation: The kprop command or the kpropd daemon could not obtain from TCP/IP the tuple describing its socket connection to use in performing mutual authentication.
User Response: Retry the command. If you are unable to recover, contact the IBM Support Center.
| 2503-012 | getsockname() returned wrong length data. |
Explanation: The kprop command or the kpropd daemon obtained from TCP/IP socket information that had an incorrect length.
User Response: Retry the command. If you are unable to recover, contact the IBM Support Center.
| 2503-013 | fcntl() lock error: file name error_text |
Explanation: The kprop command or the kpropd daemon could not lock the authentication database. Additional details are displayed in the message text.
User Response: Retry the command. If you are unable to recover, contact the IBM Support Center.
| 2503-014 | fcntl() unlock error: file name error_text |
Explanation: The kprop command or the kpropd daemon could not unlock the authentication database. Additional details are displayed in the message text.
User Response: Retry the command. If you are unable to recover, contact the IBM Support Center.
| 2503-015 | write() error: file name error_text |
Explanation: The file could not be written, and further information is included in the text. If the command is kpropd, the file is the local copy of the encrypted database data received from the primary server. For ext_srvtab, the file is the name-new-srvtab file. For kstash, it is the /.k master key cache file.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-016 | socket() error: error_text |
Explanation: The kprop command or one of the Kerberos daemons was unable to establish a socket interface. The particular error condition is noted in the text.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-017 | stat() error: file name error_text |
Explanation: The command was unsuccessful, because it could not obtain information about a required file. The particular error condition is noted in the text.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-018 | Option command-line is not valid. |
Explanation: The command was not successful, because the user entered an option that is not one of those that is valid for the command.
User Response: Enter the command with correct options, as shown in the usage message.
| 2503-019 | This system has no Kerberos V4 authentication database. |
Explanation: The command was not successful because this system is not an authentication server.
User Response: To perform the requested task, issue the command on a system that is an authentication server; locally as root, or through Sysctl.
| 2503-020 | You did not specify a principal name. |
Explanation: You must specify a principal that you want to change or remove.
User Response: Reenter your request, specifying the required argument.
| 2503-021 | You specified conflicting options or arguments. |
Explanation: You specified a combination of command-line options or options and arguments that conflict.
User Response: See the Usage statement. Enter the command again using the correct syntax.
| 2503-022 | You specified an expiration date that is not valid. |
Explanation: The command was not successful because you specified an expiration date that was in the wrong format or out of valid range.
User Response: Enter your command with the expiration date in the correct format.
| 2503-023 | You specified a maximum ticket lifetime that is not valid. |
Explanation: The command was not successful because you specified a maximum ticket lifetime that was not a decimal number between 0 and 255.
User Response: Enter your command with the maximum ticket lifetime within range.
| 2503-024 | Option command-option requires an argument. |
Explanation: You specified an option without the argument it requires following it.
User Response: See the Usage statement. Enter the command using the correct syntax.
| 2503-025 | klb-command did not succeed. |
Explanation: The command was not successful due to an error in the kdb_edit or kdb_util command. See the preceding message for additional information about the error condition.
User Response: Refer to information on the preceding error message.
| 2503-026 | Unable to update database for principal principal. |
Explanation: The requested Kerberos database update may be partially completed. Principals are processed in the order entered on the command line. Names preceding the one displayed were changed or added successfully.
User Response: Refer to information on preceding error messages. When the problem has been corrected, retry the unsuccessful command for principals not yet processed.
| 2503-027 | Incorrect flag: flag |
Explanation: You issued the kdb_edit command using an incorrect option flag.
User Response: Reissue the command using the proper syntax. If you have correctly followed the required syntax, contact the IBM Support Center.
| 2503-050 | Incorrect instance name: instance_name. |
Explanation: An instance name specified on the command line is syntactically incorrect. Instance names must be less than 40 characters and may not contain a '.' or '@' character.
