1.3.4: kadmin tries to open log file R/W (II)

David Botsch dwb7 at ccmr.cornell.edu
Fri Sep 3 14:36:18 EDT 2004


Just so you know, we are seeing the same thing here with kerberos 
1.3.4. kadmin on any client gives that error message.

On 2004.09.03 14:14 Mike Friedman wrote:
> A followup to my earlier note.
> 
> Just to make sure that my symptoms (described below) were not related to
> the fact that I was issuing 'kadmin' on the KDC itself, I built a 1.3.4
> (with patches) on another system and tried kadmin there.  I get the same
> result:  a message that says
> 
>   Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied
> 
> I don't understand why client kadmin is trying to open a log file,
> especially with R/W access.  It never did this on earlier releases.
> 
> Unfortunately, unless this can be changed, I may have to change a bunch of
> my scripts that parse the output of kadmin.
> 
> Is this supposed to be happening?
> 
> Mike
> 
> ------------------------------------------------------------------------------
> Mike Friedman                             System and Network Security
> mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
> 1-510-642-1410                            University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
> ------------------------------------------------------------------------------
> 
> ---------- Forwarded message ----------
> Date: Thu, 2 Sep 2004 19:10:59 -0700 (PDT)
> From: Mike Friedman <mikef at ack.Berkeley.EDU>
> To: kerberos at mit.edu
> Subject: 1.3.4:  kadmin tries to open log file R/W
> 
> I just installed (on my test KDC) krb5-1.3.4 along with the two recent
> patches (MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003). One thing I notice
> is that when I use kadmin from a non-privileged user, I get this message:
> 
>   Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied
> 
> However, I am able to log in as administrator and my transactions do get
> logged on the KDC.  It is the *client* kadmin that's trying to open the
> log file R/W, for some reason.  The KDC, of course, which is the machine
> I'm doing this on, has the KDC log file configured in its krb5.conf(*).
> 
> This is a definite change from 1.2.7, which I was running before.  In
> fact, if I use the kadmin from 1.2.7 against this same 1.3.4 KDC, I have
> no problem and don't get the above message.
> 
> Running 'truss' (this is Solaris 8), I see that kadmin is trying to open
> the log file R/W.  Anyone know why this is, or should be?
> 
> (*) My krb5.conf on the KDC host has these entries, which are the same
> ones I used with 1.2.7:
> 
>    [logging]
>         kdc = FILE:/var/log/kerberos/kerberos.log
>         admin_server = FILE:/var/log/kerberos/kerberos.log
>         default = FILE:/var/log/kerberos/kerberos.log
> 
> I even tried changing the 'default' entry to a file in /tmp, in case
> kadmin was using that entry for some kind of local logging.  But truss
> shows that kadmin is still trying to open /var/log/kerberos/kerberos.log
> R/W.
> 
> Any ideas?
> 
> Thanks.
> 
> Mike
> 
> ------------------------------------------------------------------------------
> Mike Friedman                             System and Network Security
> mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
> 1-510-642-1410                            University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
> ------------------------------------------------------------------------------
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7 at ccmr.cornell.edu
********************************
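
An added diagnostic, not part of the thread and not MIT krb5 code: it reads the `[logging]` section of a krb5.conf and reports which `FILE:` targets the invoking user cannot open read/write, which is the open that truss showed failing. It does not reproduce kadmin's own logic; the function names are hypothetical, and the sample config is constructed from the entries quoted above with a placeholder realm.

```python
import os
import re

# Constructed sample: the [logging] entries quoted in the thread, plus an
# unrelated section to show that only [logging] is read.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[logging]
    kdc = FILE:/var/log/kerberos/kerberos.log
    admin_server = FILE:/var/log/kerberos/kerberos.log
    default = FILE:/var/log/kerberos/kerberos.log
"""

def logging_file_targets(conf_text):
    """Return [(entry, path)] for FILE: / FILE= targets under [logging]."""
    targets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "logging" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = re.match(r"FILE[:=](.+)", value)
            if target:  # SYSLOG, STDERR, CONSOLE and DEVICE entries are skipped
                targets.append((key, target.group(1).strip()))
    return targets

def unwritable_targets(conf_text):
    """Return {path: error} for log files this user cannot open read/write."""
    failures = {}
    for _, path in logging_file_targets(conf_text):
        if path in failures:
            continue
        try:
            # No O_CREAT: this is a probe and must not create the log file.
            os.close(os.open(path, os.O_RDWR | os.O_APPEND))
        except OSError as exc:
            failures[path] = exc.strerror
    return failures

if __name__ == "__main__":
    for path, err in unwritable_targets(SAMPLE_KRB5_CONF).items():
        print(f"Couldn't open log file {path}: {err}")
```

Run it as the same non-privileged account that invokes kadmin, passing the text of that host's krb5.conf instead of the sample.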

