Kerberos EMS error descriptions
Applies to
- ONTAP 9x
- Clustered Data ONTAP 8
Answer
Kerberos is a authentication protocol and Data ONTAP employs it for authenticating either CIFS or NFS requests, depending on the configuration.
By default, NFS is not installed with a Kerberos authentication setup.
Starting with Clustered Data ONTAP CIFS cannot be used unless the the SVM (Storage Virtual Machine) is joined to Active Directory infrastructure and authentication will be performed via the Kerberos implementation in Active Directory.
Data ONTAP 7mode does not trace Kerberos errors related to NFS by default, this has to be enabled with the nfs.rpcsec.trace option:
ontap> options nfs.rpcsec.trace on
In order to reassess the situation, retry your connection and see if something along the following line is logged in EMS messages:
Wed Apr 25 22:18:11 IST [krb.kt.princ.notfound.kv.less:warning]: Kerberos: Found principal nfs/host.domain.com@KDCDOMAIN in keytab file /etc/UNIX_krb5.keytab, but the key version number was wrong (received 3, expected 2). Try running 'kdestroy' and 'kinit' commands on the client and reinstalling the keytab file from the KDC.
Wed Apr 25 22:18:11 IST [rpc.authen.init.rep.status:warning]: authentication reply sent with major_status 851968 and minor_status -1765328158
In Clustered Data ONTAP the authentication is handled by the SECD daemon and at default values SECD will log in detail every authentication request that is not successful.
In order to see a listing of the SECD errors/messages for the last 10 minutes you can use a CLI command of the form:
::> event log show -time >10m -source secd
The SECD daemon that will perform the authentication is the SECD daemon running on the node that owns the LIF accessed by the client, you could also inspect the log from the SPI interface of the node via HTTP at the URL:
https://cluster-mgmt-ip/spi/node-name/etc/log/secd
the files named secd* at the location are the SECD logs.
Minor Status | Minor Error Code | Description | Corrective Action |
KRB5_KT_KVNONOTFOUND | -1765328158L | Key version number for the principal in the key table is incorrect | Capture the network traces and verify the key version number. ap_req kvno should be the same as for the key tab file |
Caution: The workaround given below is as per understanding the code and has not been verified by testing. |
Minor Status | Minor Error Code | Description | Corrective Action |
KRB5KDC_ERR_NONE | -1765328384L | No error | No |
KRB5KDC_ERR_NAME_EXP | -1765328383L | Client's entry in database has expired | Client entry in KDC expired; recreate the key tab files for the client. For verification, capture the network traces between the client and KDC and verify the return status. |
KRB5KDC_ERR_SERVICE_EXP | -1765328382L | Server's entry in database has expired | Server entry in KDC expired; recreate the key tab files for the server. For verification, capture the network traces between the client and KDC and verify the return status. |
KRB5KDC_ERR_BAD_PVNO | -1765328381L | Requested protocol version not supported | Capture the network traces and verify the protocol version (Pvno) in AP_REQ. The Protocol version should be 5; if it is an invalid protocol version, check the nfs client configuration. |
KRB5KDC_ERR_C_OLD_MAST_KVNO | -1765328380L | Client's key is encrypted in an old master key | Check the KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_S_OLD_MAST_KVNO | -1765328379L | Server's key is encrypted in an old master key | Check the KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN | -1765328378L | Client not found in the Kerberos database | Client entry not found in the KDC database; add the principal name and create the key tab files for the client in KDC. For verification, capture the network traces between the client and KDC and verify the return status. |
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN | -1765328377L | Server not found in the Kerberos database | Server entry not found in the KDC database; add the principal name and create the key tab files for the server in KDC. For verification, capture the network traces between the client and KDC and verify the return status. |
KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE | -1765328376L | Principal has multiple entries in the Kerberos database | Client/Server has multiple entries in the KDC database; recreate the key tab files for the client/server. For verification, capture the network traces between the client and KDC and verify the return status. |
KRB5KDC_ERR_NULL_KEY | -1765328375L | Client or server has a null key | Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel |
KRB5KDC_ERR_CANNOT_POSTDATE | -1765328374L | Ticket is ineligible for postdating | Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_NEVER_VALID | -1765328373L | Requested effective lifetime is negative or too short | Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_POLICY | -1765328372L | KDC policy rejects request | Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_BADOPTION | -1765328371L | KDC cannot fulfill the requested option | Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_ETYPE_NOSUPP | -1765328370L | KDC has no support for the encryption type | Check the Windows/UNIX KDC configuration, If the error is noticed during the filer cifs setup, then the machine account for the server name specified is inconsistent and it needs to be reset at Windows KDC. |
KRB5KDC_ERR_SUMTYPE_NOSUPP | -1765328369L | KDC has no support for the checksum type | Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_PADATA_TYPE_NOSUPP |
-1765328368L |
KDC has no support for the padata type |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_TRTYPE_NOSUPP |
-1765328367L |
KDC has no support for the transited type |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_CLIENT_REVOKED |
-1765328366L |
Client's credentials have been revoked |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_SERVICE_REVOKED |
-1765328365L |
Credentials for the server have been revoked |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_TGT_REVOKED |
-1765328364L |
TGT has been revoked |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_CLIENT_NOTYET |
-1765328363L |
Client not yet valid, try again later |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_SERVICE_NOTYET |
-1765328362L |
Server not yet valid, try again later |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_KEY_EXP |
-1765328361L |
Password has expired |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_PREAUTH_FAILED |
-1765328360L |
Pre-authentication failed |
Check the Windows KDC configuration. This error is also encountered during a cifs setup. Provide the valid credentials for the account during the cifs setup; authentication failed with the available credentials. |
KRB5KDC_ERR_PREAUTH_REQUIRED |
-1765328359L |
Additional pre-authentication required |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KDC_ERR_SERVER_NOMATCH |
-1765328358L |
Requested server and ticket do not match |
Check the Windows/UNIX KDC configuration. Nothing to do with ONTAP Kernel. |
KRB5KRB_AP_ERR_BAD_INTEGRITY |
-1765328353L |
Decrypt integrity check failed |
Checksum verification failed, recheck the configured filer and client tickets and capture the network traces. If the same error is noticed, regenerate the tickets for the filer and client. |
KRB5KRB_AP_ERR_TKT_EXPIRED |
-1765328352L |
Ticket expired |
Check the time synchronization between the client, filer and KDC. It should be less than 5 minutes and should be in same time zone. If they are in sync, ticket gets expired. It needs to be renewed. Regenerate the key tab files for the client and filer and retry the Kerberos mount as per the procedure. |
KRB5KRB_AP_ERR_TKT_NYV |
-1765328351L |
Ticket not yet valid |
Check the time synchronization between the client, filer and KDC. It should be less than 5 minutes and should be in same time zone. If they are in sync, the ticket is not valid, it needs to be created. Add the proper principals to the KDC and create the proper key tab files for the client and filer and retry the Kerberos mount as per the procedure. |
KRB5KRB_AP_ERR_REPEAT |
-1765328350L |
Request is a replay |
Check the time synchronization between the KDC and server and also try by setting the libdefaults time sync field to 0 [libdefaults] kdc_timesync = 0 |
KRB5KRB_AP_ERR_NOT_US |
-1765328349L |
The ticket is not for us |
Nothing to do with ONTAP Kernel. |
KRB5KRB_AP_ERR_BADMATCH |
-1765328348L |
Ticket/authenticator do not match |
