kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'
bohongdxl@gmail.com
bohongdxl at gmail.com
Mon Jun 12 15:22:37 EDT 2006
Sensei wrote:
> On 2006-06-11 21:27:51 +0200, bohongdxl at gmail.com said:
>
> > krb5.conf
> > ---------------------------------------
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = MY.REALM.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > ticket_lifetime = 24h
> > forwardable = yes
> >
> > [realms]
> > MY.REALM.COM = {
> > kdc = MY.REALM.COM:88
> > admin_server = MY.REALM.COM:749
> > default_domain = realm.com
> > }
>
> These lines should contain host names. This would suffice (using
> standard ports):
>
> [realms]
> MY.REALM.COM = {
> kdc = hostkdc.my.realm.com
> admin_server = hostadmin.myrealm.com
> }
>
> > [domain_realm]
> > .realm.com = MY.REALM.COM
>
> Add the mapping
>
> realm.com = MY.REALM.COM
>
> And check for the domain/realm mapping bug (solved by removing any
> mapping here), I've been facing this problem.
>
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
>
> For the client side? Why?
>
> > [appdefaults]
> > pam = {
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > forwardable = true
> > krb4_convert = false
> > }
>
> Ok.
>
> > kdc.conf
> > ---------------------------------------
> > [kdcdefaults]
> > acl_file = /var/kerberos/krb5kdc/kadm5.acl
> > dict_file = /usr/share/dict/words
> > admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> > v4_mode = nopreauth
> >
> > [realms]
> > MY.REALM.COM = {
> > #master_key_type = des3-hmac-sha1
> > supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> > des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
> > des-cbc-crc:v4 des-cbc-crc:afs3
> > }
> > ---------------------------------------
>
> Just that? I use this kind of configuration (more verbose for the
> realms stanza):
>
>
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> KERBEROS.REALM = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
> kdc_ports = 750,88
> max_life = 24h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal
> des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> default_principal_flags = -preauth
> }
>
>
>
> > kadmin5.acl has just one line
> > ---------------------------------------
> > */admin at MY.REALM.COM *
> > ---------------------------------------
>
> */admin *
>
> Should do the work.
>
> Can you check the file owner/group and permissions for all the kerberos
> files? DB, directories and stuff... UID of the daemons... any other
> information since I read your post on starting kadmind directly :)
I am almost certain that selinux is causing the problem.
When I set selinux to 'enforcing', and start kerberos using
'/sbin/service kadmin start', kpasswd will trigger the error
'insufficient access to database'. If I start kerberos using 'kadmin'
directly, kpasswd will succeed.
When I set selinux to 'permissive' (effectively disabling selinux), and
start kerberos using '/sbin/service kadmin start', kpasswd will
succeed.
When selinux is in 'enforcing' mode, and kadmind is started using
'/sbin/service admin start', the process 'kadmind' runs in context
'kadmind_t'. When kadmind is started by root using 'kadmind', the
process 'kadmind' runs in context 'unconfined_t'.
I believe when 'kadmind' runs in context 'unconfined_t', it can
read/write all the configuration files, DB, etc. But if it runs in
context 'kadmin_t', some files are readonly. But changing password
definitely needs to write some files. That causes the error.
Now my question is: How do I set selinux so that kadmin can work
correctly? I prefer not to disable selinux.
Any insights would be appreciated.
More information about the Kerberos
mailing list