Kerberos v5 Status Codes
This chapter lists and describes the Kerberos v5 status codes.
Table of Kerberos v5 Status Codes
Each GSS-API function returns two status codes: a major status code and a minor status code. Major status codes relate to the behavior of the GSS-API itself. For example, if an application attempts to transmit a message after a security context has expired, the GSS-API returns a major status code of GSS_S_CONTEXT_EXPIRED. Major status codes are listed in "GSS-API Status Codes".
Minor status codes are returned by the underlying security mechanisms supported by a given implementation of the GSS-API. At present, the only such mechanism supported by Sun's implementation of the GSS-API is Kerberos v5. (Sun's implementation of Kerberos v5 is known as SEAM, the Sun Enterprise Authentication Mechanism; for our purposes, you can think of them as the same thing.) Every GSS-API function takes as its first argument a minor_status (or minor_stat) parameter; an application can examine this parameter when the function returns, successfully or not, to see what status the underlying mechanism reports.
The following table lists the status messages that might be returned by Kerberos v5 in the minor_status argument.
For more on GSS-API status codes, see "Status Codes".
Table E-1 Kerberos v5 Status Codes 1
Minor Status | Value | Meaning |
---|---|---|
KRB5KDC_ERR_NONE | -1765328384L | No error |
KRB5KDC_ERR_NAME_EXP | -1765328383L | Client's entry in database has expired |
KRB5KDC_ERR_SERVICE_EXP | -1765328382L | Server's entry in database has expired |
KRB5KDC_ERR_BAD_PVNO | -1765328381L | Requested protocol version not supported |
KRB5KDC_ERR_C_OLD_MAST_KVNO | -1765328380L | Client's key is encrypted in an old master key |
KRB5KDC_ERR_S_OLD_MAST_KVNO | -1765328379L | Server's key is encrypted in an old master key |
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN | -1765328378L | Client not found in Kerberos database |
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN | -1765328377L | Server not found in Kerberos database |
KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE | -1765328376L | Principal has multiple entries in Kerberos database |
KRB5KDC_ERR_NULL_KEY | -1765328375L | Client or server has a null key |
KRB5KDC_ERR_CANNOT_POSTDATE | -1765328374L | Ticket is ineligible for postdating |
KRB5KDC_ERR_NEVER_VALID | -1765328373L | Requested effective lifetime is negative or too short |
KRB5KDC_ERR_POLICY | -1765328372L | KDC policy rejects request |
KRB5KDC_ERR_BADOPTION | -1765328371L | KDC can't fulfill requested option |
KRB5KDC_ERR_ETYPE_NOSUPP | -1765328370L | KDC has no support for encryption type |
KRB5KDC_ERR_SUMTYPE_NOSUPP | -1765328369L | KDC has no support for checksum type |
KRB5KDC_ERR_PADATA_TYPE_NOSUPP | -1765328368L | KDC has no support for padata type |
KRB5KDC_ERR_TRTYPE_NOSUPP | -1765328367L | KDC has no support for transited type |
KRB5KDC_ERR_CLIENT_REVOKED | -1765328366L | Client's credentials have been revoked |
KRB5KDC_ERR_SERVICE_REVOKED | -1765328365L | Credentials for server have been revoked |
Table E-2 Kerberos v5 Status Codes 2
Minor Status | Value | Meaning |
---|---|---|
KRB5KDC_ERR_TGT_REVOKED | -1765328364L | TGT has been revoked |
KRB5KDC_ERR_CLIENT_NOTYET | -1765328363L | Client not yet valid -- try again later |
KRB5KDC_ERR_SERVICE_NOTYET | -1765328362L | Server not yet valid -- try again later |
KRB5KDC_ERR_KEY_EXP | -1765328361L | Password has expired |
KRB5KDC_ERR_PREAUTH_FAILED | -1765328360L | Preauthentication failed |
KRB5KDC_ERR_PREAUTH_REQUIRED | -1765328359L | Additional pre-authentication required |
KRB5KDC_ERR_SERVER_NOMATCH | -1765328358L | Requested server and ticket don't match |
KRB5PLACEHOLD_27 through KRB5PLACEHOLD_30 | -1765328357L through -1765328354L | KRB5 error codes 27 through 30 (reserved) |
KRB5KRB_AP_ERR_BAD_INTEGRITY | -1765328353L | Decrypt integrity check failed |
KRB5KRB_AP_ERR_TKT_EXPIRED | -1765328352L | Ticket expired |
KRB5KRB_AP_ERR_TKT_NYV | -1765328351L | Ticket not yet valid |
KRB5KRB_AP_ERR_REPEAT | -1765328350L | Request is a replay |
KRB5KRB_AP_ERR_NOT_US | -1765328349L | The ticket isn't for us |
KRB5KRB_AP_ERR_BADMATCH | -1765328348L | Ticket/authenticator don't match |
KRB5KRB_AP_ERR_SKEW | -1765328347L | Clock skew too great |
KRB5KRB_AP_ERR_BADADDR | -1765328346L | Incorrect net address |
KRB5KRB_AP_ERR_BADVERSION | -1765328345L | Protocol version mismatch |
KRB5KRB_AP_ERR_MSG_TYPE | -1765328344L | Invalid message type |
KRB5KRB_AP_ERR_MODIFIED | -1765328343L | Message stream modified |
KRB5KRB_AP_ERR_BADORDER | -1765328342L | Message out of order |
KRB5KRB_AP_ERR_ILL_CR_TKT | -1765328341L | Illegal cross-realm ticket |
KRB5KRB_AP_ERR_BADKEYVER | -1765328340L | Key version is not available |
Table E-3 Kerberos v5 Status Codes 3
Minor Status | Value | Meaning |
---|---|---|
KRB5KRB_AP_ERR_NOKEY | -1765328339L | Service key not available |
KRB5KRB_AP_ERR_MUT_FAIL | -1765328338L | Mutual authentication failed |
KRB5KRB_AP_ERR_BADDIRECTION | -1765328337L | Incorrect message direction |
KRB5KRB_AP_ERR_METHOD | -1765328336L | Alternative authentication method required |
KRB5KRB_AP_ERR_BADSEQ | -1765328335L | Incorrect sequence number in message |
KRB5KRB_AP_ERR_INAPP_CKSUM | -1765328334L | Inappropriate type of checksum in message |
KRB5PLACEHOLD_51 through KRB5PLACEHOLD_59 | -1765328333L through -1765328325L | KRB5 error codes 51 through 59 (reserved) |
KRB5KRB_ERR_GENERIC | -1765328324L | Generic error |
KRB5KRB_ERR_FIELD_TOOLONG | -1765328323L | Field is too long for this implementation |
KRB5PLACEHOLD_62 through KRB5PLACEHOLD_127 | -1765328322L through -1765328257L | KRB5 error codes 62 through 127 (reserved) |
(value not returned) | -1765328256L | For internal use only |
KRB5_LIBOS_BADLOCKFLAG | -1765328255L | Invalid flag for file lock mode |
KRB5_LIBOS_CANTREADPWD | -1765328254L | Cannot read password |
KRB5_LIBOS_BADPWDMATCH | -1765328253L | Password mismatch |
KRB5_LIBOS_PWDINTR | -1765328252L | Password read interrupted |
KRB5_PARSE_ILLCHAR | -1765328251L | Illegal character in component name |
KRB5_PARSE_MALFORMED | -1765328250L | Malformed representation of principal |
KRB5_CONFIG_CANTOPEN | -1765328249L | Can't open/find Kerberos /etc/krb5/krb5 configuration file |
KRB5_CONFIG_BADFORMAT | -1765328248L | Improper format of Kerberos /etc/krb5/krb5 configuration file |
KRB5_CONFIG_NOTENUFSPACE | -1765328247L | Insufficient space to return complete information |
KRB5_BADMSGTYPE | -1765328246L | Invalid message type specified for encoding |
KRB5_CC_BADNAME | -1765328245L | Credential cache name malformed |
Table E-4 Kerberos v5 Status Codes 4
Minor Status | Value | Meaning |
---|---|---|
KRB5_CC_UNKNOWN_TYPE | -1765328244L | Unknown credential cache type |
KRB5_CC_NOTFOUND | -1765328243L | Matching credential not found |
KRB5_CC_END | -1765328242L | End of credential cache reached |
KRB5_NO_TKT_SUPPLIED | -1765328241L | Request did not supply a ticket |
KRB5KRB_AP_WRONG_PRINC | -1765328240L | Wrong principal in request |
KRB5KRB_AP_ERR_TKT_INVALID | -1765328239L | Ticket has invalid flag set |
KRB5_PRINC_NOMATCH | -1765328238L | Requested principal and ticket don't match |
KRB5_KDCREP_MODIFIED | -1765328237L | KDC reply did not match expectations |
KRB5_KDCREP_SKEW | -1765328236L | Clock skew too great in KDC reply |
KRB5_IN_TKT_REALM_MISMATCH | -1765328235L | Client/server realm mismatch in initial ticket request |
KRB5_PROG_ETYPE_NOSUPP | -1765328234L | Program lacks support for encryption type |
KRB5_PROG_KEYTYPE_NOSUPP | -1765328233L | Program lacks support for key type |
KRB5_WRONG_ETYPE | -1765328232L | Requested encryption type not used in message |
KRB5_PROG_SUMTYPE_NOSUPP | -1765328231L | Program lacks support for checksum type |
KRB5_REALM_UNKNOWN | -1765328230L | Cannot find KDC for requested realm |
KRB5_SERVICE_UNKNOWN | -1765328229L | Kerberos service unknown |
KRB5_KDC_UNREACH | -1765328228L | Cannot contact any KDC for requested realm |
KRB5_NO_LOCALNAME | -1765328227L | No local name found for principal name |
KRB5_MUTUAL_FAILED | -1765328226L | Mutual authentication failed |
KRB5_RC_TYPE_EXISTS | -1765328225L | Replay cache type is already registered |
KRB5_RC_MALLOC | -1765328224L | No more memory to allocate (in replay cache code) |
KRB5_RC_TYPE_NOTFOUND | -1765328223L | Replay cache type is unknown |
Table E-5 Kerberos v5 Status Codes 5
Minor Status | Value | Meaning |
---|---|---|
KRB5_RC_UNKNOWN | -1765328222L | Generic unknown RC error |
KRB5_RC_REPLAY | -1765328221L | Message is a replay |
KRB5_RC_IO | -1765328220L | Replay I/O operation failed |
KRB5_RC_NOIO | -1765328219L | Replay cache type does not support non-volatile storage |
KRB5_RC_PARSE | -1765328218L | Replay cache name parse/format error |
KRB5_RC_IO_EOF | -1765328217L | End-of-file on replay cache I/O |
KRB5_RC_IO_MALLOC | -1765328216L | No more memory to allocate (in replay cache I/O code) |
KRB5_RC_IO_PERM | -1765328215L | Permission denied in replay cache code |
KRB5_RC_IO_IO | -1765328214L | I/O error in replay cache i/o code |
KRB5_RC_IO_UNKNOWN | -1765328213L | Generic unknown RC/IO error |
KRB5_RC_IO_SPACE | -1765328212L | Insufficient system space to store replay information |
KRB5_TRANS_CANTOPEN | -1765328211L | Can't open/find realm translation file |
KRB5_TRANS_BADFORMAT | -1765328210L | Improper format of realm translation file |
KRB5_LNAME_CANTOPEN | -1765328209L | Can't open/find lname translation database |
KRB5_LNAME_NOTRANS | -1765328208L | No translation available for requested principal |
KRB5_LNAME_BADFORMAT | -1765328207L | Improper format of translation database entry |
KRB5_CRYPTO_INTERNAL | -1765328206L | Cryptosystem internal error |
KRB5_KT_BADNAME | -1765328205L | Key table name malformed |
KRB5_KT_UNKNOWN_TYPE | -1765328204L | Unknown Key table type |
KRB5_KT_NOTFOUND | -1765328203L | Key table entry not found |
KRB5_KT_END | -1765328202L | End of key table reached |
KRB5_KT_NOWRITE | -1765328201L | Cannot write to specified key table |
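
The values in the tables above are consecutive offsets from KRB5KDC_ERR_NONE, and the first 128 offsets are the KRB5 error code numbers themselves (the reserved rows say so directly). The following C sketch is an added example, not code from the original guide or from SEAM; it decodes a minor_status on that basis. The function and enum names are hypothetical, and the upper bound of 183 (KRB5_KT_NOWRITE) reflects only the rows shown here. Because GSS-API declares minor_status as the unsigned 32-bit OM_uint32, the code works on the unsigned bit pattern instead of comparing against the negative long constants, which would not match on a platform with a 64-bit long.

```c
#include <stdint.h>
#include <stdio.h>

/* KRB5KDC_ERR_NONE (-1765328384L in Table E-1) as the unsigned 32-bit
 * pattern an OM_uint32 minor_status carries: -1765328384 mod 2^32. */
#define KRB5_MINOR_BASE ((uint32_t)2529638912u)

enum minor_class {              /* hypothetical names, for illustration */
    MINOR_NOT_LISTED,           /* outside the rows shown in the tables */
    MINOR_NO_ERROR,             /* KRB5KDC_ERR_NONE */
    MINOR_KDC,                  /* KRB5KDC_ERR_*, error codes 1..26 */
    MINOR_AP,                   /* KRB5KRB_AP_ERR_*, error codes 31..50 */
    MINOR_GENERIC,              /* KRB5KRB_ERR_*, error codes 60..61 */
    MINOR_RESERVED,             /* KRB5PLACEHOLD_* */
    MINOR_INTERNAL,             /* offset 128, "for internal use only" */
    MINOR_LIBRARY               /* offsets 129..183, KRB5_LIBOS_* to KRB5_KT_* */
};

/* Offset from the base; unsigned arithmetic wraps modulo 2^32. */
static uint32_t minor_offset(uint32_t minor) { return minor - KRB5_MINOR_BASE; }

enum minor_class classify_minor(uint32_t minor)
{
    uint32_t off = minor_offset(minor);
    if (off == 0)   return MINOR_NO_ERROR;
    if (off <= 26)  return MINOR_KDC;
    if (off <= 30)  return MINOR_RESERVED;
    if (off <= 50)  return MINOR_AP;
    if (off <= 59)  return MINOR_RESERVED;
    if (off <= 61)  return MINOR_GENERIC;
    if (off <= 127) return MINOR_RESERVED;
    if (off == 128) return MINOR_INTERNAL;
    if (off <= 183) return MINOR_LIBRARY;
    return MINOR_NOT_LISTED;
}

/* KRB5 error code number (0..127), or -1 for library and unlisted values. */
int protocol_code(uint32_t minor)
{
    uint32_t off = minor_offset(minor);
    return off <= 127 ? (int)off : -1;
}

int main(void)
{
    /* Constructed sample: KRB5KRB_AP_ERR_SKEW as it arrives in an OM_uint32. */
    uint32_t sample = (uint32_t)-1765328347L;
    printf("class=%d code=%d\n", (int)classify_minor(sample), protocol_code(sample));
    return 0;
}
```
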