Capture the network traces and verify the request (ap-req) principal name in the NULL call with the principal names in the key tab file. Both the principals should be the same. If both are not the same, add the proper principal in KDC and generate the new key tab files for the filer and retry the Kerberos mount as per the procedure. |
KRB5KRB_AP_ERR_SKEW |
-1765328347L |
Clock skew too high |
Check the time synchronization between the client, KDC and the filer. It should be less than 5 minutes. All the entities should be in the same time zone. |
KRB5KRB_AP_ERR_BADADDR |
-1765328346L |
Incorrect network address |
Capture the network traces and verify the network addresses, the remote client address, and the encrypted source address are not matching. |
KRB5KRB_AP_ERR_BADVERSION |
-1765328345L |
Protocol version mismatch |
Capture the network traces and verity the message type and protocol version. It should be type AP_REQ and the version should be 5. |
KRB5KRB_AP_ERR_MSG_TYPE |
-1765328344L |
Invalid message type |
Capture the network traces and verity the message type. It should be AP_REQ. |
KRB5KRB_AP_ERR_MODIFIED |
-1765328343L |
Message stream modified |
When a user, or Service Account, or computer password get changed in KDC. When the service decrypts the ticket it is going to use its current password and decrypt the ticket. So, if the Kerberos service ticket was generated by a KDC that has not received the latest password for the Service Account, then, it will encrypt the ticket with the wrong password. Thus, the service will not be able to decrypt the ticket; and then, this error is encountered. Regenerate the tickets with the new password and retry the mount as per the procedure. |
KRB5KRB_AP_ERR_BADORDER |
-1765328342L |
Message out of order |
Verify the cifs setup/ nfs setup with Windows KDC. |
KRB5KRB_AP_ERR_ILL_CR_TKT |
-1765328341L |
Illegal cross-realm ticket |
Add the intermediate cross realm entries [domain_relam] section in the |
KRB5KRB_AP_ERR_BADKEYVER |
-1765328340L |
Key version is not available |
Check the configuration, nothing to do with ONTAP Kernel. |
KRB5KRB_AP_ERR_NOKEY |
-1765328339L |
Service key not available |
Check the configuration, nothing to do with ONTAP Kernel. |
KRB5KRB_AP_ERR_MUT_FAIL |
-1765328338L |
Mutual authentication failed |
Check the configuration , nothing to do with ONTAP Kernel |
KRB5KRB_AP_ERR_BADDIRECTION |
-1765328337L |
Incorrect message direction |
Check the configuration , nothing to do with ONTAP Kernel |
KRB5KRB_AP_ERR_METHOD |
-1765328336L |
Alternative authentication method required |
Check the configuration , nothing to do with ONTAP Kernel |
KRB5KRB_AP_ERR_BADSEQ |
-1765328335L |
Incorrect sequence number in message |
Check the configuration , nothing to do with ONTAP Kernel |
KRB5KRB_AP_ERR_INAPP_CKSUM |
-1765328334L |
Inappropriate type of checksum in message |
Checksum verification failed, recheck the configured filer and client tickets and capture the network traces. If the same error is encountered, regenerate the tickets for the filer and client. |
KRB5KRB_ERR_GENERIC |
-1765328324L |
Generic error |
|
KRB5KRB_ERR_FIELD_TOOLONG |
-1765328323L |
Field is too long for this implementation |
Credentials length too long, it should be less than 65535. Capture the network traces and verify the same. |
KRB5_LIBOS_BADLOCKFLAG |
-1765328255L |
Invalid flag for file lock mode |
Collect the network traces between the client and the filer |
KRB5_LIBOS_CANTREADPWD |
-1765328254L |
Cannot read password |
Recheck the cifs setup or nfs setup with Windows KDC. |
KRB5_LIBOS_BADPWDMATCH |
-1765328253L |
Password mismatch |
Recheck the cifs setup or nfs setup with Windows KDC. |
KRB5_LIBOS_PWDINTR |
-1765328252L |
Password read interrupted |
Recheck the cifs setup or nfs setup with Windows KDC. |
KRB5_PARSE_ILLCHAR |
-1765328251L |
Illegal character in component name |
Nothing to do with ONTAP Kernel. |
KRB5_PARSE_MALFORMED |
-1765328250L |
Malformed representation of principal |
Capture the network traces and verify the request principal |
KRB5_CONFIG_CANTOPEN |
-1765328249L |
Cannot open/find Kerberos |
Check if the |
KRB5_CONFIG_BADFORMAT |
-1765328248L |
Improper format of Kerberos |
Check the |
KRB5_CONFIG_NOTENUFSPACE |
-1765328247L |
Insufficient space to return complete information |
Check the configured key tab file name, should be less than 256 characters. |
