| 2504-001 | Kerberos V4 principal expired. |
Explanation: The current date is past the expiration date of the principal's entry in the authentication database. Either the system date is incorrect or the expiration date in the database entry was incorrectly set using kdb_edit.
User Response: Correct the system date, if it is incorrect; or use the kdb_edit command to change the expiration date in the principal's database entry.
| 2504-004 | Unknown Kerberos V4 protocol version. |
Explanation: You are attempting to use client and server programs built with different levels of Kerberos V4 libraries. The client and server functions cannot communicate correctly.
User Response: If you are using a Kerberos V4 authentication server other than the one supplied in the PSSP, it must be compatible with MIT Kerberos 4 Patch level 10. The same is true of any Kerberos V4 -authenticated client/server programs you may be running.
| 2504-005 | Incorrect Kerberos V4 master key version. |
Explanation: Your /.k file contains a master key that does not match the key used to encrypt the authentication database. The file could have been corrupted or restored with an earlier level, or the database may have been destroyed.
User Response: Try to recreate the /.k file by invoking the kstash command, entering the correct database master key when prompted.
| 2504-008 | Kerberos V4 principal unknown. |
Explanation: An authentication task cannot be performed because the principal name used is not defined in the authentication database. If the failing command is rcmdtgt, the principal rcmd.instance has not been defined. If the command you entered specified a principal name explicitly, you may have incorrectly entered it.
User Response: Make sure you correctly entered the principal name on the command line or when prompted. If you entered the name correctly, or if you did not explicitly specify a principal for the task, contact your administrator to check the database for the required name and create it if required.
| 2504-009 | Kerberos V4 principal not unique. |
Explanation: Multiple entries were found for a principal in the authentication database.
User Response: The root user must find and delete any entries that are duplicate or not valid using the kdb_util dump command, an editor, and then kdb_util load..
| 2504-010 | Kerberos V4 principal has null key. |
Explanation: The entry for the principal has no key in the authentication database.
User Response: The root user must repair the entry for the principal, using the kdb_edit command, if possible. If that does not succeed, delete the entry should and recreate it using either kdb_edit or kadmin..
| 2504-022 | Can't find Kerberos V4 ticket. |
Explanation: The ticket cache file exists, but there is no ticket when one is expected.
User Response: Check the setting of the KRBTKFILE environment variable to insure that you are using the correct ticket cache file. Try the failing task again, after issuing the k4destroy command. If the k4list command shows a valid ticket, but the task still fails, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-031 | Kerberos V4 error: can't decode authenticator. |
Explanation: There is probably a mismatch between the authentication database and a service key file on the server side of an authenticated application.
User Response: Check the key version in the server key file on the server system. The server system is the control workstations if the failing task is trying to contact the Hardware Monitor Daemon. Otherwise, the server system is the target system of a sysctl command, remote command or remote copy.
The system administrator, logged in as root, should inspect the service key file using the k4list command and the authentication database using kadmin. If the keys have the same version number, gather information about the problem and follow local site procedures for reporting hardware and software problems.
Otherwise, follow the instructions in the chapter on diagnosing authentication problems in the PSSP: Diagnosis Guide for regenerating the service key file for the server system.
| 2504-032 | Kerberos V4 ticket expired. |
Explanation: You attempted to perform a task requiring authentication, but the ticket found in the ticket cache file had expired.
User Response: You must log into Kerberos V4 again using k4init, before retrying the failing task.
| 2504-033 | Kerberos V4 ticket not yet valid. |
Explanation: The ticket found in the ticket cache has a date of issue after the current date and time. There may be something wrong with the clock on your system.
User Response: Log into Kerberos V4 again using k4init, then retry the failing task. Report a possible clock problem to your administrator.
| 2504-036 | Inconsistent Kerberos V4 request. |
Explanation: An administrative request was issued that was inconsistent with the current state of the authentication database.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-037 | Kerberos V4 error: client and server clocks must be synchronized. |
Explanation: Authentication was not successful because the clocks on the requesting system and the server differ by more than 5 minutes.
User Response: Have your administrator check that the system's time service is operating correctly, for example, that the NTP daemon is running.
| 2504-039 | Kerberos V4 protocol version mismatch. |
Explanation: The authentication server is using a different protocol version of Kerberos V4 than the client. This can only occur if service is being provided by a product not based on MIT Kerberos Version 4, as required.
User Response: You must reconfigure your authentication server(s) so that they all use the same level of Kerberos V4 protocol.
| 2504-040 | Kerberos V4 error: incorrect message type. |
Explanation: A Kerberos V4 message packet did not contain the expected information for the request.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-041 | Kerberos V4 error: message stream modified. |
Explanation: A Kerberos V4 message packet was garbled. This could be through a networking problem, or through improper use of an intercepted message by an outside party.
User Response: Report the problem to your administrator. Investigate possible network hardware or software problems, as well as exposure to network break-in.
| 2504-052 | Kerberos V4 error: incorrect current password. |
Explanation: When changing a principal's password, the current password was incorrectly entered.