User Response: If you entered the command from the command line, retry specifying a correct instance name. If the command was invoked by another PSSP administration command, follow local reporting procedures.
| 2503-051 | Too many principals found for instance_name. |
Explanation: The command found more than 40 principals defined in the authentication database with a single instance specified on the command line. The command is continuing to create a srvtab file containing the first 40 entries only.
User Response: Check that the instance names specified on the command are correct. If necessary, use the kdb_util dump command to inspect the database. Try the command again if an incorrect instance was used. If unsuccessful, or if the database appears to be incorrect, contact the IBM Support Center.
| 2503-100 | Error reading data: error_text. |
Explanation: The kadmind daemon encountered an error reading a request on the socket from a client program. The text indicates the nature of the problem.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-101 | : error error_text |
Explanation: An error occurred setting up the network interface or receiving an incoming request. The text explains the error condition.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-102 | select() : error_text |
Explanation: The select system call invoked by the kadmind daemon was not successful. The type of error is indicated by the error text.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-103 | setsockopt() keepalive : errno=errno. |
Explanation: The kadmind daemon was not successful while attempting to set up its network interface as indicated by the error message.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-104 | No service service_name instance |
Explanation: The kadmind daemon found that a required service was not defined in the authentication database. The required service was predefined when the authentication database was created. The database is corrupted, or the entry was inadvertently deleted instead of another.
User Response: If you have a backup of the database created with kdb_util dump, use that backup to rebuild it. Otherwise, recreate your authentication environment by running setup_authent.
| 2503-105 | Short read: expected_length vs length_read. |
Explanation: The request from the client read on the socket was the wrong length.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-106 | Error processing request: error_text. |
Explanation: The client request was passed to a processing routine which was not able to complete it successfully. The error text explains the error further.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-107 | Error writing data length: error_text. |
Explanation: A socket write was not successful, sending the output data length to the client. The error text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-108 | Error writing data: error_text. |
Explanation: A socket write was not successful, sending the output data to the client. The error text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-109 | Child pid termsig signal_number coredump dump retcode _code. |
Explanation: A child process terminated while processing a client request. The reason for the termination is indicated by the message.
User Response: Follow local reporting procedures.
| 2503-110 | Child pid not in list: termsig signal_number coredump dump retcode _code. |
Explanation: A program error occurred handling termination of a child process.
User Response: Follow local reporting procedures.
| 2503-111 | Error reading data length: error_text. |
Explanation: A socket read was not successful, reading the input data length from the client.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-112 | Read truncated data length: length. |
Explanation: A socket read was not successful, reading the input data from the client.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-150 | Pre-defined principals may not be removed. |
Explanation: You attempted to remove one of the four principals that were pre-defined by Kerberos for its internal use. This is not allowed.
User Response: Use the chkp command to change the attributes of any predefined principal.
| 2503-151 | No matching principal was found to remove. |
Explanation: No principals in the Kerberos database match the names you entered as arguments.
User Response: Check the spelling of the names you entered. Use the lskp command to review the current list of defined principals. Enter the command again.
| 2503-152 | Another process has updated the Kerberos V4 database. Retry this request. |
Explanation: While this request was executing, another root process, possibly the kadmind daemon, changed the database. This request is cancelled.
User Response: Use the lskp command to check the database contents and retry your request, if it is still required.
| 2503-153 | You did not specify any attribute to change. |
Explanation: You did not include either a new expiration date or a new maximum ticket lifetime value for the selected principals.
User Response: If necessary, change the desired information.
| 2503-154 | Principal principal name does not exist. |
Explanation: You specified a principal that has not yet been defined in the Kerberos database. The principal is ignored and the command continues.
User Response: Check the spelling of the names you entered. Enter the command again if you intended to change a different principal.
| 2503-155 | Principal principal name already exists. |
Explanation: You specified a principal that has already been defined in the Kerberos database. The principal is ignored and the command continues.
