
Kinit error messages

Common kinit error messages

If you get an error message when you attempt to generate your Kerberos credentials using

kinit -f username@NADA.KTH.SE

or

kinit --forwardable username@NADA.KTH.SE

(note that the case is important, so it is NADA.KTH.SE, not nada.kth.se)

then first make sure you have followed the instructions for your operating system and that you have set up the Kerberos configuration file correctly.

Some common error messages are listed below. If you still have trouble, please contact support.

Some common error messages

 

  •  kinit: krb5_get_init_creds: Incorrect net address

    This is most likely caused by a NAT firewall (such as a broadband router used for most home connections).

    Remedy: Go to Kerberos and Firewalls and try the --no-addresses option to kinit, or --extra-addresses=xyz.xyz.xyz.xyz with xyz.xyz.xyz.xyz replaced by the IP address of your external NAT interface. This page should give you the address of the external NAT interface in most (but not all) cases.

  • Kerberos V5: mk_req failed (Server not found in Kerberos database)

    This is most often caused by a malfunctioning name server (such as the ones provided by some home consumer ISPs).

    Remedy: You will need to add a file krb5.conf containing a [domain_realm] section with the correct Kerberos realm information, and you will need to use an environment variable to tell Heimdal the name of your config file (if it is not /etc/krb5.conf). Add this content to the krb5.conf file:

              [domain_realm]
                .nada.kth.se = NADA.KTH.SE
                .pdc.kth.se = NADA.KTH.SE

 

  • kinit: krb5_get_init_creds: unable to reach any KDC in realm NADA.KTH.SE

    If you get this error message you are most probably behind a firewall that blocks communication with our Kerberos servers.

    Remedy: Go to Kerberos and Firewalls.

  • Cannot find KDC for requested realm while getting initial credentials

    Again, this is likely due to a firewall.

    Remedy: Go to Kerberos and Firewalls.

 

  • Time is out of bounds
    If this happens you probably have a time synchronization problem:
    ./kinit
    user@NADA.KTH.SE's Password:
    kinit: Time is out of bounds (krb_rd_req)

    This problem is caused by a lack of synchronization between the system you create your Kerberos ticket on and the one you try to log in to using that Kerberos ticket. Kerberos allows a maximum time difference of 5 minutes between the system clocks.
    Remedy: Help on synchronizing your system clock can be found here.

  • kinit: krb5_get_init_creds: time skew (370) larger than max (300)

    This is again caused by the clock on your system being out of sync with the actual time.

    Remedy: Help on synchronizing your system clock can be found here.

  • kinit/tcp unknown service, using default port 2120

    This is not an error message and has no impact on the functionality of Kerberos under normal circumstances. The message informs the user that the kauth/tcp system service is not registered on the client machine as a known service with an assigned port number. The kauth client program therefore selects the default "standard" connection port 2120 when talking to the PDC Kerberos server. This is the intended behavior.

    On most systems the service-to-port lookup table is the file /etc/services. Note that other Kerberos client programs (kx, telnet, rsh) may produce similar messages, but may use port numbers other than 2120 as the correct default.

  • Client's entry in database has expired
    This message indicates that your Kerberos principal has expired. This happens automatically every other year and means that you cannot get any Kerberos tickets and therefore cannot log in at PDC.
    Remedy: Write an e-mail asking PDC support to extend your Kerberos principal. When this has been done you can log in again using the same password as you did before.

  • kinit: krb5_get_init_creds: No ENC-TS found

    This message also indicates that it is likely that your Kerberos principal has expired. This happens automatically every other year and means that you cannot get any Kerberos tickets and therefore cannot log in at PDC. If you have a new account it could also mean that we have not yet received the relevant paperwork (e.g. rules and passport copy) or information on which time allocation you should belong to.
    Remedy: Write an e-mail asking PDC support to extend your Kerberos principal. When this has been done you can log in again using the same password as you did before. If we have not yet received the paperwork or time allocation information, this will not be done until we do.
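
To check the [domain_realm] remedy given under "Server not found in Kerberos database", the following Python sketch parses a krb5.conf text and reports which realm a host name maps to, and which entries carry a realm that is not upper case. It is an added example, not part of the original page and not Heimdal's own code; the host name login.pdc.kth.se and the .example.org entry are constructed, and the fallback to the upper-cased parent domain is a simplifying assumption.

```python
# Added example: simplified model of [domain_realm] lookup, not Heimdal's code.
import re
# Constructed sample: the page's two entries plus one deliberately wrong-case realm.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = NADA.KTH.SE

[domain_realm]
    .nada.kth.se = NADA.KTH.SE
    .pdc.kth.se = NADA.KTH.SE
    .example.org = example.org
"""

def parse_domain_realm(text):
    """Return {domain_or_host: realm} from the [domain_realm] section."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then the longest matching '.domain' suffix.
    Assumption: with no match, fall back to the upper-cased parent domain
    (DNS-based realm discovery is left out of this model)."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()

def wrong_case_realms(mapping):
    """The page notes that realm case matters: list keys whose realm is not upper case."""
    return sorted(k for k, realm in mapping.items() if realm != realm.upper())

if __name__ == "__main__":
    conf = parse_domain_realm(SAMPLE_CONF)
    print(realm_for_host("login.pdc.kth.se", conf), wrong_case_realms(conf))
```

With the page's entries a host under .pdc.kth.se maps to NADA.KTH.SE; with an empty mapping the same host falls back to PDC.KTH.SE in this model.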