User Response: Enter the correct password.
| 2504-056 | Kerberos V4 error: retry count exceeded. |
Explanation: Repeated attempts to communicate with an authentication server were not successful.
User Response: Have the administrator check that the server daemon is running and that TCP/IP communication is possible between this system and the server system.
| 2504-057 | Kerberos V4 error: can't send request to server. |
Explanation: The server system may not be defined properly, TCP/IP communication may be disrupted, or name service may not be working as expected.
User Response: Have your administrator check for proper setup of network interfaces and availability of name service for your system.
| 2504-062 | Incorrect Kerberos V4 password. |
Explanation: You entered a password that is incorrect for the principal you are using.
User Response: Enter the correct password, or enter another principal name if the name you are using is incorrect.
| 2504-063 | Kerberos V4 protocol error. |
Explanation: An internal error occurred, preventing the client and server functions from successfully completing an authentication or administration task.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-070 | Generic Kerberos V4 error. |
Explanation: An unexpected condition caused an authentication task to terminate. One possible cause is user interruption via <Ctrl C>.
User Response: Reissue the command, if required.
| 2504-071 | Don't have Kerberos V4 ticket-granting-ticket. |
Explanation: There is no ticket-granting-ticket in the ticket cache file. Perhaps KRBTKFILE points to a file that is not a ticket cache.
User Response: Check the KRBTKFILE environment variable for an erroneous setting. Log into Kerberos V4 using k4init. If the problem persists. gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-076 | Kerberos V4 ticket file was not found. |
Explanation: You have no tickets. If you have logged into Kerberos V4, perhaps you have not defined or exported the KRBTKFILE environment variable properly.
User Response: Check the KRBTKFILE environment variable for an erroneous setting. Log into Kerberos V4 using k4init. If error persists, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-077 | Can't access Kerberos V4 ticket file. |
Explanation: There is a problem with access permissions for your ticket cache file.
User Response: Make sure the file you are using is accessible to you.
| 2504-078 | Can't lock Kerberos V4 ticket file. |
Explanation: The request to lock the ticket file failed, probably because you have another process using it. If not, perhaps the KRBTKFILE environment variable names a file that is another user's ticket cache file.
User Response: Check whether you are attempting to update the ticket file while it is in use. Check the KRBTKFILE environment variable for an erroneous setting.
| 2504-079 | Incorrect Kerberos V4 ticket file format. |
Explanation: The ticket file exists and can be accessed, but does not contain tickets with the required format.
User Response: Check the KRBTKFILE environment variable for an erroneous setting.
| 2504-080 | Kerberos V4 ticket file not initialized. |
Explanation: An internal error occurred, preventing the ticket cache file from being read.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-081 | Kerberos V4 name has incorrect format. |
Explanation: You did not enter a user name in the expected format when prompted. You probably tried to enter instance or realm names in addition to the user name. k4init is asking for just the user name part of the principal name.
User Response: If you do not enter the full principal name on the command line, you must specify the -i flag in order to enter an instance name interactively. Similarly, you must specify the -r flag if you want to specify a realm name interactively.
| 2504-303 | Can't encrypt data. |
Explanation: Either client or server failed attempting to encrypt a protocol message. One possible reason is failure to obtain the current system time-of-day.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-305 | Principal attempting change is in wrong realm. |
Explanation: You requested a password change for a principal defined in a realm other than the one to which your kadmin command was directed.
User Response: Exit from kadmin and reissue the command specifying the correct realm for the principal whose password you wish to change.
| 2504-306 | Packet is too large. |
Explanation: The authentication message built by an administrative command to send to the kadmind server is larger than the 64KB limit.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-307 | Version number is incorrect. |
Explanation: The Kerberos administration command you issued and the administrative server have different version numbers. You are probably running an authentication server based on a different level of MIT Kerberos that is not supported with the 9076 SP2 authentication service.
User Response: Reconfigure your authentication service using the 9076 SP2 authentication server (ssp.authent), or another server running a compatible level of MIT Kerberos Version 4. If using the 9076 SP2 server, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-308 | Checksum does not match. |
Explanation: The Kerberos administration command you issued and the administrative server calculated different checksums.
The message could have been corrupted during transmission, or you may be using a Kerberos authentication server based on a different level of MIT Kerberos that is not supported with the 9076 SP2 authentication service.
User Response: Check for other evidence that network traffic is being corrupted. If there is no evidence, and you are not using the 9076 SP2 server, reconfigure your authentication service using the 9076 SP2 authentication server (ssp.authent), or another server running a compatible level of MIT Kerberos Version 4.
Otherwise, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-310 | Unsupported operation. |
Explanation: The Kerberos administration server found an unsupported operation type field in the client command's request.
The message could have been corrupted during transmission, or you may be using a Kerberos authentication server based on a different level of MIT Kerberos that is not supported with the SP authentication service.