User Response: Enter the command again if you meant to add a different principal.
| 2503-156 | No principal was found to match argument wild-card-argument |
Explanation: The command could not locate any principal in the Kerberos database that matches the argument shown. Processing of remaining arguments continues.
User Response: Check the spelling of the argument you entered. Enter the command again, if necessary.
| 2503-157 | Wild-card arguments are not allowed. |
Explanation: You used wild-card notation for principal selection, which is not allowed, because the command was invoked non-interactively.
User Response: If you want to remove multiple principals using "name." or ".instance notation, run the command without prompting suppressed. You cannot use wild-card notation when running this command through Sysctl.
| 2503-200 | Database could not be deleted at file name: error-text. |
Explanation: An unlink system call was not successful, attempting to delete the database files.
User Response: Retry the command. If problem persists, contact the IBM Support Center.
| 2503-300 | Kerberos V4 error on default value lookup; number_of_values found. |
Explanation: More than one entry was found in the authentication database for the default principal, containing default attribute values for kdb_edit.. Perhaps an entry was inadvertently replicated when editing a database dump from kdb_util dump.
User Response: Delete all entries for a principal named default, except the one created at database creation. Load the database again using kdb_util load..
| 2503-301 | The date is not valid. |
Explanation: You entered an expiration date in the wrong format. The correct format was used to display the default value in brackets [ ].
User Response: Enter a date in the same format, or press enter to accept the default.
| 2503-302 | The ticket lifetime is not valid; choose 0-255. |
Explanation: You entered a ticket lifetime value that was not an integer between 0 and 255. For an explanation of how the possible integer values map to actual lifetime intervals, see PSSP: Administration Guide.
User Response: Enter a value from 0 to 255 that corresponds to the maximum lifetime you want this principal's tickets to remain valid.
| 2503-303 | The attributes value is not valid; choose 0-65535. |
Explanation: You entered a value outside the range allowed.
User Response: Select the default value. Attributes are unused.
| 2503-304 | Error updating kerberos V4 database. |
Explanation: The database could not be updated with your changes. Perhaps the /var file system is full.
User Response: Check for file system problems. If unable to correct the problem, contact the IBM Support Center.
| 2503-305 | Wild-card names are not supported. |
Explanation: You must specify a single principal by name and instance.
User Response: Enter the name or instance again you want to use, as required.
| 2503-306 | Signal caught, sig = signal-number, code = error-code old pc = location. |
Explanation: The command was terminated by a signal as indicated.
User Response: If the signal was not caused intentionally by user action, follow local problem reporting procedures.
| 2503-400 | Could not create database: error_text. |
Explanation: The authentication database could not be created. The error text indicates the reason for the error.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-401 | Could not read realm name. |
Explanation: An error prevented the program from reading the realm name from stdin.
User Response: Enter the command again. If unsuccessful, contact the IBM Support Center.
| 2503-402 | A realm name is required. |
Explanation: You did not enter a realm name as required.
User Response: Enter the command again and supply a realm name.
| 2503-403 | realm_name is not a valid realm name. |
Explanation: The realm name you entered contained a '@' character or was not less than 40 characters in length.
User Response: Enter the command again, supplying a properly formed realm name.
| 2503-404 | Could not initialize database. |
Explanation: The program could not add the predefined principals to the database.
User Response: Enter the command again. If unsuccessful, contact the IBM Support Center.
| 2503-500 | operation is not a valid operation. |
Explanation: The operation you requested is not one of:
User Response: Enter the command again, specifying a correct operation.
| 2503-501 | Could not create temp database file name error_text. |
Explanation: A load request was not successful, because the new copy of the database could not be created. The error text indicates the reason for the problem. One possible cause is a full /var file system.
User Response: Take appropriate action based on the condition reported. If unable to recover, follow local reporting procedures.
| 2503-502 | Could not store name.instance: error-text; load abended. |
Explanation: While loading entries from the ASCII dump file into the new database, the principal shown could not be added to the database. The text indicates the reason for the error. One possible cause is a full /var file system.
