GSSAPI Error Codes
Validation error
G_BUFFER_ALLOC: Couldn't allocate gss_buffer_t data
G_BAD_MSG_CTX: Message context invalid
G_WRONG_SIZE: Buffer is the wrong size
G_BAD_USAGE: Credential usage type is unknown
G_UNKNOWN_QOP: Unknown quality of protection specified
G_BAD_HOSTNAME: Hostname in SERVICE-NAME string could not be canonicalized
G_WRONG_MECH: Mechanism is incorrect
G_BAD_TOK_HEADER: Token header is malformed or corrupt
G_BAD_DIRECTION: Packet was replayed in wrong direction
G_TOK_TRUNC: Token is missing data
G_REFLECT: Token was reflected
G_WRONG_TOKID: Received token ID does not match expected token ID

Kerberos 5 GSSAPI Errors:

KG_CCACHE_NOMATCH: Principal in credential cache does not match desired name
KG_KEYTAB_NOMATCH: No principal in keytab matches desired name
KG_TGT_MISSING: Credential cache has no TGT
KG_NO_SUBKEY: Authenticator has no subkey
KG_CONTEXT_ESTABLISHED: Context is already fully established
KG_BAD_SIGN_TYPE: Unknown signature type in token
KG_BAD_LENGTH: Invalid field length in token
KG_CTX_INCOMPLETE: Attempt to use incomplete security context
KG_CONTEXT: Bad magic number for krb5_gss_ctx_id_t
KG_CRED: Bad magic number for krb5_gss_cred_id_t
KG_ENC_DESC: Bad magic number for krb5_gss_enc_desc
KG_BAD_SEQ: Sequence number in token is corrupt
KG_EMPTY_CCACHE: Credential cache is empty
KG_NO_CTYPES: Acceptor and Initiator share no checksum types
3.4.1 GSS status codes

GSS-API routines return GSS status codes as their OM_uint32 function value. These codes indicate errors that are independent of the underlying mechanism(s) used to provide the security service. The errors that can be indicated via a GSS status code are either generic API routine errors (errors that are defined in the GSS-API specification) or calling errors (errors that are specific to these language bindings).

A GSS status code can indicate a single fatal generic API error from the routine and a single calling error. In addition, supplementary status information may be indicated via the setting of bits in the supplementary info field of a GSS status code.

These errors are encoded into the 32-bit GSS status code as follows:

    MSB                                                        LSB
    |------------------------------------------------------------|
    | Calling Error | Routine Error  |    Supplementary Info     |
    |------------------------------------------------------------|
 Bit 31           24 23            16 15                         0

Hence if a GSS-API routine returns a GSS status code whose upper 16 bits contain a non-zero value, the call failed. If the calling error field is non-zero, the invoking application's call of the routine was erroneous. Calling errors are defined in table 3-1. If the routine error field is non-zero, the routine failed for one of the routine-specific reasons listed below in table 3-2. Whether or not the upper 16 bits indicate a failure or a success, the routine may indicate additional information by setting bits in the supplementary info field of the status code. The meaning of individual bits is listed below in table 3-3.
Table 3-1 Calling Errors

Name                           Value in field  Meaning
----                           --------------  -------
GSS_S_CALL_INACCESSIBLE_READ   1               A required input parameter could not be read
GSS_S_CALL_INACCESSIBLE_WRITE  2               A required output parameter could not be written.
GSS_S_CALL_BAD_STRUCTURE       3               A parameter was malformed

Table 3-2 Routine Errors

Name                           Value in field  Meaning
----                           --------------  -------
GSS_S_BAD_MECH                 1               An unsupported mechanism was requested
GSS_S_BAD_NAME                 2               An invalid name was supplied
GSS_S_BAD_NAMETYPE             3               A supplied name was of an unsupported type
GSS_S_BAD_BINDINGS             4               Incorrect channel bindings were supplied
GSS_S_BAD_STATUS               5               An invalid status code was supplied
GSS_S_BAD_MIC GSS_S_BAD_SIG    6               A token had an invalid MIC
GSS_S_NO_CRED                  7               No credentials were supplied, or the credentials were unavailable or inaccessible.
GSS_S_NO_CONTEXT               8               No context has bee
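
An added example (not part of the GSS-API documentation quoted above): a C decoder that splits a status code into the three fields of the diagram and names the calling and routine errors as far as tables 3-1 and 3-2 list them here. The type and function names (gss_fields, gss_split, gss_calling_name, gss_routine_name) are assumptions made for this example, and the sample values in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Diagram layout: calling error 31-24, routine error 23-16, supplementary 15-0. */
struct gss_fields {                 /* hypothetical type for this example */
    unsigned calling, routine, supplementary;
    int failed;                     /* set when the upper 16 bits are non-zero */
};

/* Index = value in field, as far as tables 3-1 and 3-2 are listed on this page. */
static const char *const calling_names[] = {
    "none", "GSS_S_CALL_INACCESSIBLE_READ", "GSS_S_CALL_INACCESSIBLE_WRITE",
    "GSS_S_CALL_BAD_STRUCTURE" };
static const char *const routine_names[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_MIC",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT" };
#define COUNT(a) (sizeof(a) / sizeof *(a))

struct gss_fields gss_split(uint32_t status) {
    struct gss_fields f;
    f.calling = (status >> 24) & 0xFFu;
    f.routine = (status >> 16) & 0xFFu;
    f.supplementary = status & 0xFFFFu;
    f.failed = (status & 0xFFFF0000u) != 0;
    return f;
}

/* Values past the end of a table get a marker, never an out-of-bounds read. */
const char *gss_calling_name(unsigned v) {
    return v < COUNT(calling_names) ? calling_names[v] : "not in table";
}
const char *gss_routine_name(unsigned v) {
    return v < COUNT(routine_names) ? routine_names[v] : "not in table";
}

int main(void) {
    /* Constructed sample status codes, not taken from a real trace. */
    const uint32_t samples[] = { 0x00000001u, 0x00070000u, 0x02080000u, 0x000D0000u };
    for (size_t i = 0; i < COUNT(samples); i++) {
        struct gss_fields f = gss_split(samples[i]);
        printf("0x%08lx failed=%d calling=%s routine=%s supp=0x%04x\n",
               (unsigned long)samples[i], f.failed, gss_calling_name(f.calling),
               gss_routine_name(f.routine), f.supplementary);
    }
    return 0;
}
```

When building against a real GSS-API header, the C bindings' GSS_ERROR(), GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and GSS_SUPPLEMENTARY_INFO() macros apply the same field masks, leaving each value in place rather than shifted down.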

Kerberos/SASL/OpenLDAP : GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

I'm setting up OpenLDAP with SASL authentication with Kerberos. I have a problem with this auth. First, I get the Kerberos ticket with kinit. When I run klist, the ticket is displayed. So, no problem. But when I try to run ldapwhoami, I get an error:

    [hue@sandbox ~]$ kdestroy
    [hue@sandbox ~]$ kinit vishnu
    Password for vishnu@MORTO.COM:
    [hue@sandbox ~]$ klist
    Ticket cache: _FILE:/tmp/krb5cc_1007
    Default principal: vishnu@MORTO.COM

    Valid starting     Expires            Service principal
    05/29/14 06:42:52  05/29/14 16:42:52  krbtgt/MORTO.COM@MORTO.COM
            renew until 06/05/14 06:42:48
    05/29/14 06:42:57  05/29/14 16:42:52  ldap/morto.com@MORTO.COM
            renew until 06/05/14 06:42:48
    [hue@sandbox ~]$ ldapwhoami
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
            additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

I don't know where to search anymore. Please, help me.

Tags: ldap kerberos openldap sasl gssapi

asked May 29 '14 at 14:43 (edited May 29 '14 at 14:50) by Voulzy

1 Answer

I had the same error message with the missing minor code. While searching for people with similar problems I noticed that this usually has something to do with an inaccessible keytab file. In my case the problem was that the group of the /etc/openldap/ldap.keytab file was root instead of ldap. Other possible problems can be a wrong or missing KRB5_KTNAME path in your slapd options file (/etc/sysconfig/ldap on Red Hat 6).

answered Jun 3 '14 at 12:16 by BeeJee

Comment (Voulzy, Jun 3 '14 at 15:08): I'm sure that I had access to the keytab because I used chmod 777... And I also specified the path to the keytab correctly. Thanks anyway for your reply!

Comment: Sometimes that's the problem, I don't know in this case in particular, but sometimes the keytab file has to have 644 permission or whatever thing