kadmin.local works but kadmin doesn't. kpasswd complains 'insufficient access to lock data base'

bohongdxl@gmail.com
Sat Jun 10 22:42:04 EDT 2006


    I tried to install Kerberos on my small system and have got limited

    krb5kdc and kadmind are installed on an Intel Xeon box running
64-bit Fedora Core 5. The firewall is enabled on this machine, with ports 88
and 749 accepting incoming packets. DNS is also working properly.

    Kerberos itself is doing authentication properly. I set up the sshd
on the computer to use Kerberos, disabled the use of local passwords
in sshd, and I can ssh into the computer using my Kerberos password.

    On this computer, when I use kadmin.local to add/delete/modify the
principals, everything works fine.

    The interesting thing is: when I use kadmin, I can pass the
authentication and run some of the commands, but 'cpw' fails. Here
is what I got (mara is the computer):


[root@mara myusr]# kinit admin/admin
Password for admin/admin@MY.REALM.COM:   <password typed>
[root@mara myusr]# klist
Ticket cache: FILE:/tmp/krb5cc_500_bYyQI13791
Default principal: admin/admin@MY.REALM.COM

Valid starting     Expires            Service principal
06/10/06 21:38:30  06/11/06 21:38:30  krbtgt/MY.REALM.COM@MY.REALM.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@mara myusr]# kadmin
Authenticating as principal admin/admin@MY.REALM.COM with password.
Password for admin/admin@MY.REALM.COM:  <password typed>
kadmin:  list_principals
admin/admin@MY.REALM.COM
myusr@MY.REALM.COM
kadmin/admin@MY.REALM.COM
kadmin/changepw@MY.REALM.COM
kadmin/history@MY.REALM.COM
kadmin:  cpw myusr
Enter password for principal "myusr":
Re-enter password for principal "myusr":
change_password: Unknown code kdb5 21 while changing password for
"myusr@MY.REALM.COM".
kadmin:  exit
[root@mara myusr]#


When I run the same list of commands (kinit, klist, kadmin - cpw) from a
remote machine, the same 'Unknown code kdb5 21' error occurs.

Can anyone give me an insight?

Additionally, I am having a problem with kpasswd. When I logged into
'mara' as 'myusr', here is what I got:

[myusr@mara ~]$ kinit myusr
Password for myusr@MY.REALM.COM:
[myusr@mara ~]$ kpasswd
Password for myusr@MY.REALM.COM:
Enter new password:
Enter it again:
Server error: Password not changed.
Insufficient access to lock database while trying to change password.

[myusr@mara ~]$

Interestingly, when I run kpasswd from a remote machine, I don't get the
'Insufficient access' error. Instead, I get a different error:
"kpasswd: Connection timed out changing password"

In any case, if a user cannot run kpasswd, it's almost impractical
to use Kerberos.

I tend to believe that something is wrong with my Kerberos setup. It's
strange because I followed the introduction at
www.linux.com/howtos/Kerberos-Infrastructure-HOWTO/index.shtml. Besides,
I can already run ssh with Kerberos authentication.

Any insight would be greatly appreciated. Thanks in advance.
