I am a bit perplexed by this problem that is noticed only in Solaris 10u3. When I configure Kerberos in a cluster and enable the HA Kerberos service, the start method exits successfully. If I immediately try to access the service with a

# kadmin -p kws/admin

it hangs!!

The /var/adm/messages file has the following error messages:

 kadmin[8045]: [ID 824607 user.error] GSS-API error : An invalid status code was supplied
 kadmin[8045]: [ID 824607 user.error] GSS-API error : An invalid status code was supplied
 kadmin[8045]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
 kadmin[8045]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
 kadmin[8045]: [ID 824607 user.error] GSS-API error : An invalid status code was supplied
 kadmin[8045]: [ID 824607 user.error] GSS-API error : Unknown code 96
 kadmin[8045]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
 kadmin[8045]: [ID 824607 user.error] GSS-API error : Unknown code 96

** Sometimes the return code is 204.

The /var/krb5/kdc.log doesn't show any error:

krb5kdc[8008](info): listening on fd 7: tcp ::.88 port 88
krb5kdc[8008](info): set up 8 sockets
krb5kdc[8015](info): commencing operation
krb5kdc[8015](info): AS_REQ xxx(0): NEEDED_PREAUTH: kws/admin@xxx for kadmin/x@xxx, Additional pre-authentication required
krb5kdc[8015](info): AS_REQ xxx(0): ISSUE: authtime 1205265961, kws/admin@xxx for kadmin/xxx@xxx

The problem seems to be due to the delayed start of kadmind:

kadmind[8013](info): starting
krb5kdc[8015](info): AS_REQ xxx(0): NEEDED_PREAUTH: sckrb5-probe/admin@xxx for kadmin/xxx@xxx, Additional pre-authentication required
krb5kdc[8015](info): AS_REQ xxx(0): ISSUE: authtime 1205266244, sckrb5-probe/admin@xxx for kadmin/xxx@xxx
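
One way to confirm that ordering from kdc.log is to check which kadmin/* tickets the KDC issued before kadmind logged "starting". This is an added example, not part of the original post or of the HA Kerberos agent; the function names are hypothetical and the two excerpts above are assumed to come from one contiguous log.

```python
import re

# Lines taken from the post's two kdc.log excerpts, assumed here to be one
# contiguous log. One ISSUE entry is left wrapped to show that is tolerated.
SAMPLE_LOG = """\
krb5kdc[8015](info): commencing operation
krb5kdc[8015](info): AS_REQ xxx(0): NEEDED_PREAUTH: kws/admin@xxx for kadmin/x@xxx, Additional pre-authentication required
krb5kdc[8015](info): AS_REQ xxx(0): ISSUE:
authtime 1205265961, kws/admin@xxx for kadmin/xxx@xxx
kadmind[8013](info): starting
krb5kdc[8015](info): AS_REQ xxx(0): NEEDED_PREAUTH: sckrb5-probe/admin@xxx for kadmin/xxx@xxx, Additional pre-authentication required
krb5kdc[8015](info): AS_REQ xxx(0): ISSUE: authtime 1205266244, sckrb5-probe/admin@xxx for kadmin/xxx@xxx
"""

# Either kadmind's "starting" line or a KDC ticket issued for a kadmin/* service.
EVENT = re.compile(
    r"kadmind\[\d+\]\(info\): (?P<start>starting)"
    r"|krb5kdc\[\d+\]\(info\): AS_REQ [^\n]*?: ISSUE:\s+authtime (?P<t>\d+),"
    r" (?P<client>\S+) for (?P<svc>kadmin/\S+)"
)

def tickets_around_kadmind_start(log_text):
    """Split kadmin/* tickets into those issued before and after kadmind started."""
    early, late, started = [], [], False
    for m in EVENT.finditer(log_text):  # matches come back in file order
        if m.group("start"):
            started = True
        else:
            rec = (m.group("client"), int(m.group("t")))
            (late if started else early).append(rec)
    return early, late

def startup_window_seconds(log_text):
    """Seconds between the first early ticket and the first ticket after start.

    Under the single-log assumption, kadmind logged "starting" inside this window.
    """
    early, late = tickets_around_kadmind_start(log_text)
    if not early or not late:
        return None
    return late[0][1] - early[0][1]

if __name__ == "__main__":
    early, late = tickets_around_kadmind_start(SAMPLE_LOG)
    print("issued before kadmind start:", early)
    print("issued after kadmind start: ", late)
    print("window (s):", startup_window_seconds(SAMPLE_LOG))
```

A non-empty first list means clients were already being handed tickets for the admin service while kadmind had not yet logged its start.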

I have logged the following bug for the issue which is still open:

Synopsis: kadmin -p kws/admin fails for first few tries immediately after resource is brought online 1st time

Bug ID: 6492372
Category: suncluster:ha-kerberos
State: 3-Accepted
Keywords:
Reported: 10-NOV-2006
Reported against: 3.2_72
Last Updated: 06-JUL-2007


If you happen to be an expert in Kerberos and want to try your hand at fixing the bug, sign up for the OHAC community at http://cs.opensolaris.org/os/community/ha-clusters/.


This blog copyright 2009 by maddy