kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'
Sensei
senseiwa at mac.com
Mon Jun 12 14:59:35 EDT 2006
On 2006-06-11 21:27:51 +0200, bohongdxl at gmail.com said:
> krb5.conf
> ---------------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MY.REALM.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> MY.REALM.COM = {
> kdc = MY.REALM.COM:88
> admin_server = MY.REALM.COM:749
> default_domain = realm.com
> }
These lines should contain host names. This would suffice (using
standard ports):
[realms]
MY.REALM.COM = {
kdc = hostkdc.my.realm.com
admin_server = hostadmin.myrealm.com
}
> [domain_realm]
> .realm.com = MY.REALM.COM
Add the mapping
realm.com = MY.REALM.COM
And check for the domain/realm mapping bug (solved by removing any
mapping here); I've been facing this problem.
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
For the client side? Why?
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
Ok.
> kdc.conf
> ---------------------------------------
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
>
> [realms]
> MY.REALM.COM = {
> #master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3
> }
> ---------------------------------------
Just that? I use this kind of configuration (more verbose for the
realms stanza):
[kdcdefaults]
kdc_ports = 750,88
[realms]
KERBEROS.REALM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 24h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal
des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = -preauth
}
> kadmin5.acl has just one line
> ---------------------------------------
> */admin at MY.REALM.COM *
> ---------------------------------------
*/admin *
Should do the work.
Can you check the file owner/group and permissions for all the Kerberos
files? DB, directories and stuff... UID of the daemons... any other
information, since I read your post on starting kadmind directly :)
--
Sensei <senseiwa at mac.com>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
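An added example, not part of this thread and not MIT Kerberos code: a small Python linter that parses the krb5.conf/kdc.conf profile format (including nested "key = {" blocks) and kadm5.acl, then reports the points made in the reply above: realm stanzas whose kdc/admin_server entries name the realm instead of a host, a ".domain" mapping without the bare "domain", a [kdc] section in a client file, and an ACL line that gives a wildcard principal every privilege ("*" or "x") with no target restriction. The sample inputs are constructed to mirror the poster's configuration; host and realm names are placeholders, and real ACL files use "@" where the archive shows " at ".

```python
"""Added example, not from the thread: a linter for the MIT Kerberos profile
format (krb5.conf / kdc.conf) and kadm5.acl, encoding the points raised above."""
import re
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else value if isinstance(value, list) else [value]


def _store(table: Dict[str, Any], key: str, value: Any) -> None:
    """Repeated keys (e.g. several 'kdc =' lines) accumulate into a list."""
    table[key] = _as_list(table[key]) + [value] if key in table else value


def parse_profile(text: str) -> Dict[str, Any]:
    """Parse [section] headers, 'key = value' lines and nested 'key = {' ... '}'
    blocks of any depth. '#' starts a comment; text before a section is dropped."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []   # enclosing tables of the open '{' blocks
    current: Dict[str, Any] = {}       # throwaway table until the first [section]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[([A-Za-z0-9_]+)\]$', line)
        if header and not stack:
            current = root.setdefault(header.group(1), {})
        elif line == '}':
            current = stack.pop()          # IndexError on a stray '}'
        else:
            key, _, value = (part.strip() for part in line.partition('='))
            if value == '{':               # open a nested block
                child: Dict[str, Any] = {}
                _store(current, key, child)
                stack.append(current)
                current = child
            else:
                _store(current, key, value)
    if stack:
        raise ValueError('unbalanced braces in profile')
    return root


def check_krb5(conf: Dict[str, Any]) -> List[str]:
    """Findings for a client krb5.conf, as plain strings."""
    findings: List[str] = []
    for realm, stanza in conf.get('realms', {}).items():
        for key in ('kdc', 'admin_server', 'kpasswd_server'):
            for entry in _as_list(stanza.get(key)):
                host = entry.split(':', 1)[0]     # drop an optional :port
                if host.upper() == realm.upper():
                    findings.append(f'[realms] {realm}: {key} = {entry} names the '
                                    f'realm, not a host; use the KDC host name')
    mapping = conf.get('domain_realm', {})
    for domain, realm in mapping.items():
        if domain.startswith('.') and domain[1:] not in mapping:
            findings.append(f'[domain_realm] {domain} is mapped but {domain[1:]} '
                            f'is not; add "{domain[1:]} = {realm}"')
    if 'kdc' in conf:
        findings.append('[kdc] section present: the KDC daemon reads it, a plain '
                        'client does not need it')
    return findings


def parse_acl(text: str) -> List[Dict[str, Any]]:
    """Parse kadm5.acl lines: principal permissions [target_principal [...]]."""
    entries: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        principal, perms, *rest = line.split(None, 3)   # ValueError if < 2 fields
        entries.append({'principal': principal, 'perms': perms,
                        'target': rest[0] if rest else None})
    return entries


def check_acl(entries: List[Dict[str, Any]]) -> List[str]:
    """Flag wildcard principals given every privilege ('*' or 'x') on any target."""
    findings: List[str] = []
    for e in entries:
        if e['perms'] in ('*', 'x') and '*' in e['principal'] and e['target'] is None:
            findings.append(f"kadm5.acl: {e['principal']} {e['perms']}: every match "
                            f"gets all privileges over every principal in the database")
    return findings


# Constructed input mirroring the configuration quoted in the thread.
SAMPLE_KRB5_CONF = """[realms]
 MY.REALM.COM = {
  kdc = MY.REALM.COM:88
  admin_server = MY.REALM.COM:749
 }
[domain_realm]
 .realm.com = MY.REALM.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
"""
SAMPLE_ACL = "*/admin@MY.REALM.COM *\n"     # the single ACL line from the post


def lint(krb5_text: str, acl_text: str) -> List[str]:
    return check_krb5(parse_profile(krb5_text)) + check_acl(parse_acl(acl_text))
```

lint(SAMPLE_KRB5_CONF, SAMPLE_ACL) returns five findings for the quoted configuration and none once the realm stanza names hosts, the bare domain is mapped and the ACL carries a target or narrower permissions. The file owner/mode check the reply also asks for has to be done on the KDC host itself and is not part of this script.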