Here are some of the common errors in Kerberos-enabled i5/OS® interfaces and their recovery methods.
| Problem | Recovery | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| You receive this error: Unable to obtain name of default credentials cache. | Determine if the user who signed on to the System i™ platform has a directory in the /home directory. If the directory for the user does not exist, create a home directory for the credentials cache. | ||||||||||
| CPD3E3F: Network Authentication Service error &2 occurred. | See the specific recovery information that corresponds with this message. | ||||||||||
| DRDA/DDM connection fails on a System i platform that was previously connected. | Check to see if the default realm specified during network authentication service configuration exists. If a default realm and Kerberos server have not been configured, the network authentication service configuration is incorrect and DRDA/DDM connections will fail. To recover from this error,
you can do one of the following tasks:
| ||||||||||
| QFileSvr.400 connection fails on a System i platform that was previously connected. | Check to see if the default realm specified during network authentication service configuration exists. If a default realm and Kerberos server have not been configured, the network authentication service configuration is incorrect and QFileSvr.400 connections will fail. To recover from this error, you can do one of the following tasks:
| ||||||||||
| CWBSY1011: Kerberos client credentials not found. | The user does not have a ticket-granting ticket (TGT). This connection error occurs on the client PC when a user does not log into a Windows 2000 domain. To recover from this error, log into the Windows 2000 domain. | ||||||||||
| Error occurred while verifying connection settings. URL does not have host. This error occurs when you are using Enterprise Identity Mapping (EIM). To recover from this error, follow these steps:
|
Error occurred while changing local directory server configuration. GLD0232: Configuration cannot contain overlapping suffixes. | This error occurs when you are using Enterprise Identity Mapping (EIM). To recover from this error, follow these steps:
|
Error occurred while verifying connection settings. An exception occurred while calling an i5/OS program.
The called program is eimConnect. Details are: com.ibm.as400.data.PcmlException. | This error occurs when you are using Enterprise Identity Mapping (EIM). To recover from this error, follow these steps:
|
Kerberos ticket from remote system cannot be authenticated. | This error occurs when you are configuring Management Central systems to use Kerberos authentication. Verify that Kerberos is configured properly on all your systems. This error might indicate a security violation. Try the request again. If the problem persists contact service.
| Cannot retrieve Kerberos service ticket. | This error occurs when you are configuring Management Central systems to use Kerberos authentication. Verify that the Kerberos principal krbsvr400/System i fully qualified host name@REALM is in the Kerberos server as well as the keytab file for each of your systems.
To verify whether the Kerberos principal is entered in the Kerberos server,
see Adding i5/OS principals to the Kerberos server. To verify whether the Kerberos service principal names are entered in the keytab file,
see Managing keytab files for details.
| Kerberos principal is not in a trusted group. | This error occurs when you are configuring Management Central systems to use Kerberos authentication. Add the Kerberos principal for the system that is trying to connect to this system to your trusted group file. To recover from this error, follow these steps:
|
|