kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

Sensei senseiwa at mac.com
Sun Jun 11 03:44:23 EDT 2006


On 2006-06-11 04:27:25 +0200, bohongdxl at gmail.com said:

> Hello,
> 
>     I tried to install Kerberos on my small systems and have got
> limited success.
> 
>     krb5kdc and kadmind are installed on an Intel Xeon box running
> 65-bit Fedora Core 5. Firewall is enabled on this machine, with port 88
> and 749 accepting incoming packets. DNS is also working properly.
> 
>     kdc5.conf

So, I suppose you have enabled TCP/UDP ports.

>     On this computer, when I use kadmin.local to add/delete/modify the
> principals, everything works fine. When I use kadmin, I can pass the
> authentication and run some of the commands but 'cpw' will fail. Here
> is what I got:  (mara is the computer)

The kadmin.local is somewhat different from others, you want your users 
to change their passwords, and possibly use kadmin on any client just 
for system administration without involving a root login.

> [root at mara myusr]# kinit admin/admin
> Password for admin/admin at MY.REALM.COM:   <password typed>
> [root at mara myusr]# klist
> Ticket cache: FILE:/tmp/krb5cc_500_bYyQI13791
> Default principal: admin/admin at MY.REALM.COM
> 
> Valid starting     Expires            Service principal
> 06/10/06 21:38:30  06/11/06 21:38:30  krbtgt/MY.REALM.COM at MY.REALM.COM
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached

Good for you.

> [root at mara myusr]# kadmin
> Authenticating as principal admin/admin at MY.REALM.COM with password.
> Password for admin/admin at MY.REALM.COM:  <password typed>
> kadmin:  list_principals
> K/M at MY.REALM.COM
> admin/admin at MY.REALM.COM
> myusr at MY.REALM.COM
> kadmin/admin at MY.REALM.COM
> kadmin/changepw at MY.REALM.COM
> kadmin/history at MY.REALM.COM
> kadmin/MY.REALM.COM at MY.REALM.COM
> krbtgt/MY.REALM.COM at MY.REALM.COM
> kadmin:  cpw myusr
> Enter password for principal "myusr":
> Re-enter password for principal "myusr":
> change_password: Unknown code kdb5 21 while changing password for
> "myusr at MY.REALM.COM".
> kadmin:  exit
> [root at mara myusr]#

Bad for you.

> When I do the same list of commands (kinit, klist, kadmin - cpw) from a
> remote machine, the same 'Unknown code kdb5 21' happens.
> 
> What's more interesting is that kerberos itself is doing authentication
> properly. I set up the sshd on the computer 'mara' to use kerberos, and
> I can ssh into 'mara' as 'myusr' using its kerberos password.
> 
> Can anyone give me an insight?

Well, you gave us just the very beginning of the needed information.
For a complete diagnosis, post your

krb5.conf
kdc.conf
kadm5.acl

> [myusr at mara ~]$ kinit myusr
> Password for myusr at MY.REALM.COM:
> [myusr at mara ~]$ kpasswd
> Password for myusr at MY.REALM.COM:
> Enter new password:
> Enter it again:
> Server error: Password not changed.
> Insufficient access to lock database while trying to change password.
> 
> [myusr at mara ~]$
> ==============================================
> 
> Interestingly, when I do kpasswd from a remote machine, I don't get the
> 'Insufficient access' error. Instead, I got a different error:
> "kpasswd: Connection timed out changing password"
> 
> In any case, if a user cannot execute kpasswd, it's almost impractical
> to use kerberos.
> 
> I tend to believe that something is wrong with my kerberos setup. It's
> strange because I followed the introduction in www.linux.com/howtos/
> Kerberos-Infrastructure-HOWTO/index.shtml    Besides, I can already run
> ssh with kerberos authentication.
> 
> Any insight would be greatly appreciated.  thanks in advance.

Check the ACLs, and post the configuration files for your realm.

-- 
Sensei <senseiwa at mac.com>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true.      [J. Robert Oppenheimer]
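Sensei's advice is to check the ACLs. The block below is an added example, not code from this thread or from MIT Kerberos: a small Python evaluator for kadm5.acl entries that lets you check offline whether an administrative principal holds the 'c' (change password) privilege over a target principal, which is what kadmin's cpw needs, before you ask kadmind. It assumes the MY.REALM.COM realm from the thread, a constructed sample ACL, and a simplified reading of the MIT matching rules (first matching entry decides, `*` matches within a single principal component, no `*n` back-references).

```python
"""Evaluate MIT-style kadm5.acl entries offline (added example, not from the thread)."""
from fnmatch import fnmatchcase

# Realm taken from the thread; bare principal names are qualified with it.
DEFAULT_REALM = "MY.REALM.COM"

# Privilege letters as documented for MIT kadm5.acl (a d m c i l p s e);
# 'x' and '*' stand for all of them. 'c' is the one cpw requires.
PRIV_LETTERS = "admcilpse"
ALL_PRIVS = frozenset(PRIV_LETTERS)

# Constructed sample kadm5.acl: */admin gets everything, a helpdesk
# principal may only change passwords of */user principals and list.
SAMPLE_ACL = """\
# constructed sample kadm5.acl for MY.REALM.COM
*/admin@MY.REALM.COM   *
helpdesk@MY.REALM.COM  c   */user@MY.REALM.COM
helpdesk@MY.REALM.COM  l
"""


def parse_permissions(field):
    """Lowercase letters grant a privilege, uppercase letters revoke it."""
    granted = set()
    for ch in field:
        if ch in ("*", "x"):
            granted |= ALL_PRIVS
        elif ch == "X":
            granted.clear()
        elif ch.lower() in PRIV_LETTERS:
            if ch.islower():
                granted.add(ch)
            else:
                granted.discard(ch.lower())
        else:
            raise ValueError(f"unknown privilege letter {ch!r}")
    return frozenset(granted)


def split_principal(name, default_realm=DEFAULT_REALM):
    """'admin/admin@R' -> (['admin', 'admin'], 'R'); unqualified names get default_realm."""
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    else:
        realm = default_realm
    return name.split("/"), realm


def principal_matches(pattern, name, default_realm=DEFAULT_REALM):
    """Component-wise match; '*' is a wildcard inside one component (simplification)."""
    pcomps, prealm = split_principal(pattern, default_realm)
    ncomps, nrealm = split_principal(name, default_realm)
    if len(pcomps) != len(ncomps):
        return False
    return (all(fnmatchcase(n, p) for p, n in zip(pcomps, ncomps))
            and fnmatchcase(nrealm, prealm))


def parse_acl(text):
    """Return [(principal_pattern, granted_privs, target_pattern_or_None), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], parse_permissions(fields[1]), target))
    return entries


def acl_allows(entries, client, priv, target=None, default_realm=DEFAULT_REALM):
    """First entry matching the client (and the target, if the entry names one) decides.

    Assumption: this mirrors MIT kadmind's first-match evaluation; an entry
    with a target field is skipped when the operation has no target.
    """
    for principal, perms, tgt in entries:
        if not principal_matches(principal, client, default_realm):
            continue
        if tgt is not None and (target is None
                                or not principal_matches(tgt, target, default_realm)):
            continue
        return priv in perms
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # The situation from the thread: admin/admin running "cpw myusr".
    ok = acl_allows(acl, "admin/admin@MY.REALM.COM", "c", "myusr@MY.REALM.COM")
    print("admin/admin may change myusr's password:", ok)
```

Run it against your own kadm5.acl by reading the file into parse_acl and testing the exact client and target principals from the failing kadmin session; a False result pinpoints a missing or mis-targeted entry, while a True result means the ACL is not the cause and the remaining suspects are kadmind's own access to the database and the krb5.conf/kdc.conf settings Sensei asked for.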