This chapter provides resolutions for error messages that
you might receive when you use SEAM, as well as some troubleshooting tips
for various problems. This is a list of the error message and troubleshooting
information in this chapter.
This section provides information about SEAM error messages, including
why each error occurs and a way to fix it.
This section provides an alphabetical list (A-M) of common error messages
for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS
service, and the Kerberos library.
-
major_error minor_error gssapi error importing name
-
Cause:
An error occurred while a service name was being imported.
Solution:
Make sure that the host or ftp service principal is in the host's
keytab file.
-
All authentication systems disabled; connection refused
-
Cause:
This version of rlogind does not support any authentication
mechanism.
Solution:
Make sure that rlogind is invoked with the -k option. In fact, this should
be the default specified in the inetd.conf file.
-
Another authentication mechanism must be used to access this host
-
Cause:
Authentication could not be done.
Solution:
Make sure the client is using
Kerberos V5 for authentication.
-
Authentication negotiation has failed, which is required for encryption. Good bye.
-
Cause:
Authentication could not be negotiated with the server.
Solution:
Start authentication debugging by invoking the telnet command toggle authdebug,
and look at the debug messages for further clues. Also, make sure
you have valid credentials.
-
Cannot encrypt-write network
-
Cause:
Problem occurred in encrypting data.
Solution:
Check for other possible problems
in the system. Examine other syslog messages for further
clues.
-
Client did not supply required checksum--connection rejected
-
Cause:
Authentication with checksum was not negotiated with the client. The
client may be using an old Kerberos V5 protocol that does not support initial
connection support.
Solution:
Make sure that the client is
using a Kerberos V5 protocol that supports initial connection support.
-
Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections
-
Cause:
Authentication with checksum was not negotiated with the client. The
client might be using an old Kerberos V5 protocol that does not support initial
connection support.
Solution:
Make sure the client is using
a Kerberos V5 protocol that supports initial connection support.
-
des_read retry count exceeded
-
Cause:
An error repeatedly occurred while reading data.
Solution:
Check for other possible problems
in the system. Examine other syslog messages for further
clues.
-
Encryption could not be enabled. Goodbye.
-
Cause:
Encryption could not be negotiated with the server.
Solution:
Start authentication debugging by invoking the telnet command toggle encdebug,
and look at the debug messages for further clues.
-
Kerberos V5 refuses authentication
-
Cause:
Authentication could not be negotiated with the server.
Solution:
Start authentication debugging by invoking the telnet command toggle authdebug,
and look at the debug messages for further clues. Also, make sure
you have valid credentials.
-
login: load_modules: can not open module /usr/lib/security/pam_krb5.so.1
-
Cause:
Either the Kerberos PAM module is missing or it is not a valid executable
binary.
Solution:
Make sure that the Kerberos PAM
module is in the /usr/lib/security directory and that
it is a valid executable binary. Also, make sure that the /etc/pam.conf file contains the correct path to pam_krb5.so.1.
This section provides an alphabetical list (N-Z) of common error messages
for the SEAM commands, SEAM daemons, PAM framework, GSS interface, the NFS
service, and the Kerberos library.
-
No authentication systems were enabled; all connections will be refused
-
Cause:
This version of rlogind does not support any authentication
mechanism.
Solution:
Make sure that rlogind is invoked with the -k option. In fact, this should
be the default specified in the inetd.conf file.
-
Server refused to negotiate encryption. Good bye.
-
Cause:
Encryption could not be negotiated with the server.
Solution:
Start authentication debugging by invoking the telnet command toggle encdebug,
and look at the debug messages for further clues.
-
Unable to connect with Kerberos V5 and provide encryption service
Unable to connect with Kerberos V5, using normal rlogin
-
Cause:
A Kerberized session could not be established with the appropriate service
(kshell for rsh and rcp, eklogin or klogin for rlogin) on the server.
This may be due to invalid credentials.
Solution:
  - Make sure your credentials are valid. Destroy your tickets
    with kdestroy and create new tickets with kinit.
  - Make sure the target host has a keytab with the correct version
    of the service key. Use kadmin(1M) to view the key version
    number of the service principal (for example, host/FQDN_hostname)
    in the Kerberos database, and use klist -k on the target host to
    make sure it has the same key version number.
  - Make sure there are entries for the services (klogin, eklogin,
    and kshell) in /etc/inetd.conf on the target host.
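The key version comparison and the inetd.conf check from the solution above, as an added shell example that is not part of the original chapter. It parses saved command output instead of calling the tools; the sample data is constructed, and the "Key: vno N," line format assumed for the kadmin output, the function names, and the /path/to placeholders are assumptions.

```sh
# Added example; every sample_* function returns constructed data, not real output.

# Highest key version number for principal $1 in `klist -k` output (stdin).
keytab_kvno() {
    awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}
# Key version number from kadmin principal output (stdin).
# Assumption: keys are listed as "Key: vno N, <enctype>" lines.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" && $3 + 0 > max { max = $3 + 0 } END { print max + 0 }'
}
# Compare: $1 = keytab kvno (0 means the principal is absent), $2 = KDC kvno.
check_kvno() {
    if [ "$1" -eq 0 ]; then echo missing
    elif [ "$1" -eq "$2" ]; then echo match
    else echo mismatch
    fi
}
# Names among klogin, eklogin, kshell with no uncommented inetd.conf line (stdin).
missing_services() {
    awk '$1 !~ /^#/ && NF { seen[$1] = 1 }
         END { n = split("klogin eklogin kshell", want, " ")
               for (i = 1; i <= n; i++)
                   if (!(want[i] in seen)) out = out (out ? " " : "") want[i]
               print out }'
}

sample_klist() { cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/denver.example.com@EXAMPLE.COM
EOF
}
sample_getprinc() { cat <<'EOF'
Principal: host/denver.example.com@EXAMPLE.COM
Key: vno 4, DES cbc mode with CRC-32, no salt
EOF
}
sample_inetd() { cat <<'EOF'
klogin stream tcp nowait root /path/to/rlogind rlogind -k
#eklogin stream tcp nowait root /path/to/rlogind rlogind -k
kshell stream tcp nowait root /path/to/rshd rshd
EOF
}

PRINC=host/denver.example.com@EXAMPLE.COM
kt=$(sample_klist | keytab_kvno "$PRINC")
kdc=$(sample_getprinc | kdc_kvno)
echo "$PRINC: keytab kvno $kt, KDC kvno $kdc: $(check_kvno "$kt" "$kdc")"
echo "inetd.conf services missing: $(sample_inetd | missing_services)"
```

A mismatch means the keytab on the target host holds an older key than the Kerberos database, so tickets issued for the service cannot be decrypted there until the keytab is updated.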
-
Unable to securely authenticate user ... exit
-
Cause:
Authentication could not be negotiated with the server.
Solution:
Start authentication debugging by invoking the telnet command toggle authdebug,
and look at the debug messages for further clues. Also, make sure
you have valid credentials.
-
You are using an old Kerberos5 client without checksum support; only newer clients are authorized.
-
Cause:
Authentication with checksum was not negotiated with the client. The
client may be using an old Kerberos V5 protocol that does not support initial
connection support.
Solution:
Make sure the client is using
a Kerberos V5 protocol that supports initial connection support.