2502-000 | kdestroy: No tickets to destroy. |
Explanation: You issued the command when there was no ticket cache file. Perhaps the KRBTKFILE environment variable is set to the name of a nonexistent file.
User Response: Check the setting of the environment variable.
2502-001 | kdestroy: Tickets NOT destroyed. |
Explanation: An error occurred when the command tried to delete the ticket cache file.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
2502-002 | kinit: k_gethostname did not succeed. |
Explanation: The command was unable to get the system's hostname.
User Response: Check that the system hostname is properly set by issuing the hostname command. If it is returned correctly, gather information about the problem and follow local site procedures for reporting hardware and software problems.
2502-003 | kinit: Incorrect Kerberos V4 name format. |
Explanation: The principal name you entered was longer than 40 characters or contained the characters '.' or '@'.
User Response: Reissue the command, entering a valid name when prompted.
2502-004 | kinit: Incorrect Kerberos V4 instance format. |
Explanation: The instance name you entered was longer than 40 characters or contained the characters '.' or '@'.
User Response: Reissue the command, entering a valid instance when prompted. Press the Enter key to enter a null instance name.
2502-005 | kinit: Incorrect Kerberos V4 realm format. |
Explanation: The realm name you entered was longer than 40 characters or contained the '@' character.
User Response: Reissue the command, entering a valid realm name when prompted.
2502-006 | kinit: krb_get_lrealm did not succeed. |
Explanation: The command was unable to identify the local realm.
User Response: Check that the first line of the /etc/krb.conf file contains the local realm name. If the file is missing or incorrect, fix it. If not, gather information about the problem and follow local site procedures for reporting hardware and software problems.
2502-007 | klist: Can't find realm of ticket file: file name |
Explanation: The realm name of the principal who holds the tickets in the ticket cache file being listed cannot be found in the ticket file. The file is probably corrupted, or KRBTKFILE is set to the name of a file that is not a ticket cache file.
User Response: You will probably have to reissue the kinit command to establish a valid ticket.
2502-008 | File error file name error_message |
Explanation: The server key file could not be opened. To list the contents of the default key file, you must be the root user.
User Response: Take whatever action is appropriate for the specific error indicated by the error-text.
2502-009 | klist: Error reading from key file: error-text |
Explanation: The read system call returned an error, when the command tried to obtain the service key information.
User Response: Take whatever action is appropriate for the specific error indicated by the error-text.
2502-010 | klist: Key file truncated. |
Explanation: While attempting to list the service keys in a server key file, the command found the data to be incomplete.
User Response: Check that the file specified is a service key file. Try the ksrvutil list command as an alternative. If it works, gather information about the problem and follow local site procedures for reporting hardware and software problems.
2502-013 | kpasswd: Incorrect name: principal-name |
Explanation: You entered a nonexistent principal name in reply to a prompt.
User Response: Reissue the command, and enter a correct principal when prompted.
2502-014 | kpasswd: Incorrect instance: instance-name |
Explanation: You entered a nonexistent instance name in reply to a prompt.
User Response: Reissue the command, and enter a correct instance when prompted.
2502-015 | kpasswd: Incorrect realm: realm-name |
Explanation: You entered a nonexistent realm name in reply to a prompt.
User Response: Reissue the command, and enter a correct realm when prompted.
2502-016 | kpasswd: Password NOT changed. |
Explanation: An error occurred in attempting to change the password. See the preceding error message for more detailed information.
User Response: None
2502-017 | kpasswd: Error reading old password. |
Explanation: The command could not read the old password from stdin. Perhaps you cancelled the input using Ctrl-C.
User Response: Reissue the command if you wish to try again.
2502-018 | kpasswd: Error reading new password; password unchanged. |
Explanation: The command could not read the new password from stdin. Perhaps you cancelled the input using Ctrl-C.
User Response: Reissue the command if you wish to try again.
2502-019 | ksrvutil: Error reading password. |
Explanation: The command could not read the password from stdin. Perhaps you cancelled the input using Ctrl-C.
User Response: Reissue the command if you wish to try again.
2502-020 | ksrvutil: Unable to create file name error-text |
Explanation: The system returned the indicated error when the command tried to create a server key file or a temporary work file.
