kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

Ken Raeburn raeburn at MIT.EDU
Sun Jun 11 12:48:34 EDT 2006


On Jun 10, 2006, at 22:27, bohongdxl at gmail.com wrote:
> kadmin:  cpw myusr
> Enter password for principal "myusr":
> Re-enter password for principal "myusr":
> change_password: Unknown code kdb5 21 while changing password for
> "myusr at MY.REALM.COM".

> Additionally, I am having a problem with kpasswd. When I logged into
> 'mara' as 'myusr', here is what I got:
>
> ==============================================
> [myusr at mara ~]$ kinit myusr
> Password for myusr at MY.REALM.COM:
> [myusr at mara ~]$ kpasswd
> Password for myusr at MY.REALM.COM:
> Enter new password:
> Enter it again:
> Server error: Password not changed.
> Insufficient access to lock database while trying to change password.

(kdb5 error code 21 is insufficient-access)

Are you sure kadmind is running with the right privileges?  It's able  
to write to the database, lock the database, etc?

I think it might also be possible to get that error back if some  
other process keeps the database locked for an extended period of  
time.  But nothing should, unless you suspend kadmin.local or some  
other process at just the wrong time.  Check for old kadmin.local or  
kdb5_util processes lying around, and maybe restart the
Kerberos-related daemon processes.

Worst case, you could run strace on the kadmind process while doing  
this, and see what operations are failing, and use lsof to see if any  
other processes are accessing the database files.


> Interestingly, when I do kpasswd from a remote machine, I don't get the
> 'Insufficient access' error. Instead, I got a different error:
> "kpasswd: Connection timed out changing password"

That sounds like a firewall problem -- port 464 open?

Ken
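
Added example (not part of the original message): one way to read the strace output suggested above, by mapping each failed call back to the file it touched and to which of the two explanations in the reply its errno points toward. The trace lines, the /path/to/krb5kdc/ prefix and the names failing_db_ops and HINTS are constructed for illustration; a single-process trace is assumed.

```python
import re

# Constructed strace-style lines (single process); the paths are placeholders,
# not taken from the thread or from a real kadmind trace.
SAMPLE = '''\
open("/path/to/krb5kdc/principal.kadm5.lock", O_RDWR) = -1 EACCES (Permission denied)
open("/path/to/krb5kdc/principal.kadm5.lock", O_RDONLY) = 7
fcntl(7, F_SETLK, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=0}) = -1 EBADF (Bad file descriptor)
open("/path/to/krb5kdc/principal", O_RDWR) = 8
fcntl(8, F_SETLK, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=0}) = -1 EAGAIN (Resource temporarily unavailable)
close(8) = 0
open("/etc/krb5.conf", O_RDONLY) = 8
read(8, "", 4096) = -1 EIO (Input/output error)
'''

RESULT = r'\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?'
OPEN_RE = re.compile(r'^(?:\d+\s+)?(open(?:at)?)\((?:AT_FDCWD, )?"([^"]+)".*' + RESULT)
FD_RE = re.compile(r'^(?:\d+\s+)?(\w+)\((\d+).*' + RESULT)

# Which of the two explanations in the reply an errno points toward.
HINTS = {
    "EACCES": "permissions", "EPERM": "permissions", "EROFS": "permissions",
    "EBADF": "read-only descriptor",  # write lock asked on an fd not open for writing
    "EAGAIN": "lock held elsewhere", "EWOULDBLOCK": "lock held elsewhere",
}

def failing_db_ops(trace, db_prefix):
    """Return (syscall, path, errno, hint) for failed calls on files under db_prefix."""
    fds, failures = {}, []
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            call, path, ret, err = m.group(1), m.group(2), int(m.group(3)), m.group(4)
            if ret >= 0:
                fds[ret] = path              # remember which file this descriptor is
        else:
            m = FD_RE.match(line)
            if not m:
                continue
            call, fd, ret, err = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
            path = fds.get(fd)               # lock calls name only the descriptor
            if call == "close" and ret == 0:
                fds.pop(fd, None)            # descriptor numbers get reused
        if ret < 0 and path and path.startswith(db_prefix):
            failures.append((call, path, err, HINTS.get(err, "other")))
    return failures
```

A "lock held elsewhere" result is the case where lsof on the reported path shows which other process has the file open.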


