Issues related to specific HPC machines are not located in this FAQ.
Note to non-NRL HPC users: This FAQ covers NRL site-specific issues. While you may find useful information here, your mileage may vary. If you need further assistance, please contact the appropriate help desk.
Kerberos error messages differ slightly between the Unix, PC, and Macintosh platforms. If a closely related message is not listed below, please send a detailed description and all messages to ccshelp@nrl.navy.mil.
How do I change my password?
All users have Kerberos passwords. To change your password, you must use the password program which came with your local Kerberos kit. Avoid changing your password across a network.
How do I change my shell?
To request a shell change, send email to ccshelp@nrl.navy.mil.
When I log in, the system cannot find my home directory, but I am able to see it.
Check whether the top level of your home directory has the AFS ACL system:anyuser rl:
fs la ~
The Kerberos login must be able to read files in your home directory. If the AFS ACL system:anyuser rl is not listed, you can add it with:
fs setacl ~ system:anyuser rl
Note: This will allow anyone to read files located in the top level of your home directory. Move sensitive files and data into a subdirectory which has more restrictive AFS ACLs.
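A check for the ACL advice above, as an added example that is not part of the original FAQ. A new AFS subdirectory starts with a copy of its parent's ACL, so a subdirectory created after the setacl also grants system:anyuser rl until you tighten it. The function names and sample listings are constructed, and the parser assumes the usual `fs la` output layout.

```sh
#!/bin/sh
# anyuser_rights: read `fs la` output on stdin and print the rights that
# system:anyuser holds under "Normal rights:" ("none" if it has no entry).
anyuser_rights() {
    awk '
        /^Normal rights:/   { sect = "normal"; next }
        /^Negative rights:/ { sect = "negative"; next }
        sect == "normal" && $1 == "system:anyuser" { r = $2 }
        END { print (r == "" ? "none" : r) }
    '
}

# classify_acl KIND: KIND is "home" for the top level of the home directory
# or "private" for a subdirectory that holds sensitive files.
# Real use: fs la ~ | classify_acl home
classify_acl() {
    rights=$(anyuser_rights)
    if [ "$1" = "private" ]; then
        if [ "$rights" = "none" ]; then echo "ok"; else echo "exposed:$rights"; fi
        return 0
    fi
    case "$rights" in
        *[idwka]*)   echo "too-broad:$rights" ;;    # more than read and lookup
        *r*l*|*l*r*) echo "ok" ;;                   # what the login needs
        *)           echo "login-cannot-read" ;;    # missing r, l, or both
    esac
}

# Constructed listings (not from a real cell).
HOME_ACL='Access list for /afs/example.cell/u/jdoe is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  jdoe rlidwka'
# Subdirectory created after the setacl: it copied the parent ACL.
PRIVATE_ACL='Access list for /afs/example.cell/u/jdoe/private is
Normal rights:
  system:anyuser rl
  jdoe rlidwka'
# The same subdirectory after: fs setacl ~/private system:anyuser none
FIXED_ACL='Access list for /afs/example.cell/u/jdoe/private is
Normal rights:
  jdoe rlidwka'

printf '%s\n' "$HOME_ACL"    | classify_acl home
printf '%s\n' "$PRIVATE_ACL" | classify_acl private
printf '%s\n' "$FIXED_ACL"   | classify_acl private
```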
When I log in, I cannot write files in my home directory.
If your home directory path starts with /afs/, then your home directory is in AFS. Access to AFS files is controlled by your Kerberos credentials. You should automatically get the correct AFS tokens at login time. If you are accessing cmf machines remotely, then your Kerberos ticket must be forwardable. Once your Kerberos ticket expires, you will no longer have write access.
Download Kerberos kits:
How to download a kit.
HPC provides downloadable Kerberos client kits. It is important that you follow exactly all the steps listed in the README file. For more information, please read the Kerberos page.
Getting credentials:
Your password will expire in # days/hours on date.
Your account password is about to expire on the date given. Change your password before the expiration date. Avoid changing your password across a network.
Password has expired while getting initial credentials.
Your account password has expired. Change your password. Avoid changing your password across a network.
Cannot contact any KDC for requested realm.
Your computer successfully sent out a request, but the KDC never responded. The network is probably down between your host and the KDC, or you are behind a firewall.
Cannot resolve KDC for requested realm.
There is either a problem with DNS hostname to IP address lookups or with the Kerberos configuration file. Contact your local networking support if DNS lookups are failing. Check to see if your Kerberos realm is listed in the Kerberos configuration file. To download a new configuration file, go to https://www.hpcmo.hpc.mil/security/kerberos. The configuration file has different names depending on your operating system:
Cannot find KDC for requested realm.
The specified realm does not seem to exist. Make sure the realm name is entered in all UPPERCASE. Check the local Kerberos configuration file for a missing realm entry.
Can't send request (send_to_kdc).
Several Unix systems have an older version of Kerberos installed by default. Check your path by running "which kinit" and see if you are running the system installed kinit command. You need to run the kinit from the Kerberos kit. There are several ways you can do this. One way is to modify your path variable. Another way is to run kinit with the absolute path name.
Internal file credentials cache error while logging in
Under Windows, the default directory for the cache file may not be world-writable. To change the location of the cache file:
Telnet:
telnetd: Authorization failed.
Only Kerberized telnet connections are accepted.
Error 10060 on connect.
Error code 10060 means that there was a connection timeout. Most likely, the network is down.
Kerberos V5 refuses authentication because telnetd: No hardware preauth flag set.
You are trying to log in to a host which requires hardware preauthentication. You must use your SecurID, CryptoCard, or other issued hardware token.
mk_req failed: You have no tickets cached.
Most likely, your Kerberos ticket has expired. Check the ticket expiration time. If expired, get a new Kerberos ticket on your local machine.
Krlogin/Krsh:
kcmd to host hostname failed - No credentials cache file found.
You do not have any Kerberos credentials. Get a Kerberos ticket on your local machine.
kcmd to host hostname failed - Ticket expired.
Your Kerberos ticket has expired. Get a new Kerberos ticket on your local machine.
Macintosh:
During login, Macintosh returned, "Kerberos 5: ASN.1 failed call to system time library while logging in."
The Macintosh time is incorrect. Check the time, timezone, and daylight savings settings.
I am having problems with kclient.
You are running old Macintosh Kerberos software. Please upgrade to the newer Macintosh Kerberos kit.
Other:
Any error message with "clock skew".
Your local computer time is more than 5 minutes off the correct time. Check the time, timezone, and daylight savings settings.
Any error message with "incorrect net address".
Make sure your local machine does not have an entry for the hostname in the /etc/hosts file. Also make sure your local machine is not using NIS to do nameserver lookups. Neither the /etc/hosts file nor NIS can correctly handle a hostname with multiple IP addresses.
On Solaris, check the hosts line in the /etc/nsswitch.conf file.
On Irix, check for hostresorder in the /etc/resolv.conf file.
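The hosts-file and nsswitch.conf checks above, as an added example that is not part of the original FAQ. The function names, the sample files and the host name hpc1.example.mil are constructed for illustration; on a real Solaris host you would pass /etc/hosts and /etc/nsswitch.conf instead.

```sh
#!/bin/sh
# hosts_file_addrs FILE NAME: print every address that a hosts-format FILE
# maps NAME to (comments stripped, names compared case-insensitively).
hosts_file_addrs() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { print $1; break } }
    ' "$1"
}

# nsswitch_uses_nis FILE: succeed if the "hosts:" line lists nis as a source.
nsswitch_uses_nis() {
    awk '
        { sub(/#.*/, "") }
        $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "nis") found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# lookup_findings HOSTS NSSWITCH NAME: print the findings, or "clean".
lookup_findings() {
    out=""
    if [ -n "$(hosts_file_addrs "$1" "$3")" ]; then out="hosts-entry"; fi
    if nsswitch_uses_nis "$2"; then out="${out:+$out }nis-lookup"; fi
    echo "${out:-clean}"
}

# Constructed sample files; hpc1.example.mil stands in for the remote host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1    localhost
192.0.2.10   hpc1.example.mil hpc1   # pins one of the host's addresses
EOF
printf '127.0.0.1 localhost\n'                     > "$tmp/hosts.good"
printf 'passwd: files nis\nhosts:  files nis dns\n' > "$tmp/nsswitch.bad"
printf 'passwd: files nis\nhosts:  files dns\n'     > "$tmp/nsswitch.good"

lookup_findings "$tmp/hosts.bad"  "$tmp/nsswitch.bad"  hpc1.example.mil
lookup_findings "$tmp/hosts.good" "$tmp/nsswitch.good" hpc1.example.mil
```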
Any error message with "tgt not forwardable".
The Kerberos credentials you have do not have the forward flag set. Without forwarding, the credentials may not be passed to another machine. To get a forwardable TGT, do this:
Why did my password change fail with "password unacceptable to server"?
Some Kerberos password changing programs do not give a more meaningful error message. All passwords are checked against a dictionary attack before they are accepted. Rejected passwords receive the "password unacceptable" message. Currently, passwords must be at least 6 characters long and have characters in 2 of the following classes: lowercase, uppercase, numbers, punctuation, or other. You may not reuse a previous password. Your current password must also be older than the minimum lifetime, which is currently set at 4 hours, before you can change it.
I am behind a firewall, and I am having problems using Kerberos.
If your firewall is blocking Kerberos, you will need to contact your firewall administrator. The Kerberos FAQ covers which incoming and outgoing ports Kerberos uses.
Send comments or questions to ccshelp@nrl.navy.mil