KRB5_BADMSGTYPE |
-1765328246L |
Invalid message type specified for encoding |
Capture the network traces and verify the message type, It should be ap_req(14).. |
KRB5_CC_BADNAME |
-1765328245L |
Credential cache name malformed |
Verify the cifs setup or nfs setup using Windows KDC. |
KRB5_CC_UNKNOWN_TYPE |
-1765328244L |
Unknown credential cache type |
Verify the cifs setup or nfs setup using Windows KDC. |
KRB5_CC_NOTFOUND |
-1765328243L |
No matching credential has been found |
Verify the cifs setup or nfs setup using Windows KDC |
KRB5_CC_END |
-1765328242L |
End of credential cache reached |
Verify the cifs setup or nfs setup using Windows KDC |
KRB5_NO_TKT_SUPPLIED |
-1765328241L |
Request did not supply a ticket |
Capture the network traces and verify the ticket length. It should have a proper value. |
KRB5KRB_AP_WRONG_PRINC |
-1765328240L |
Wrong principal in request |
Capture the network traces and compare the server principal name in ap-req with the filer key tab principal names. |
KRB5KRB_AP_ERR_TKT_INVALID |
-1765328239L |
Ticket has an invalid flag set |
Request contains an invalid ticket. Regenerate the tickets for the client and filer. |
KRB5_KDCREP_MODIFIED |
-1765328237L |
KDC reply did not match expectations |
Verify the cifs setup or nfs setup using Windows KDC. |
KRB5_PRINC_NOMATCH |
-1765328238L |
Requested principal and ticket do not match |
Capture the network traces and compare the server principal name in request with the filer key tab principal name. |
KRB5_KDCREP_SKEW |
-1765328236L |
Clock skew too high in KDC reply |
Check the time synchronization between the client, KDC and the filer. It should be less than 5 minutes and should be in same time zone. |
KRB5_IN_TKT_REALM_MISMATCH |
-1765328235L |
Client/server realm mismatch in the initial ticket request |
Capture the network traces and compare the realm names in the request with the filer configured realm. |
KRB5_PROG_ETYPE_NOSUPP |
-1765328234L |
Program lacks support for encryption type |
ONTAP 7G/7M will support only DES-CBC-CRC and DES-CBC-MD5. While generating key tabs using add_principal/ktpass, use the encryption type DES only. |
KRB5_WRONG_ETYPE |
-1765328232L |
Requested encryption type not used in the message |
Nothing to do with ONTAP Kernel. |
KRB5_PROG_SUMTYPE_NOSUPP |
-1765328231L |
Program lacks support for the checksum type |
Checksum type not supported, verify the client side configuration. |
KRB5_REALM_UNKNOWN |
-1765328230L |
Cannot find KDC for requested realm |
Check the |
KRB5_SERVICE_UNKNOWN |
-1765328229L |
Kerberos service unknown |
Nothing to do with ONTAP Kernel |
KRB5_KDC_UNREACH |
-1765328228L |
Cannot contact any KDC for the requested realm |
Check the cifs setup or nfs setup using Windows KDC |
KRB5_NO_LOCALNAME |
-1765328227L |
No local name found for principal name |
Nothing to do with ONTAP Kernel. |
KRB5_MUTUAL_FAILED |
-1765328226L |
Mutual authentication failed |
Check the time synchronization between the client, KDC and the filer. It should be less than 5 minutes and should be in same time zone. |
KRB5_RC_TYPE_EXISTS |
-1765328225L |
Replay cache type is already registered |
Try by disabling the Kerberos reply cache option. |
KRB5_RC_MALLOC |
-1765328224L |
No more memory to allocate in replay cache code |
Check the filer memory statics. |
KRB5_RC_TYPE_NOTFOUND |
-1765328223L |
Replay cache type is unknown |
Try disabling the Kerberos reply cache option. |
KRB5_RC_UNKNOWN |
-1765328222L |
Generic unknown RC error |
Try disabling the Kerberos reply cache option. |
KRB5_RC_REPLAY |
-1765328221L |
Message is a replay |
Try disabling the Kerberos reply cache option. |
KRB5_RC_IO |
-1765328220L |
Replay I/O operation failed |
Try disabling the Kerberos reply cache option. |
KRB5_RC_NOIO |
-1765328219L |
Replay cache type does not support non-volatile storage |
Try disabling the Kerberos reply cache option. |
KRB5_RC_PARSE |
-1765328218L |
Replay cache name parse and format error |
Try disabling the Kerberos reply cache option. |
KRB5_RC_IO_EOF |
-1765328217L |
End-of-file on replay cache I/O |
Try disabling the Kerberos reply cache option. |
KRB5_RC_IO_MALLOC |
-1765328216L |
No more memory to allocate in replay cache I/O code |
Check the filer memory statics. |
KRB5_RC_IO_PERM |
-1765328215L |
Permission denied in replay cache code |