User Response: Check for other evidence that network traffic is being corrupted. If there is no evidence, and you are not using the 9076 SP2 server, reconfigure your authentication service using the 9076 SP2 authentication server (ssp.authent), or another server running a compatible level of MIT Kerberos Version 4.
If using the 9076 SP2 server, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-311 | Could not find administrating host. |
Explanation: You attempted to perform an administrative task for a realm that has no administration server listed in your system's /etc/krb.conf file.
Each realm that you expect to administer should have an entry for its primary (administration) server in the krb.config file on any system from which you expect to execute administration commands.
User Response: Add the appropriate entry on this system and reissue the failing command.
| 2504-312 | Administrating host name is unknown. |
Explanation: You attempted to perform an administrative task for a realm whose administration server is inaccessible on the network from this system.
This could be the result of a name service problem or an incorrect entry for the primary (administration) server in the krb.config file on this system.
User Response: Check the krb.conf file and hostname resolution facilities. If necessary, change the krb.conf file entry. Reissue the failing command.
| 2504-314 | Could not create socket. |
Explanation: The administration command or the kadmind server was unable to open a socket. The port could be already in use by another process or the port number for the service might be defined incorrectly in the /etc/services file.
User Response: Check to insure that the port is available and that the kadmind port is not defined for another service.
| 2504-315 | Could not connect to server. |
Explanation: The connect system call failed trying to connect to the kadmind server.
User Response: Check for other network error messages indicating related error conditions. If the problem is not resolved, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-316 | Could not fetch local socket address. |
Explanation: The getsockname system call failed, after connecting to the kadmind server.
User Response: Check for other network error messages, indicating related error conditions. If the problem is not resolved, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-317 | Could not fetch master key. |
Explanation: The administration command was unable to obtain the master key, from the master key cache file (/.k) or interactively from stdin. The kadmind server is terminated during startup by this condition.
The /.k file is created by kstash, invoked by the setup_authent command. It must exist if the -n flag is specified when starting the kadmind daemon. If -n is not specified, the daemon requires interactive input of the master key.
User Response: Make sure that file /.k exists and that -n is specified on the inittab entry used to start the kadmind daemon.
| 2504-318 | Could not verify master key. |
Explanation: The master key was read from the /.k file or the keyboard, but is not equal to the current master key for the database. If you changed the master key using the kadmin command, you may not have reissued kstash to re-create the master key cache file.
User Response: Issue the kstash command if you need to do so, then restart the kadmind daemon.
| 2504-319 | Entry already exists in database. |
Explanation: You tried to create a principal that already exists in the authentication database. You may have incorrectly specified the name, or tried to add it unnecessarily.
User Response: Reissue the request, specifying the correct principal name, if necessary.
| 2504-320 | Database store error. |
Explanation: The administration server was unable to update the authentication database. The most likely cause is lack of space in the /var file system.
User Response: Check whether the /var file system must be expanded. Reissue the failing request after allocating additional space, if necessary.
| 2504-321 | Database read error. |
Explanation: The administration server was unable to read the authentication database.
User Response: Check for possible file system or device problems.
| 2504-322 | Insufficient access to perform requested operation. |
Explanation: You are not authorized to perform the requested operation according to the administration server's access control list files: admin_acl.get, admin_acl.add, and admin-acl.mod.
User Response: Have an authorized administrator perform the task or have the root user add your Kerberos principal to one or more of the access control list files.
| 2504-324 | No such entry in the database. |
Explanation: The principal you attempted to get or modify was not found in the authentication database. You may have incorrectly specified the name.
User Response: Reissue the request with a correct principal name.
| 2504-325 | Memory exhausted. |
Explanation: The administrative command was unable to allocate sufficient memory to build the protocol message to send to the administration server.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-326 | Could not fetch system hostname. |
Explanation: The gethostname or gethostbyname system call failed when the Kerberos administration server was being initialized.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-327 | Could not bind port. |
Explanation: The bind system call failed trying to connect to the kadmind server.
User Response: Check for other network error messages indicating related error conditions. If the problem is not resolved, gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-328 | Length mismatch problem. |
Explanation: The data received from the client or server in an authentication message has elements whose lengths are incorrect. This is an internal error.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
| 2504-329 | Incorrect use of wildcard. |
Explanation: You specified the "*" wildcard character as a name or instance when you requested an administrative function. This is not allowed.
User Response: You must specify one specific principal.
| 2504-330 | Database locked or in use. |
Explanation: The administrative server was unable to update the database, probably because another process is using it.
User Response: Make sure that you or another administrator logged in as root is not making simultaneous updates using the kdb_edit or kdb_load utilities.
| 2504-331 | Insecure password rejected. |
Explanation: You entered a new password that failed the triviality checks performed by the authentication server.
User Response: Reissue the request and specify another password.
| 2504-332 | Cleartext password and DES key did not match. |
Explanation: An internal error occurred that caused an encrypted password to no longer match its database entry.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.