User Response: Take appropriate action based on the condition reported. If unable to recover, contact the IBM Support Center.
| 2503-503 | Could not rename database: error-text |
Explanation: The newly loaded database could not be renamed from its temporary name to the authentication database name.
User Response: Contact the IBM Support Center.
| 2503-504 | Could not get new master key. |
Explanation: When changing the master key, the command could not read the new key from stdin.
User Response: Enter the command again. If unsuccessful, contact the IBM Support Center.
| 2503-505 | Error on master key lookup; number_of_matches found. |
Explanation: More than one entry was found in the authentication database for the M.K principal, representing the master administrative role. Perhaps an entry was inadvertently replicated when editing a database dump from kdb_util dump..
User Response: Delete all entries for a principal named M.K, except one created by db_creation.. Reload the database using kdb_util load.
| 2503-506 | The master key does not match the key in the database. |
Explanation: The old master key you entered from stdin or read from the /.k file is not the one in which the database is encrypted. Your database may have been corrupted or loaded from an old dump file. Or the /.k file could have been corrupted. You may have previously changed the master password but was unsuccessful to store the new master key with kstash.
User Response: If you entered the wrong password, retry the command and enter it correctly. If you cannot reconcile a /.k file and database that have different passwords, you will have to rebuild your authentication database using setup_authent.
| 2503-600 | The pause interval must be between 5 and 3600 seconds. |
Explanation: You modified the inittab entry from the kerberos daemon or started it from the command line, but entered a value which was not valid for the number of seconds the daemon will pause on termination.
User Response: Enter the command using a valid value or use the default.
| 2503-601 | The maximum age must be from one hour to three days, in seconds |
Explanation: You modified the inittab entry from the kerberos daemon or started it from the command line, but entered a value which was not valid for the number of seconds the daemon will have allowed since the last database update.
User Response: You should use this option only for secondary (slave) servers. Try the command again using a valid value or use the default. The default for secondary servers is one day.
| 2503-602 | Principal name.instance expired at expiration_time. |
Explanation: A service principal for which a ticket was requested has expired. Either the system clock is wrong, or the principal was created or modified to expire before the current time.
User Response: Check the system clock for an incorrect setting. Use kdb_edit to change the expiration date of the principal to a future date.
| 2503-603 | setsockopt (SO_REUSEADDR): error-text |
Explanation: The setsockopt request by the kerberos daemon was unsuccessful. The text indicates the reason for the problem.
User Response: Take appropriate action based on the condition reported. If unable to recover, contact the IBM Support Center.
| 2503-604 | Cannot verify master key. |
Explanation: The master key obtained from the /.k file (or from stdin if you started the daemon from the command line with the -m flag) is not the one in which the database is encrypted.
Your database may have been corrupted or loaded from an old dump file. Or the /.k file could have been corrupted. You may have previously changed the master password but failed to store the new master key with kstash.
User Response: If you entered the wrong password, retry the command and enter it correctly. If you cannot reconcile a /.k file and database that have different passwords, rebuild your authentication database using setup_authent.
| 2503-605 | Ticket granting ticket service unknown. |
Explanation: No entry was found in the authentication database for the krbtgt service principal, representing the ticket-granting-service. Perhaps the entry was inadvertently deleted when editing a database dump from kdb_util dump.
User Response: Reload the database using kdb_util load if you have a valid backup dump file. If not, rebuild your authentication database using setup_authent.
| 2503-606 | Protocol version mismatch: KRB=version_expected request=version_received. |
Explanation: You are using a client executable, such as k4init, which was compiled using a different level of Kerberos than that used to compile the SP authentication server.
