kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

bohongdxl@gmail.com bohongdxl at gmail.com
Sun Jun 11 17:16:37 EDT 2006


Ken Raeburn wrote:
> On Jun 10, 2006, at 22:27, bohongdxl at gmail.com wrote:
> > kadmin:  cpw myusr
> > Enter password for principal "myusr":
> > Re-enter password for principal "myusr":
> > change_password: Unknown code kdb5 21 while changing password for
> > "myusr at MY.REALM.COM".
>
> > Additionally, I am having a problem with kpasswd. When I logged into
> > 'mara' as 'myusr', here is what I got:
> >
> > ==============================================
> > [myusr at mara ~]$ kinit myusr
> > Password for myusr at MY.REALM.COM:
> > [myusr at mara ~]$ kpasswd
> > Password for myusr at MY.REALM.COM:
> > Enter new password:
> > Enter it again:
> > Server error: Password not changed.
> > Insufficient access to lock database while trying to change password.
>
> (kdb5 error code 21 is insufficient-access)
>
> Are you sure kadmind is running with the right privileges?  It's able
> to write to the database, lock the database, etc?


kadmind was started using '/sbin/service kadmind start'. The program
'kadmind' belongs to user 'root' on 'mara'.

Are there any settings to grant kadmind the correct privileges?

Besides, SELinux is running on 'mara'. Could this be a potential
problem? I used the default setting of SELinux.


>
> I think it might also be possible to get that error back if some
> other process keeps the database locked for an extended period of
> time.  But nothing should, unless you suspend kadmin.local or some
> other process at just the wrong time.  Check for old kadmin.local or
> kdb5_util processes lying around, and maybe restart the Kerberos-
> related daemon processes.
>
> Worst case, you could run strace on the kadmind process while doing
> this, and see what operations are failing, and use lsof to see if any
> other processes are accessing the database files.
>

Thanks for the suggestion. I will do it and report later.

>
> > Interestingly, when I do kpasswd from a remote machine, I don't get the
> > 'Insufficient access' error. Instead, I got a different error:
> > "kpasswd: Connection timed out changing password"
>
> That sounds like a firewall problem -- port 464 open?
>

Problem solved, port 464 wasn't open. After opening 464, I got the
'insufficient access' error instead of the timeout.


> Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
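
One way to check the SELinux question raised in the message above, as an added example that is not part of the original thread: filter the audit log for AVC denials recorded against kadmind and see whether a lock or write on the database files was refused. The function names are hypothetical and the audit records are constructed sample data.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials recorded against kadmind.
# On a live host the input would normally be /var/log/audit/audit.log
# (assumes auditd is running); the records below are constructed.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1150060597.101:88): avc:  denied  { lock } for  pid=2345 comm="kadmind" name="principal.ok" dev=dm-0 ino=12345 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1150060597.300:89): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev=dm-0 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150060597.101:88): arch=40000003 syscall=221 success=no exit=-13 comm="kadmind"
type=AVC msg=audit(1150060601.007:93): avc:  denied  { write } for  pid=2345 comm="kadmind" name="principal" dev=dm-0 ino=12346 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints "<perms> <name> <tcontext>"
# for every AVC denial whose comm is kadmind (hypothetical helper name).
kadmind_denials() {
    awk '
    $1 == "type=AVC" && /denied/ && /comm="kadmind"/ {
        perms = ""; name = "-"; tctx = "-"
        if (match($0, /[{][^}]*[}]/)) {          # permissions sit inside { }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { tctx = $i; sub(/^tcontext=/, "", tctx) }
        }
        print perms, name, tctx
    }'
}

# Exit status 0 when kadmind was denied a lock or write on any file.
kadmind_db_blocked() {
    kadmind_denials | grep -Eq '^([a-z_]+,)*(lock|write)(,[a-z_]+)* '
}

sample_audit_log | kadmind_denials
```

Against a live host, feed the real log on stdin as root, for example `kadmind_denials < /var/log/audit/audit.log`.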
