kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

bohongdxl@gmail.com
Sun Jun 11 15:27:51 EDT 2006


Thanks,

    The configuration files are as follows:  (I have replaced my real
realm with 'MY.REALM.COM', and my real domain with 'realm.com').
thanks.

krb5.conf
---------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.REALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MY.REALM.COM = {
  kdc = MY.REALM.COM:88
  admin_server = MY.REALM.COM:749
  default_domain = realm.com
 }

[domain_realm]
 .realm.com = MY.REALM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
---------------------------------------


kdc.conf
---------------------------------------
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 MY.REALM.COM = {
  #master_key_type = des3-hmac-sha1
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
---------------------------------------

kadmin5.acl has just one line
---------------------------------------
*/admin at MY.REALM.COM  *
---------------------------------------


Sensei wrote:
> On 2006-06-11 04:27:25 +0200, bohongdxl at gmail.com said:
>
> > Hello,
> >
> >     I tried to install Kerberos on my small systems and have got
> > limited success.
> >
> >     krb5kdc and kadmind are installed on an Intel Xeon box running
> > 65-bit Fedora Core 5. Firewall is enabled on this machine, with ports 88
> > and 749 accepting incoming packets. DNS is also working properly.
> >
> >     kdc5.conf
>
> So, I suppose you have enabled TCP/UDP ports.
>
> >     On this computer, when I use kadmin.local to add/delete/modify the
> > principals, everything works fine. When I use kadmin, I can pass the
> > authentication and run some of the commands but 'cpw' will fail. Here
> > is what I got:  (mara is the computer)
>
> The kadmin.local is somewhat different from others, you want your users
> to change their passwords, and possibly use kadmin on any client just
> for system administration without involving a root login.
>
> > [root at mara myusr]# kinit admin/admin
> > Password for admin/admin at MY.REALM.COM:   <password typed>
> > [root at mara myusr]# klist
> > Ticket cache: FILE:/tmp/krb5cc_500_bYyQI13791
> > Default principal: admin/admin at MY.REALM.COM
> >
> > Valid starting     Expires            Service principal
> > 06/10/06 21:38:30  06/11/06 21:38:30  krbtgt/MY.REALM.COM at MY.REALM.COM
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
>
> Good for you.
>
> > [root at mara myusr]# kadmin
> > Authenticating as principal admin/admin at MY.REALM.COM with password.
> > Password for admin/admin at MY.REALM.COM:  <password typed>
> > kadmin:  list_principals
> > K/M at MY.REALM.COM
> > admin/admin at MY.REALM.COM
> > myusr at MY.REALM.COM
> > kadmin/admin at MY.REALM.COM
> > kadmin/changepw at MY.REALM.COM
> > kadmin/history at MY.REALM.COM
> > kadmin/MY.REALM.COM at MY.REALM.COM
> > krbtgt/MY.REALM.COM at MY.REALM.COM
> > kadmin:  cpw myusr
> > Enter password for principal "myusr":
> > Re-enter password for principal "myusr":
> > change_password: Unknown code kdb5 21 while changing password for
> > "myusr at MY.REALM.COM".
> > kadmin:  exit
> > [root at mara myusr]#
>
> Bad for you.
>
> > When I do the same list of commands (kinit, klist, kadmin - cpw) from a
> > remote machine, the same 'Unknown code kdb5 21' happens.
> >
> > What's more interesting is that kerberos itself is doing authentication
> > properly. I set up the sshd on the computer 'mara' to use kerberos, and
> > I can ssh into 'mara' as 'myusr' using its kerberos password.
> >
> > Can anyone give me an insight?
>
> Well, you gave us just the very beginning of the needed information.
> For a complete diagnosis, post your
>
> krb5.conf
> kdc.conf
> kadm5.acl
>
> > [myusr at mara ~]$ kinit myusr
> > Password for myusr at MY.REALM.COM:
> > [myusr at mara ~]$ kpasswd
> > Password for myusr at MY.REALM.COM:
> > Enter new password:
> > Enter it again:
> > Server error: Password not changed.
> > Insufficient access to lock database while trying to change password.
> >
> > [myusr at mara ~]$
> > ==============================================
> >
> > Interestingly, when I do kpasswd from a remote machine, I don't get the
> > 'Insufficient access' error. Instead, I got a different error:
> > "kpasswd: Connection timed out changing password"
> >
> > In any case, if a user cannot execute kpasswd, it's almost impractical
> > to use kerberos.
> >
> > I tend to believe that something is wrong with my kerberos setup. It's
> > strange because I followed the introduction in
> > www.linux.com/howtos/Kerberos-Infrastructure-HOWTO/index.shtml. Besides, I can already run
> > ssh with kerberos authentication.
> >
> > Any insight would be greatly appreciated.  thanks in advance.
>
> Check the ACLs, and post the configuration files for your realm.
>
> --
> Sensei <senseiwa at mac.com>
>
> The optimist thinks this is the best of all possible worlds.
> The pessimist fears it is true.      [J. Robert Oppenheimer]
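An added example, written for this archive page and not taken from the thread or from the MIT Kerberos sources, that evaluates kadm5.acl entries the way kadm5.acl(5) describes them: a '*' in a pattern matches one whole principal component (or the realm), lowercase letters grant a permission, uppercase letters withhold it, '*' or 'x' grants all of them, and a principal changing its own password needs no ACL entry at all. Run against the one-line ACL posted above (with the list archive's "at" written back as '@'), it shows that admin/admin is granted 'c' on myusr, so the ACL is not what refuses the cpw. That matches the error texts: "Unknown code kdb5 21" from kadmin and "Insufficient access to lock database" from kpasswd are the same kdb5 error table entry (KRB5_KDB_CANTLOCK_DB), a database locking failure inside kadmind, whereas an ACL refusal is reported as a missing privilege. The remote "Connection timed out" is a separate symptom: kpasswd talks to the kadmin/changepw service on port 464, which is not among the ports listed as open. The help-desk entries and the first-matching-entry rule are my assumptions; the parser reads text only and talks to no kadmind.

```python
"""Evaluate MIT Kerberos kadm5.acl entries (added example, not from the thread)."""

# Permission letters from kadm5.acl(5): add, delete, modify, changepw,
# inquire, list, propagate, setkey, extract.  '*' and 'x' grant "admcilsp".
PERM_LETTERS = frozenset("admcilpse")
ALL_PERMS = frozenset("admcilsp")


def _split_principal(princ):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = princ.rpartition("@")
    if not sep:                       # no realm given
        name, realm = realm, ""
    return name.split("/"), realm


def principal_matches(pattern, princ):
    """'*' in a pattern matches exactly one whole component (or the realm)."""
    pcomps, prealm = _split_principal(pattern)
    ccomps, crealm = _split_principal(princ)
    if len(pcomps) != len(ccomps) or prealm not in ("*", crealm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, ccomps))


def parse_acl(text):
    """Parse kadm5.acl text into (principal_pattern, granted, target_pattern)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        granted = set()
        for ch in fields[1]:
            if ch in "*x":
                granted |= ALL_PERMS
            elif ch in PERM_LETTERS:
                granted.add(ch)                # lowercase grants
            elif ch.lower() in PERM_LETTERS:
                granted.discard(ch.lower())    # uppercase withholds
            else:
                raise ValueError(f"unknown permission {ch!r} in {raw!r}")
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], frozenset(granted), target))
    return entries


def acl_allows(entries, caller, perm, target=None):
    """First entry matching the caller (and the target, when the entry names
    one) decides.  Assumption: first-match semantics, as stated in the lead-in."""
    for pattern, granted, target_pattern in entries:
        if not principal_matches(pattern, caller):
            continue
        if target_pattern is not None:
            if target is None or not principal_matches(target_pattern, target):
                continue
        return perm in granted
    return False


def may_change_password(entries, caller, target):
    """kadmind lets a principal change its own password without an ACL entry;
    changing anyone else's requires the 'c' permission."""
    return caller == target or acl_allows(entries, caller, "c", target)


# Constructed ACL: the first entry is the one-line file from the thread
# (with '@' written out); the help-desk entries are illustrative only and
# grant password changes on single-component principals and nothing else.
SAMPLE_ACL = """\
# kadm5.acl
*/admin@MY.REALM.COM   *
helpdesk@MY.REALM.COM  c      *@MY.REALM.COM
helpdesk@MY.REALM.COM  ADMCIL
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for caller, perm, target in [
        ("admin/admin@MY.REALM.COM", "c", "myusr@MY.REALM.COM"),
        ("myusr@MY.REALM.COM", "c", "someone@MY.REALM.COM"),
        ("helpdesk@MY.REALM.COM", "c", "myusr@MY.REALM.COM"),
        ("helpdesk@MY.REALM.COM", "c", "admin/admin@MY.REALM.COM"),
        ("helpdesk@MY.REALM.COM", "l", None),
    ]:
        print(f"{caller:28} {perm} {target or '-':28} -> "
              f"{acl_allows(acl, caller, perm, target)}")
    print("myusr changing own password:",
          may_change_password(acl, "myusr@MY.REALM.COM", "myusr@MY.REALM.COM"))
```

The table the script prints is the check to run whenever a cpw or kpasswd fails: if the caller is granted 'c' on the target here and kadmind still refuses, the cause is downstream of the ACL (database file access, the kadmind process's permissions, or a firewall in front of port 464), not the kadm5.acl line.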