User Response: Take action appropriate to the specific error indicated.
2502-021 | ksrvutil: Error reading file name error-text |
Explanation: The system returned the indicated error when the command tried to read a file.
User Response: Take action appropriate to the specific error indicated.
2502-022 | ksrvutil: Error writing file name error-text |
Explanation: The system returned the indicated error when the command tried to write the file.
User Response: Take action appropriate to the specific error indicated.
2502-023 | ksrvutil: Error closing file name error-text |
Explanation: The system returned the indicated error when the command tried to close a file. Perhaps there is a file system space problem.
User Response: Take action appropriate to the specific error indicated.
2502-024 | ksrvutil: Unable to open file name for append: error-text |
Explanation: The system returned the indicated error when the command tried to append to a server key file or a temporary work file.
User Response: Take action appropriate to the specific error indicated.
2502-025 | ksrvutil: Unable to revert keyfile: file name |
Explanation: The command tried to restore the backup copy of the server key file after a failure, but could not.
User Response: Follow the procedures for recreating the server key file.
2502-026 | ksrvutil: Error renaming workfile to keyfile: error-text |
Explanation: The system returned the indicated error when the command tried to rename a file.
User Response: Take action appropriate to the specific error indicated.
2502-027 | ksrvutil: In-progress srvtab in this file. |
Explanation: You attempted to update a server key file while it was locked by another process.
User Response: Wait until other updates are done, then reissue the command.
2502-028 | add_principal: Cannot obtain local realm name, use the -r option. |
Explanation: The command could not read the local realm name from the authentication configuration file: /etc/krb.conf.
User Response: You can circumvent the problem by reissuing the command with the -r realm option to explicitly name the local realm. However, you should also fix the file to prevent further authentication problems.
2502-029 | add_principal: Userid is not in the system password file. |
Explanation: The getpwuid() system call was unable to return your user login name to the command.
User Response: Gather information about the problem and follow local site procedures for reporting hardware and software problems.
2502-030 | add_principal: Cannot get an admin ticket and the -n option was specified |
Explanation: You specified the -n flag on the command to indicate that you want to use an existing ticket-granting-ticket for an admin principal, rather than have the command prompt you for a password. No such ticket could be found.
User Response: Issue the k4list command to check your tickets. Perhaps you need to set the KRBTKFILE environment variable to point to an existing ticket cache file. If no ticket cache file exists, issue the kinit command to identify yourself using an admin principal name,
2502-031 | add_principal: Cannot read admin password. |
Explanation: The command was unable to read the admin password from stdin. When a ticket does not already exist, and when you do not specify the -n flag on the command line, add_principal prompts you for the password for the principal named your-login-name.admin.
User Response: Enter the correct password when prompted.
2502-032 | add_principal: Principal your-login-name.admin@realm-name does not exist. |
Explanation: You attempted to add principals to the authentication database, but you are not defined as an administrator of the database.
User Response: Have an authorized authentication database administrator perform this task, or define an admin principal for you.
2502-033 | add_principal: Incorrect admin password. |
Explanation: The password you entered in reply to the prompt was incorrect.
User Response: Retry the command; enter your correct admin authentication password.
2502-034 | add_principal: The file file name does not exist |
Explanation: You probably misspelled the name of the input file.
User Response: Reissue the command with the correct name.
2502-035 | add_principal: Insufficient access to read file file name |
Explanation: You do not have read access to the input file you named. It could be the wrong file or you are not authorized to access it.
User Response: Reissue the command with the correct file name, if wrong. Otherwise, have the file owner authorize you to access it.
2502-036 | add_principal: Error opening file file name |
Explanation: The command could not open the input file you specified to read the principal names and passwords.
User Response: Retry the command with the correct file.
2502-037 | add_principal: principal-name already exists in database. |
Explanation: The input file you used contained the name of an already-defined principal. The request to add it again is ignored.
User Response: None.
2502-038 | add_principal: principal-name not added to database, error setting password |
Explanation: The authentication database administration server could not set the password for the principal. You may not be properly authorized in the administration server's access control list.
In order to add principals, an entry of the form your-login-name.admin must be in the file /var/kerberos/database/admin_acl.add on the primary server.
User Response: Check the access control list for a missing or misspelled entry. If wrong, correct it and reissue the failing command.