Try disabling the Kerberos reply cache option. |
KRB5_RC_IO_IO |
-1765328214L |
I/O error in replay cache I/O code |
Check the filer memory statics. |
KRB5_RC_IO_UNKNOWN |
-1765328213L |
Generic unknown RC/IO error |
Check the filer memory statics. |
KRB5_RC_IO_SPACE |
-1765328212L |
Insufficient system space to store replay information |
Check the filer memory statics. |
KRB5_TRANS_CANTOPEN |
-1765328211L |
Cannot open/find the realm translation file |
Nothing to do with ONTAP Kernel. |
KRB5_TRANS_BADFORMAT |
-1765328210L |
Improper format of realm translation file |
Nothing to do with ONTAP Kernel. |
KRB5_LNAME_CANTOPEN |
-1765328209L |
Cannot open or find the lname translation database |
Capture the network traces and verity the error and generate the new tickets with the proper encryption type. |
KRB5_LNAME_NOTRANS |
-1765328208L |
No translation is available for the requested principal |
Capture the network traces and verity the error and generate the new tickets with the proper encryption type. |
KRB5_LNAME_BADFORMAT |
-1765328207L |
Improper format of translation database entry |
Capture the network traces and verity the error and generate the new tickets with the proper encryption type. |
KRB5_CRYPTO_INTERNAL |
-1765328206L |
Cryptosystem internal error |
Checksum validation failed. Capture the network traces and verity the error and generate the new tickets with the proper encryption type. |
KRB5_KT_BADNAME |
-1765328205L |
Key table name malformed |
Nothing to do with ONTAP Kernel. |
KRB5_KT_UNKNOWN_TYPE |
-1765328204L |
Unknown key table type |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_KT_NOTFOUND |
-1765328203L |
Key table entry not found |
Capture the network traces and verify the ap-req principal is available in key tab file or not. |
KRB5_KT_END |
-1765328202L |
End of key table reached |
Capture the network traces and verify the ap-req principal is available in key tab file or not. |
KRB5_KT_NOWRITE |
-1765328201L |
Cannot write to the specified key table |
Verify the number of memory key tab entries; it should be less than 64. |
KRB5_KT_IOERR |
-1765328200L |
Error writing to key table |
Verify the ,give the configured default_keytab_name' in the |
KRB5_NO_TKT_IN_RLM |
-1765328199L |
Cannot find the ticket for the requested realm |
Capture the network traces between the filer and Windows/UNIX KDC. If the ticket is not found, add the proper principals and regenerate the tickets. |
KRB5DES_BAD_KEYPAR |
-1765328198L |
DES key has bad parity |
Checksum verification failed; retry the mount operation with the newly generated key tab files. |
KRB5DES_WEAK_KEY |
-1765328197L |
DES key is a weak key |
Checksum verification failed; retry the mount operation with the newly generated key tab files. |
KRB5_BAD_ENCTYPE |
-1765328196L |
Bad encryption type |
ONTAP 7G/7M will support only DES-CBC-CRC and DES-CBC-MD5. While generating key tabs using add_principal/ktpass, use the encryption type DES only. |
KRB5_BAD_KEYSIZE |
-1765328195L |
Key size is incompatible with the encryption type |
Key size validation failed during checksum validation. Capture the network traces and verity the error and generate the new tickets with the proper encryption type. |
KRB5_BAD_MSIZE |
-1765328194L |
Message size is incompatible with the encryption type |
Message size validation failed during check sum verification. Capture the network traces and verity the error and generate the new tickets with the proper encryption type. |
KRB5_CC_TYPE_EXISTS |
-1765328193L |
Credentials cache type is already registered |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup, Capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_KT_TYPE_EXISTS |
-1765328192L |
Key table type is already registered |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_CC_IO |
-1765328191L |
Credentials cache I/O operation failed |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_FCC_PERM |
-1765328190L |
Credentials cache file permissions incorrect |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_FCC_NOFILE |
-1765328189L |
No credentials cache file found |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_FCC_INTERNAL |
-1765328188L |
Internal file credentials cache error |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_CC_WRITE |
