Strange error on Solaris

Marcus Watts mdw at umich.edu
Mon Apr 15 02:37:57 EDT 2002 

Kerry Thompson <kerry at crypt.gen.nz> had written in
response to daniel.lindh at tele2.se
> From: Kerry Thompson <kerry at crypt.gen.nz>
> Message-ID: <15546.6623.117375.369626 at edmond.crypt.gen.nz>
> To: daniel.lindh at tele2.se
> Cc: kerberos at mit.edu
> Subject: Re: Strange error on Solaris
> In-Reply-To: <OF6E9B9B6C.C0F0AEE0-ONC1256B99.0028F9C9 at dmz.tele2.se>
> References: <OF6E9B9B6C.C0F0AEE0-ONC1256B99.0028F9C9 at dmz.tele2.se>
> Date: Mon, 15 Apr 2002 12:07:59 +1200
> 
> I would try running it under truss :
> 
> # truss /usr/krb5/sbin/kdb5_util create -r DOMAIN.SE -s
> 
> - and backtrack through the function calls to look for a failure of
> some sort, like a missing file or directory. Error #-1765328157 sure
> doesn't ring a bell to me.

Well, it's sometimes possible to find errors using truss, but it's
kinda like looking for a needle in a haystack.  It helps a lot
if you already have a fair idea what the code is *supposed* to do.
This is particular true when the problem involves encryption.
If you can compare results against a working copy, this is
more useful, because then you at least have a benchmark against
which to look where things start to go wrong.

The simplest way to map error #'s to error codes is to look
through the include files.  In this case,
	krb5_err.h:#define KRB5_APPL_EXPIRED                        (-1765328157L)
The error text can be found in the source in:
krb5/src/lib/krb5/error_tables/krb5_err.et ,
	error_code KRB5_APPL_EXPIRED,   "This application has expired"
A friendly application can automatically map error codes to messages,
by calling initialize_krb5_error_table() and then calling
error_message(-1765328157).  Evidently, kdb5_util isn't quite that
friendly.

Looking through the sorce, this manifest KRB5_APPL_EXPIRED only appears
in
	krb5/src/lib/krb5/error_tables/ChangeLog
	krb5/src/lib/win_glue.c

The former tells us it was added to the source on Friday the 13th.  The
latter appears to be some sort of windows specific code, which seems to
be trying to invoke some sort of remote version server.  This doesn't
entirely make sense, so it's more likely that the source I'm looking at
is too old to accurately reflect whatever object you are running, and
you'll need to look at the source and include files for whatever
version of k5 you are running.  If you can't get source to exactly the
version that you are running, you may have to extrapolate carefully.
Is there a reason you want to run something built by Sun rather
than building it yourself?

				-Marcus Watts
				UM ITCS Umich Systems Group

More information about the Kerberos mailing list