2502-039 | add_principal: principal-name not added, realm name cannot be changed. |
Explanation: The realm name you specified with the -r option, or the local realm name if you omitted the option, is different than a realm name that is included explicitly in the name of a principal to be added. The command can add principals to only one realm at a time.
User Response: Correct the realm name, if it is incorrectly specified on the command line or in the file. If you need to add principals to different realms, create separate files and issue the add_principal command once for each realm.
2502-040 | add_principal: Null passwords are not allowed |
Explanation: The command found a principal listed in the input file without a password.
User Response: Each principal to be added must be assigned an initial password. Correct the input file and reissue the command.
2502-041 | You aren't in the password file. Who are you? |
Explanation: The command could not verify your identity as an AIX user.
User Response: Check for corrupted system files.
2502-042 | Error reading admin password. |
Explanation: The command was unable to read your admin password from stdin.
User Response: Report this as a system problem through your local problem reporting procedures.
2502-043 | Error reading password; password unchanged. |
Explanation: The command was unable to read the new password from stdin.
User Response: Report this as a system problem through your local problem reporting procedures.
2502-044 | Principal principal does not exist. |
Explanation: The principal name you specified was not found in the authentication database. You may have incorrectly specified the name.
User Response: If you misspelled the principal or realm, retry the command. Otherwise, use the kdb_util dump command to determine the content of the database.
2502-045 | Error reading password; principal not added. |
Explanation: The command was unable to read the new password from stdin.
User Response: Report this as a system problem through your local problem reporting procedures.
2502-046 | Principal already exists. |
Explanation: The principal name you specified is already in the authentication database. You may have incorrectly specified the principal or realm.
User Response: If you misspelled the principal or realm, retry the command. Otherwise, use the kdb_util dump command to determine the content of the database.
2502-047 | Incorrect admin password. |
Explanation: You specified the wrong password for your admin instance.
User Response: Retry the command, entering the correct password when prompted.
2502-048 | Unable to obtain the authentication mechanism on local host. |
Explanation: The authentication method for this host could not be found.
User Response: Record the above information and contact the IBM Support Center.
2502-050 | Unable to obtain local hostname. |
Explanation: The system returned an error when the command tried to get the local hostname.
User Response: Record the above information and contact the IBM Support Center.
2502-051 | Unable to obtain name of local realm. |
Explanation: The command was unable to identify the local realm.
User Response: Check that the first line of the /etc/krb.conf file contains the local realm name. If the file is missing or in error, correct it. If not, record the above information and contact the IBM Support Center.
2502-052 | Error getting service ticket for rcmd: error-string. |
Explanation: Kerberos reported the error stated in the message.
User Response: See the information for the specified Kerberos error message.
2502-053 | Error reading stdin: error-string. |
Explanation: The command could not read from stdin. Perhaps you cancelled the input using Ctrl-C.
User Response: Enter the command again.
2502-054 | The KRBTKFILE environment variable was not set prior to issuing this command. |
Explanation: rcmdtgt and ksrvtgt are intended for use by scripts running in the background as root, such as at boot time, under the Sysctl daemon, or as a cron job. They must not inadvertently destroy the root user's default K4 credential cache. One of the following applies:
User Response: For a programming error, follow normal problem reporting procedures. Otherwise, set KRBTKFILE to the pathname of an alternate ticket cache file and enter the command again.
2502-600 | An error occurred getting a hostname: error-text. |
Explanation: A gethostbyname or gethostbyaddr system call was not successful.
User Response: Follow normal problem reporting procedures.
2502-601 | No DCE security server is available. |
Explanation: The DCE security server could not be contacted because it terminated abnormally or has been shut down by the administrator.
User Response: Check with the system administrator, who must restart a DCE security server in order for you to complete the original request. If you cannot resolve the problem, follow normal problem reporting procedures.
2502-602 | Your DCE login context has expired. |
Explanation: Your request was denied access by a server, and you have an expired DCE login context, so it is impossible for the client to obtain DCE credentials. Authorization may have been denied because no valid DCE credentials were provided by the client.
User Response: Check the access control policy on the server that denied the request, to see if you would have been allowed access with valid DCE credentials. If so, you must use dce_login before retrying the request. If you cannot resolve the problem, follow normal problem reporting procedures.
