1.3.4: kadmin tries to open log file R/W (II)
David Botsch
dwb7 at ccmr.cornell.edu
Fri Sep 3 14:36:18 EDT 2004
Just so you know, we are seeing the same thing here with Kerberos 1.3.4.
kadmin on any client gives that error message.
On 2004.09.03 14:14 Mike Friedman wrote:
> A followup to my earlier note.
>
> Just to make sure that my symptoms (described below) were not related to
> the fact that I was issuing 'kadmin' on the KDC itself, I built a 1.3.4
> (with patches) on another system and tried kadmin there. I get the same
> result: a message that says
>
> Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied
>
> I don't understand why client kadmin is trying to open a log file,
> especially with R/W access. It never did this on earlier releases.
>
> Unfortunately, unless this can be changed, I may have to change a bunch of
> my scripts that parse the output of kadmin.
>
> Is this supposed to be happening?
>
> Mike
>
> ------------------------------------------------------------------------------
> Mike Friedman                   System and Network Security
> mikef at ack.Berkeley.EDU       2484 Shattuck Avenue
> 1-510-642-1410                  University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
> ------------------------------------------------------------------------------
>
> ---------- Forwarded message ----------
> Date: Thu, 2 Sep 2004 19:10:59 -0700 (PDT)
> From: Mike Friedman <mikef at ack.Berkeley.EDU>
> To: kerberos at mit.edu
> Subject: 1.3.4: kadmin tries to open log file R/W
>
> I just installed (on my test KDC) krb5-1.3.4 along with the two recent
> patches (MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003). One thing I notice
> is that when I use kadmin from a non-privileged user, I get this message:
>
> Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied
>
> However, I am able to log in as administrator and my transactions do get
> logged on the KDC. It is the *client* kadmin that's trying to open the
> log file R/W, for some reason. The KDC, of course, which is the machine
> I'm doing this on, has the KDC log file configured in its krb5.conf(*).
>
> This is a definite change from 1.2.7, which I was running before. In
> fact, if I use the kadmin from 1.2.7 against this same 1.3.4 KDC, I have
> no problem and don't get the above message.
>
> Running 'truss' (this is Solaris 8), I see that kadmin is trying to open
> the log file R/W. Anyone know why this is, or should be?
>
> (*) My krb5.conf on the KDC host has these entries, which are the same
> ones I used with 1.2.7:
>
> [logging]
> kdc = FILE:/var/log/kerberos/kerberos.log
> admin_server = FILE:/var/log/kerberos/kerberos.log
> default = FILE:/var/log/kerberos/kerberos.log
>
> I even tried changing the 'default' entry to a file in /tmp, in case
> kadmin was using that entry for some kind of local logging. But truss
> shows that kadmin is still trying to open /var/log/kerberos/kerberos.log
> R/W.
>
> Any ideas?
>
> Thanks.
>
> Mike
>
> ------------------------------------------------------------------------------
> Mike Friedman                   System and Network Security
> mikef at ack.Berkeley.EDU       2484 Shattuck Avenue
> 1-510-642-1410                  University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
> ------------------------------------------------------------------------------
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7 at ccmr.cornell.edu
********************************
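
A diagnostic for the symptom reported in this thread, added here as an example and not part of the original messages or of MIT Kerberos: it parses the [logging] section of a krb5.conf and reports which FILE targets the invoking user cannot open read/write. The function names and the EXAMPLE.ORG realm are assumptions, and the sample configuration is constructed from the entries quoted above.

```python
import os
import re

# Constructed sample mirroring the [logging] entries quoted in the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[logging]
    kdc = FILE:/var/log/kerberos/kerberos.log
    admin_server = FILE:/var/log/kerberos/kerberos.log
    default = FILE:/var/log/kerberos/kerberos.log
"""

def logging_file_targets(conf_text):
    """Return [(entry, path)] for FILE targets in the [logging] section."""
    targets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "logging" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = re.match(r"FILE[:=](.+)", value)  # accepts FILE: and FILE= forms
        if target:
            targets.append((key, target.group(1).strip()))
    return targets

def can_open_rw(path):
    """Attempt a read/write open; never creates or truncates the file."""
    try:
        fd = os.open(path, os.O_RDWR | os.O_APPEND)
    except OSError as exc:
        return False, exc.strerror
    os.close(fd)
    return True, "ok"

def report(conf_text):
    """Return [(entry, path, ok, reason)] for the invoking user."""
    return [(k, p) + can_open_rw(p) for k, p in logging_file_targets(conf_text)]

if __name__ == "__main__":
    for entry, path, ok, reason in report(SAMPLE_CONF):
        print(f"{entry:13} {path}: {reason}")
```

Run as the same non-privileged user that invokes kadmin, passing the contents of that host's krb5.conf to `report()`.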