Wednesday Mar 12, 2008

I am a bit perplexed by this problem that is noticed only in Solaris 10u3.  When I configure Kerberos in a cluster and enable the HA Kerberos service, the start method exits successfully.  If I immediately try to access the service with a

#kadmin -p kws/admin

it hangs!!

The /var/adm/messages file has the following error messages:

 kadmin[8045]: [ID 824607 user.error] GSS-API error : An invalid status code was supplied
 kadmin[8045]: [ID 824607 user.error] GSS-API error : An invalid status code was supplied
 kadmin[8045]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
 kadmin[8045]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
 kadmin[8045]: [ID 824607 user.error] GSS-API error : An invalid status code was supplied
 kadmin[8045]: [ID 824607 user.error] GSS-API error : Unknown code 96
 kadmin[8045]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
 kadmin[8045]: [ID 824607 user.error] GSS-API error : Unknown code 96

**sometimes the return code is 204 

The /var/krb5/kdc.log doesn't show any error:

krb5kdc[8008](info): listening on fd 7: tcp ::.88 port 88
krb5kdc[8008](info): set up 8 sockets
krb5kdc[8015](info): commencing operation
krb5kdc[8015](info): AS_REQ xxx(0): NEEDED_PREAUTH: kws/admin@xxx for kadmin/x@xxx, Additional pre-authentication required
krb5kdc[8015](info): AS_REQ xxx(0): ISSUE: authtime 1205265961, kws/admin@xxx for kadmin/xxx@xxx

The problem seems to be due to the delayed start of kadmind:

kadmind[8013](info): starting
krb5kdc[8015](info): AS_REQ xxx(0): NEEDED_PREAUTH: sckrb5-probe/admin@xxx for kadmin/xxx@xxx, Additional pre-authentication required
krb5kdc[8015](info): AS_REQ xxx(0): ISSUE: authtime 1205266244, sckrb5-probe/admin@xxx for kadmin/xxx@xxx

I have logged the following bug for the issue, which is still open:

Synopsis: kadmin -p kws/admin fails for first few tries immediately after resource is brought online 1st time
Bug ID: 6492372
Category: suncluster:ha-kerberos
State: 3-Accepted
Keywords:
Reported: 10-NOV-2006
Reported against: 3.2_72
Last Updated: 06-JUL-2007


If you happen to be an expert in Kerberos and want to try your hand at fixing the bug, sign up for the OHAC community at http://cs.opensolaris.org/os/community/ha-clusters/.

Friday Feb 01, 2008

In the Nevada builds before 82, if the /etc/krb5/krb5.conf file is misconfigured, executing the kdb5_util create command encounters a SIGSEGV and dumps core.  This issue is fixed in b82.

The most likely cause, in my opinion, is the comments in the krb5.conf file.  Just run a check to see if a delimiter or required directive is commented out.
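
One way to run the check suggested above before invoking kdb5_util create, as an added example (not code from this blog or from Solaris). The REQUIRED table is an assumption about which directives count as required, since the post does not list them, and SAMPLE is a constructed file.

```python
import re

# Assumption: the post does not say which directives are "required"; these
# are the usual minimum for a KDC host (section -> relations).
REQUIRED = {"libdefaults": ["default_realm"], "realms": ["kdc", "admin_server"]}
SECTION = re.compile(r"\[(\w+)\]$")
RELATION = re.compile(r"([\w.-]+)\s*=")

def lint_krb5_conf(text):
    """Return sorted (line_no, message) findings for a krb5.conf body."""
    findings, seen, commented = [], set(), {}
    section, depth, no = None, 0, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":                      # whole-line comment
            body = line.lstrip("#; \t")
            if body == "}" or body.endswith("{"):
                findings.append((no, "commented-out delimiter"))
            m = RELATION.match(body)
            if m:                                # remember commented relations
                commented.setdefault((section, m.group(1)), no)
            continue
        m = SECTION.match(line)
        if m:
            if depth > 0:                        # a '}' never closed the block
                findings.append((no, "section starts inside unclosed '{'"))
            section, depth = m.group(1), 0
            continue
        m = RELATION.match(line)
        if m:
            seen.add((section, m.group(1)))
        depth += line.count("{") - line.count("}")
    if depth > 0:
        findings.append((no, "unclosed '{' at end of file"))
    for sec, keys in REQUIRED.items():
        for key in keys:
            if (sec, key) not in seen:
                at = commented.get((sec, key), 0)   # line 0 = not in file
                state = "commented out" if at else "missing"
                findings.append((at, "%s in [%s] is %s" % (key, sec, state)))
    return sorted(findings)

# Constructed sample input, not taken from the post.
SAMPLE = ("[libdefaults]\n#default_realm = EXAMPLE.COM\n[realms]\n"
          "EXAMPLE.COM = {\nkdc = kdc1.example.com\n"
          "admin_server = kdc1.example.com\n#}\n[domain_realm]\n")
```

Calling lint_krb5_conf(open("/etc/krb5/krb5.conf").read()) returns an empty list when no commented-out delimiter or required relation is found.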

 

This blog copyright 2009 by maddy