User Response: Change your PATH so the correct executable is used.
| 2503-607 | Realm realm_name is unknown; host hostname request did not succeed. |
Explanation: A client requested credentials for a realm that is not served by this authentication server. The most likely cause is an incorrect realm name in the client system's /etc/krb.conf file.
User Response: Copy the file from the primary server system to the client system and try the request again.
| 2503-608 | Unknown message type: message_type from hostname port port_number. |
Explanation: A client request contained an encoding of the request type which was not valid. The message indicates the source of the erroneous request. The message could reflect an attempt to spoof the authentication server, or the use of client software based on the wrong level of Kerberos.
User Response: Investigate the problem environment on the client side to determine the program that was executed, and take appropriate action.
| 2503-609 | The database is currently being updated. |
Explanation: The kerberos daemon attempted to check the age of the database, and found the age to be zero, indicating that the age cannot be determined. End the daemon and restart it after the update completes.
User Response: When kprop indicates completion of the update, kill the kerberos daemon to allow it to be respawned by init or restarted manually.
| 2503-610 | The database is out of date. |
Explanation: The database was found to be older than the allowed age limit. The kerberos daemon cannot be started until the next update takes place.
User Response: Force the primary to propagate the database by invoking the command /usr/kerberos/etc/push-kprop. When the update completes, kill the daemon to allow it to be respawned by init or restart it manually.
| 2503-611 | The database is unavailable. |
Explanation: The request could not be completed, because the principal could not be looked up in the database.
User Response: Retry the command. If unsuccessful, contact the IBM Support Center.
| 2503-612 | Principal principal_name.instance is unknown. |
Explanation: No entry was found in the authentication database for the application service principal, for which a ticket was requested. Perhaps the entry was inadvertently deleted when editing a database dump from kdb_util dump.
User Response: Load the database again using kdb_util load if you have a valid backup dump file. If not, you can use the kadmin and ksrvutil commands to create the missing principal again.
| 2503-613 | Principal principal_name.instance is not unique. |
Explanation: More than one entry was found in the authentication database for the service principal, for which a ticket was requested. Perhaps an entry was inadvertently replicated when editing a database dump from kdb_util dump.
User Response: Delete any duplicate entries for the principal, and reload the database using kdb_util load.
| 2503-614 | Principal principal_name.instance has a null key. |
Explanation: No key was found in the database for the named principal.
User Response: Follow local reporting procedures.
| 2503-615 | Wrong key version, KRB = expected_version principal_name.instance = actual_version. |
Explanation: The master key under which the principal's database entry was last modified or created is different than the current master key. The database is corrupted, at least with respect to this entry.
User Response: Delete the database entry for this principal and re-create it using kdb_edit or kadmin. If it is a service principal, replace the key file using the steps described in the chapter on diagnosing authentication problems in the PSSP: Diagnosis Guide.
| 2503-616 | recvfrom() : error-text |
Explanation: An error occurred receiving a client request on the socket interface. The error text indicates the reason for the problem.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-700 | file name is more recent than ok_filename. |
Explanation: Either a kdb_util slave_dump command was not executed prior to invoking kprop, or we lost a race condition between two instances of kprop to propagate the current database to secondary servers.
User Response: In the first case, use push-kprop instead of kprop to initiate database propagation. In the second case, check that the other invocation of kprop (perhaps by cron) completed successfully.
| 2503-701 | Cannot read slave host file file name. |
Explanation: The slave list file, containing the hostnames of the secondary servers, could not be processed. A preceding message indicates the reason for the problem.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-702 | Propagation dd not succeed. |
Explanation: Propagation to at least one of the secondary servers did not complete. Another message indicates the actual problem that was detected.
User Response: Take appropriate action based on the error condition reported. If unable to recover, contact the IBM Support Center.
| 2503-703 | Host hostname connect() : error-text |
Explanation: The kprop command could not establish a socket connection with the kpropd daemon on the indicated host. The text provides additional information about the error. The daemon may not be running, the system may be down, or there may be network problems.