-1765328187L |
Error writing to credentials cache file |
Check the cifs setup or nfs setup using Windows KDC; capture the network traces between the filer and KDC during the cifs/nfs setup |
KRB5_CC_NOMEM |
-1765328186L |
No more memory to allocate in the credentials cache code |
Verify the filer memory statistics. |
KRB5_CC_FORMAT |
-1765328185L |
Bad format in the credentials cache |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_INVALID_FLAGS |
-1765328184L |
Invalid KDC option combination, which is an internal library error |
Nothing to do with ONTAP kernel. |
KRB5_NO_2ND_TKT |
-1765328183L |
Request missing second ticket |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_NOCREDS_SUPPLIED |
-1765328182L |
No credentials supplied to library routine |
Nothing to do with ONTAP kernel. |
KRB5_SENDAUTH_BADAUTHVERS |
-1765328181L |
Bad sendauth version was sent |
Check the cifs setup or nfs setup using windows kdc, Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_SENDAUTH_BADAPPLVERS |
-1765328180L |
Bad application version was sent by sendauth |
Check the cifs setup or nfs setup using windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_SENDAUTH_BADRESPONSE |
-1765328179L |
Bad response during sendauth exchange |
Check the cifs setup or nfs setup using Windows KDC, Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_SENDAUTH_REJECTED |
-1765328178L |
Server rejected authentication during sendauth exchange |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_PREAUTH_BAD_TYPE |
-1765328177L |
Unsupported pre-authentication type |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_PREAUTH_NO_KEY |
-1765328176L |
Required pre-authentication key not supplied |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_PREAUTH_FAILED |
-1765328175L |
Generic pre-authentication failure |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_RCACHE_BADVNO |
-1765328174L |
Unsupported format version number for replay cache |
Try by disabling the Kerberos reply cache option. |
KRB5_CCACHE_BADVNO |
-1765328173L |
Unsupported credentials cache format version number |
Check the cifs setup or nfs setup using windows kdc, Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_KEYTAB_BADVNO |
-1765328172L |
Unsupported key table format version number |
Capture the network traces and verify the ap-req key version in the key tab file. Both should have same key version number. |
KRB5_PROG_ATYPE_NOSUPP |
-1765328171L |
Program lacks support for address type |
Received invalid IP address type, check the client side configuration. |
KRB5_RC_REQUIRED |
-1765328170L |
Message replay detection requires rcache parameter |
Try disabling the Kerberos reply cache option. |
KRB5_ERR_BAD_HOSTNAME |
-1765328169L |
Host name cannot be canonicalized |
Hostname to IP address resolution failed. Verify the name server resolution. |
KRB5_ERR_HOST_REALM_UNKNOWN |
-1765328168L |
Cannot determine the realm for the host |
Configure the default realm. |
KRB5_SNAME_UNSUPP_NAMETYPE |
-1765328167L |
Conversion to service principal is undefined for the name type |
ONTAP has taken care and is always setting the proper type. |
KRB5_REALM_CANT_RESOLVE |
-1765328165L |
Cannot resolve KDC for requested realm |
Check the configured KDC details. |
KRB5_TKT_NOT_FORWARDABLE |
-1765328164L |
The requesting ticket cannot get the forwardable tickets |
Nothing to do with ONTAP Kernel. |
KRB5_FWD_BAD_PRINCIPAL |
-1765328163L |
Bad principal name while trying to forward credentials |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_GET_IN_TKT_LOOP |
-1765328162L |
Looping detected inside krb5_get_in_tkt |
Check the cifs setup or nfs setup using Windows KDC. Capture the network traces between the filer and KDC during the cifs/nfs setup. |
KRB5_CONFIG_NODEFREALM |
-1765328161L |
Configuration file |
Configure the default realm name in libdefaults section in the |
KRB5_SAM_UNSUPPORTED |
-1765328160L |
Bad SAM flags in obtain_sam_padata |
|
KRB5_KT_NAME_TOOLONG |
-1765328159L |
Key tab name too long |
Configure proper key tab name in the |
KRB5_KT_KVNONOTFOUND |
-1765328158L |
Key version number for principal in key table is incorrect |
Capture the network traces and verify the key version number. ap_req kvno should be same as with the key tab file.
|
Additional Information
Add your text here.