Cannot start the krb5kdc

Sensei senseiwa at tin.it
Thu Aug 4 09:57:28 EDT 2005 

On 2005-07-31 19:28:10 +0200, daniel.savard at gmail.com (Daniel Savard) said:

> I think I sent it directly to sensei instead to the list. I apologize.
> 
> Also, I am running mit-kerberos version 1.4.1. I think previous
> version was 1.3.6. I just read I was supposed to backup my database
> before upgrading and the Gentoo procedure didn't take this into
> account. So, I guest the database is not in a proper format for 1.4.1.
> Is there a way to recover this kind of error? Any tool to perform the
> conversion?


If I remember right, those databases should be compatible. But, check 
it with kdb5_util from the command line.

> 
> Here is my krb5.conf:
> 
> [libdefaults]
>         ticket_lifetime = 600
>         default_realm = CIDS.CA
>         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> 
> [realms]
>         CIDS.CA = {
>         kdc = kerberos.cids.ca:88
>         kdc = kerberos-1.cids.ca:88
>         admin_server = kerberos.cids.ca:749
>         }
> 
> [domain_realm]
>         .cids.ca = CIDS.CA
>         cids.ca = CIDS.CA
> 
> [kdc]
>         profile = /etc/krb5kdc/kdc.conf

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Why? There's no [kdc] section in krb5.conf --- check it with

man krb5.conf

if they've changed the sections in gentoo.


[kdcdefaults]
>         kdc_ports = 88,750
> 
> [realms]
>         CIDS.CA = {
>         database_name = /etc/krb5kdc/principal
>         admin_keytab = /etc/krb5kdc/kadm5.keytab
>         acl_file = /etc/krb5kdc/kadm5.acl
>         key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
>         dict_file = /etc/krb5kdc/kadm5.dict
>         kadmind_port = 749
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         master_key_type = des3-hmac-sha1
>         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>         }
> 
Seems ok.


> And as you can see, my database is in /etc/krb5kdc/principal. All the
> files exists, except the dict_file, which is no harm I think. Anyway,
> even if I removed this stanza it doesn't change anything.
> 

Create it or remove the entry. In the man page, I don't see the default 
behavior if no dictionary exists.


> When trying to startup the KDC, I am getting the messages already
> mentionned in my previous post. Not much more details than that.
> Unless you can told me a way to increase debugging level.
> 

Check the kdc.conf again and be sure the database works with the tools 
provided by kerberos. Also, be sure all the principals exist in the db, 
like K/M at CIDS.CA and so on.

-- 
Sensei <senseiwa at tin.it>

cd /pub
more beer

More information about the Kerberos mailing list