User Response: Take appropriate action based on the condition reported. If unable to recover, contact the IBM Support Center.
| 2503-704 | Host hostname write (version) : error-text |
Explanation: A socket write was unsuccessful, sending the protocol version number to the kpropd daemon at the indicated host. The error text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-705 | Host hostname write (transfer mode) : error-text |
Explanation: A socket write was unsuccessful, sending the protocol transfer mode to the kpropd daemon at the indicated host. The error text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-706 | Cannot make key schedule for hostname. |
Explanation: The session key shared by kprop and kpropd violates DES rules: it has bad DES parity or is determined to be a weak key. This is a network data integrity problem or a Kerberos V4 software problem.
User Response: Follow local reporting procedures.
| 2503-707 | Input file read : error-text |
Explanation: The kprop command could not read the input file containing the dumped database. You may have incorrectly specified the file name.
User Response: Verify that the command arguments were specified correctly. If not, retry the command. Otherwise follow local reporting procedures.
| 2503-708 | Host hostname krb_mk_priv() did not succeed. |
Explanation: kprop could not build an encrypted packet containing its credentials and a database record to send to kpropd. This is probably the result of a Kerberos V4 software error.
User Response: Follow local reporting procedures.
| 2503-709 | Host hostname write() : error-text |
Explanation: A socket write was unsuccessful, sending authentication database data to the kpropd daemon at the indicated host. The error text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-710 | Cannot open slave host file, hostname. |
Explanation: The slavelist file, containing the hostnames of the secondary servers, could not be opened. You may have specified the file name incorrectly.
User Response: Retry the command with the correct arguments. If the slavelist file has disappeared, it can be re-created using an editor, putting the fully qualified hostname of each secondary server on a separate line.
| 2503-711 | Host name in file name is longer than limit characters. |
Explanation: The line read from the slavelist file was longer than the limit on the length of a hostname. Perhaps you specified the wrong file or the file has been overlaid.
User Response: If the slavelist file contains information which is not valid, it can be recreated using an editor, putting the fully qualified hostname of each secondary server on a separate line. Then enter the command again.
| 2503-712 | Unknown host hostname in file name. |
Explanation: Hostname resolution was unsuccessful for the indicated name read from the slavelist file. The name in the file may be incorrect or your name service may be unavailable.
User Response: Check the validity of the file content and the availability of your name server, taking appropriate corrective action, then retry kprop.
| 2503-713 | No memory reading host list from file name. |
Explanation: kprop was unable to allocate memory to create a list of secondary services. This is probably symptomatic of a serious system problem, such as a major memory leak.
User Response: Follow local reporting procedures.
| 2503-800 | Was unable to reverse-resolve connection network address (reason h_errno). |
Explanation: The kpropd daemon detected an error on a gethostbyaddr system call. The meaning of the various h_errno values is described in netdb.h.
User Response: Check that your name service is available. Look for other possible networking errors, based on the h_errno value. If you cannot correct the problem, contact the IBM Support Center.
| 2503-801 | creat() : error_text |
Explanation: The kpropd daemon could not open a temporary file to receive the authentication database dump from kprop. The error text indicates the nature of the problem. One cause might be a full file system.
User Response: Take appropriate action based on the condition reported. If unable to recover, contact the IBM Support Center.
| 2503-802 | Cannot read kprop version string: error_text |
Explanation: A socket read was unsuccessful, receiving the protocol version number from the kprop command at the primary server host. The text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-803 | Unsupported kprop version: version_number. |
Explanation: The kprop command and the kpropd daemon are not using the same level of Kerberos V4 protocol. One of the executables was not supplied as part of the SP authentication service, or has a software error.
User Response: Replace the kprop command or kpropd daemon with the SP version, if one is not. Otherwise, contact the IBM Support Center.
| 2503-804 | Cannot read transfer mode: error_text. |
Explanation: A socket read was unsuccessful, receiving the protocol transfer mode from the kprop command at the primary server host. The text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-805 | Authorization denied. |
Explanation: A propagation request was received that was not from the rcmd service in the local realm. kprop may have been invoked from outside the local realm.