2502-603 | You do not have authentication-method credentials. |
Explanation: Your request was denied access by a server, and you have not logged into DCE or Kerberos V4, so the client cannot obtain the specified credentials. Authorization may have been denied because no valid credentials were provided by the client.
User Response: Check the access control policy on the server that denied the request to see if you would have been allowed access with valid credentials. If so, you must use dce_login or k4init before retrying the request. If you cannot resolve the problem, follow normal problem reporting procedures.
2502-604 | Unable to determine the active authentication methods. |
Explanation: This information could not be read from file /spdata/sys1/spsec/auth_methods. This is probably a system error.
User Response: Follow normal problem reporting procedures.
2502-605 | Your authentication-method credentials have expired. |
Explanation: Your request was denied access by a server, and you have DCE or Kerberos V4 credentials that have expired. Authorization may have been denied because no valid credentials were provided by the client.
User Response: Check the access control policy on the server that denied the request to see if you would have been allowed access with current credentials. If so, you must use dce_login or k4init before retrying the request. If you cannot resolve the problem, follow normal problem reporting procedures.
2502-606 | DCE error in DCE-function : error string. |
Explanation: A DCE function returned an error.
User Response: If you cannot resolve the problem, follow normal problem reporting procedures.
2502-607 | GSSAPI error in GSSAPI-function : error string. |
Explanation: The DCE GSSAPI function returned an error.
User Response: If you cannot resolve the problem, follow normal problem reporting procedures.
2502-608 | Kerberos V4 error in Kerberos-function : error-string. |
Explanation: The Kerberos V4 function returned an error.
User Response: If you cannot resolve the problem, follow normal problem reporting procedures.
2502-609 | A specified object was not found in the ACL database: object name. |
Explanation: A request was made to security services to locate an object that does not exist. There may be a programming error in the calling program.
User Response: If the object name was specified as a command operand by a user, verify that it was entered correctly. If incorrect, retry the request using the correct name. Otherwise, follow normal problem reporting procedures.
2502-610 | The server's login context cannot be validated. |
Explanation: The login context was validated by local data rather than the security server.
User Response: Verify that the security server is functioning properly, and try the request again. If you cannot resolve the problem, follow normal problem reporting procedures.
2502-611 | An argument is missing or not valid. |
Explanation: A request was made to security services with missing or incorrect arguments. There is a programming error in the calling program.
User Response: Record the above information and contact the IBM Support Center.
2502-612 | DCE is not running on this host. |
Explanation: The command was not successful because DCE is not running.
User Response: Check with your system administrator.
2502-613 | Out of memory. |
Explanation: The function could not complete because the process is out of memory.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-614 | A server may not delete its initial object. |
Explanation: The function could not complete because the object specified for deletion is the server's initial object, which is not allowed. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-615 | The object specified as containing the new object is not a container: container name. |
Explanation: A security services request to create an object specified a container object that is not valid. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-616 | A specified pathname is not valid. pathname. |
Explanation: A security services function was requested using a pathname that is not valid. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-617 | An ACL manager is required, but none was started. |
Explanation: A server invoked a Security Services ACL management function without initiating ACL management. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-618 | The required keyfile was not found: keyfile -- pathname. |
Explanation: The keyfile containing the key for a trusted service was not found. Either it was removed, or the configuration task to create the keyfile was not successful or was never performed.
User Response:
2502-619 | A security context is required but none exists. |
Explanation: A security services function was requested without first establishing a DCE security context between client and server. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-620 | The security services environment is damaged. |
Explanation: A security services function cannot proceed because the state information for the process is no longer valid. There is an internal programming error in the calling program.
User Response: Record the above information and contact the IBM Support Center.
2502-621 | An ioctl system call was not successful: error-text . |
Explanation: A security services function failed, because an AIX ioctl system call failed.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-622 | A specified permission set was not valid. |
Explanation: A security services function failed, because the permission set specified for an ACL-object was not valid. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-623 | A specified DCE group does not exist. group. |
Explanation: A security services function was requested using a group name that is not valid. There is a programming error in the calling program or in the configuration files.
User Response: If you cannot resolve the problem, follow normal problem reporting procedures.
