This page contains an incomplete list of error and debug messages that appear when something is wrong with your Kerberos installation. The list is based on the source code of the official krb5 package on GitHub.

Windows-specific

The following errors occur only in Windows environments. Take a look at the GLE (GetLastError) value and look it up in Microsoft’s System Error Code table.

Error Description
“Failed to get temporary path (GLE=%d)” see above
“Can’t open thread token (GLE=%d)”
“Unexpected error reading token information (GLE=%d)”
“GetTokenInformation() returned truncated buffer”
“GetTokenInformation() failed. GLE=%d”
“Can’t convert SID to string. GLE=%d”
“Unable to determine folder path” Reason won’t be printed but is an HRESULT error code
“Can’t find username for uid %lu” Username can’t be expanded
“Invalid token” Token does not match format “%{ … }” or token could not be expanded
“variable missing }” Token does not end with “}”

General

Error Description
“Cannot find key for %s kvno %d in keytab”, “Cannot find key for %s kvno %d in keytab (request ticket server %s)” Keytab does exist, but does not contain the given key
“Cannot decrypt ticket for %s using keytab key for %s” Ticket is not valid, e.g. integrity failed or does not belong to us
“Server principal %s does not match request ticket server %s”
“No keys in keytab” Local keytab is empty. This usually means that you are pointing to the wrong keytab file
“Server principal %s does not match any keys in keytab” Check keytab, server principal is wrong
“Request ticket server %s found in keytab but does not match server principal %s”
“Request ticket server %s not found in keytab (ticket kvno %d)”
“Request ticket server %s kvno %d not found in keytab; ticket is likely out of date” Key could not be refreshed or there is already a higher key version number available
“Request ticket server %s kvno %d found in keytab but not with enctype %s” Mismatch between encryption schemes
“Request ticket server %s kvno %d enctype %s found in keytab but cannot decrypt ticket” Ticket has bad integrity
“Encryption type %s not permitted” Encryption mismatch as no matching encryption scheme could be found
“keyfile (%s) is not a regular file: %s” keyfile exists, but it is a directory or block device rather than a normal file
“Could not create temp keytab file name.” file permissions wrong or hard disk full?
“Temporary stash file already exists: %s.” This is a race condition and should only occur if the command is issued multiple times at the same time
“rename of temporary keyfile (%s) to (%s) failed: %s” Underlying filesystem problem or file has been removed by 3rd party
“Can not fetch master key (error: %s).”
“Unable to decrypt latest master key with the provided master key”
“Encrypted Challenge used outside of FAST tunnel” preauth failed
“Incorrect password in encrypted challenge” preauth failed
“Principal %s is missing required realm” principal has no realm but realm is required
“Principal %s has realm present” principal has realm present but Kerberos has been configured without realm
“Can’t find client principal %s in cache collection” issues with cache
“No Kerberos credentials available (default cache: %s)” issues with cache
“Subsidiary cache path %s has no parent directory” this should not happen; no absolute path of cache?
“Subsidiary cache path %s filename does not begin with “tkt””
“Credential cache directory %s does not exist” It either does not exist or could not be created
“Credential cache directory %s exists but is not a directory” is cache directory a file or block device?
“Can’t create new subsidiary cache because default cache is not a directory collection”
“No begin line not found” PEM file for KVNO does not start with “-----BEGIN CERTIFICATE-----”
“No end line found” PEM file for KVNO does not end with “-----END ”
“Unexpected header line” PEM file for KVNO has invalid format
“Invalid base64” PEM file is not base64 encoded (not a DER certificate)
“KDC returned error string: %.*s” take a look at the Kerberos server’s log
“Server %s not found in Kerberos database”
“No key table entry found for %s” Principal could not be found in keytable
“Too many keytab iterators active” should not happen; multiple processes access the keytab file?
“Cannot change keytab with keytab iterators active”
“Key table file ‘%s’ not found” file does not exist
“Keytab %s is nonexistent or empty” file does not exist
“Unable to initialize preauth context” some pre-authentication plug-in failed
“No default realm set; cannot initialize KDB” default realm is missing inside krb5.conf
“Unable to find requested database type: %s”
“Unable to load requested database module ‘%s’: plugin symbol ‘kdb_function_table’ not found”
“Illegal version number for KRB5_TL_MKEY_AUX %d”
“Illegal version number for KRB5_TL_ACTKVNO %d”
“Reply has wrong form of session key for anonymous request”
“Client ‘%s’ not found in Kerberos database”
“No key table entry found matching %s” principal name could not be found in key table