User Response: Check your procedures for database propagation, including your cron entries, for an error and invoke kprop only from the local realm's primary (admin) server host.
| 2503-806 | kprop request from non-admin host; rejected. |
Explanation: A propagation request was received that was not from the primary server for the local realm. It may have come from a secondary server.
User Response: Check your procedures for database propagation, including your cron entries, for an error and invoke kprop only from the local realm's primary (admin) server host.
| 2503-807 | Incorrect transfer mode transfer_mode. |
Explanation: This is a Kerberos V4 software error.
User Response: Follow local reporting procedures.
| 2503-808 | Non-private transfers are not supported. |
Explanation: This is a Kerberos V4 software error.
User Response: Follow local reporting procedures.
| 2503-809 | Length data_length does not match checksum check_sum. |
Explanation: This is a network data integrity problem or a Kerberos software error.
User Response: Follow local reporting procedures.
| 2503-810 | rename() : error_text. |
Explanation: The kpropd daemon could not rename the temporary file containing the database dump received from the primary server. The error text indicates the nature of the error.
User Response: Take appropriate action based on the condition reported. If unable to recover, follow local reporting procedures.
| 2503-811 | Could not load database. |
Explanation: The kdb_util load command could not be executed to re-create the database files from the transmitted data. One possible cause is a full /var file system.
User Response: Check kdb_util messages for additional information, or other indications of file system problems.
| 2503-812 | Cannot make key schedule. |
Explanation: The session key shared by kprop and kpropd violates DES rules: it has bad "DES parity" or is determined to be a weak key. This is a network data integrity problem or a Kerberos V4 software problem.
User Response: Follow local reporting procedures.
| 2503-813 | read() : error_text |
Explanation: A socket read was unsuccessful, receiving authentication database data from the kprop command at the primary server host. The error text provides additional information about the error.
User Response: Check for networking problems. If problem persists, contact the IBM Support Center.
| 2503-814 | Read length data_length is more than buffer size buffer_size. |
Explanation: This is a network data integrity problem or a Kerberos V4 software error.
User Response: Follow local reporting procedures.
| 2503-900 | Kerberos V4 on master key lookup, count found. |
Explanation: Either no entry or more than one entry was found in the authentication database for the predefined K.M principal. The entry may have been inadvertently deleted or replicated when editing a database dump from kdb_util dump.
User Response: If count is greater than one, delete all but one entry, and reload the database on the primary server. If the count is zero, and you have a valid backup of the database on the primary server, use the backup copy to restore it. Otherwise you will have to recreate your authentication environment by rerunning setup_authent.
| 2503-901 | Inocrrect master key; does not match database. Current Kerberos V4 master key version is key-version-number |
Explanation: A master key, entered from standard input or read from the /.k file, does not match the key used to encrypt the authentication database. Either you entered the wrong password, the /.k file has been corrupted, or the database has been corrupted.
User Response: If you have changed passwords, and recorded the version numbers corresponding to the various passwords used, you may be able to determine the password you must enter. If the key version from the database is correct (for example, the database has not been down-leveled, as by invoking kdb_util load from a dump file created prior to the last password change) you may need to re-create the /.k file using kstash.
| 2503-902 | Kerberos V4 error locking database. |
Explanation: This is a locking state violation, a Kerberos V4 software error.
User Response: Follow local reporting procedures.
| 2503-903 | Inocrrect kerberos V4 lock request, mode = lock-request-type. |
Explanation: This is a Kerberos V4 software error.
User Response: Follow local reporting procedures.
| 2503-904 | Kerberos V4 error unlocking database. |
Explanation: This is a locking state violation, a Kerberos V4 software error.
User Response: Follow local reporting procedures.