2502-624 | A security services configuration file contains erroneous data. filename -- line number |
Explanation: The spsec_defaults file may have been overwritten, or incorrect information was placed into the spsec_overrides file.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-625 | A specified service name does not exist. service. |
Explanation: A Security Services function was requested using a service name that is not valid. There is a programming error in the calling program or the spsec_defaults file contains data that is not valid.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-626 | A security services environment is required but none exists. |
Explanation: A security services function was requested without first establishing a security services environment. There is a programming error in the calling program.
User Response: Follow normal problem reporting procedures.
2502-627 | The object to be created already exists. object. |
Explanation: A request was made to security services to create an object that already exists. There may be a programming error in the calling program.
User Response: If the object name was specified as a command operand by a user, verify that it was correctly entered. If not, retry the request using the correct name. If so, follow normal problem reporting procedures.
2502-628 | A socket system call was unsuccessful: error-text . |
Explanation: A security services function failed, because an AIX socket system call failed.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-629 | The server's ACL database is damaged. |
Explanation: The DCE ACL database files do not contain valid data. Some outside environmental factor may have caused the files to be overwritten or a programming error may have occurred.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-630 | Could not obtain SDR data: SDR-function: error text. |
Explanation: The Syspar object could not be read for a system partition. Check the integrity of the SDR files.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-631 | The client credentials do not support delegation. |
Explanation: The credentials passed by the client cannot be delegated.
User Response: If you cannot resolve the problem, record the above information and contact the IBM Support Center.
2502-632 | You specified value more than once. |
Explanation: This command flag or operand may only be specified once.
User Response: Enter the command again using the correct syntax.
2502-633 | The specified partition does not exist. |
Explanation: A security services function could not complete because the partition was not correctly specified, either as an argument or using the SP_NAME environment variable.
User Response: Check SP_NAME and correct it if it is wrong. If you cannot resolve the problem, contact the IBM Support Center.
2502-634 | You specified the authentication methods in an incorrect order. |
Explanation: The authentication methods you specified must be entered in a required order. See the usage statement and the man page for an explanation of the restrictions in the use of program name.
User Response: Enter the command again using the correct syntax.
2502-635 | You specified the wrong number of command operands. |
Explanation: You specified a number of operands that is not valid for this command. See the usage statement.
User Response: Enter the command again using the correct syntax.
2502-636 | A specified DCE principal does not exist. principal. |
Explanation: A security services function was requested using a DCE principal name that is not valid. There is an internal programming error in the calling program or the user supplied an incorrect name.
User Response: If the error resulted because you supplied an incorrect name, retry the request using the correct name. Otherwise, record the above information and contact the IBM Support Center.
2502-637 | You are not authorized to use this command. |
Explanation: You must be root to change the active authentication methods.
User Response: None.
2502-638 | method is not a valid trusted services authentication method. |
Explanation: You specified a command operand that is not a valid authentication method.
User Response: Enter the command again using the correct syntax.
2502-639 | subroutine was unsuccessful on file filepath. error text. |
Explanation: The program was unable to access the authentication method setting. The indicated system function was not successful. See the error text for more information.
User Response: Contact the IBM Support Center.
2502-640 | File filename does not contain valid data. |
Explanation: The program could not determine the active authentication methods because the data obtained from the file is not in the correct format.
User Response: Issue the lsauthpts command to determine the correct setting, then issue the chauthts command to store valid data in the file. If you cannot resolve the problem, contact the IBM Support Center.
2502-641 | command is not valid because required software is not installed and configured on this host. |
Explanation: The command was not successful because the required software support for the method is not installed on this host. In order to activate DCE, you must have installed and configured DCE 2.2 for AIX. In order to activate the compatibility method, you must have configured Kerberos Version 4.
User Response: Install and configure the required software and enter the command again.
2502-642 | The trusted services authentication methods have not been set on this host; use the chauthts or chauthpts command as appropriate. |
Explanation: The program was unable to access the authentication method setting stored in file /spdata/sys1/spsec/auth_methods. The file does not exist.
User Response: Use the chauthpts command, if you receive this message on an installed SP node or the control workstation. When installing the control workstation for a new SP system or on a stand-alone system, use the chauthts command.