kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

bohongdxl at gmail.com
Mon Jun 12 16:03:44 EDT 2006


bohongdxl at gmail.com wrote:
> Sensei wrote:
> > On 2006-06-11 21:27:51 +0200, bohongdxl at gmail.com said:
> >
> > > krb5.conf
> > > ---------------------------------------
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > >
> > > [libdefaults]
> > >  default_realm = MY.REALM.COM
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = false
> > >  ticket_lifetime = 24h
> > >  forwardable = yes
> > >
> > > [realms]
> > >  MY.REALM.COM = {
> > >   kdc = MY.REALM.COM:88
> > >   admin_server = MY.REALM.COM:749
> > >   default_domain = realm.com
> > >  }
> >
> > These lines should contain host names. This would suffice (using
> > standard ports):
> >
> > [realms]
> > MY.REALM.COM = {
> > 	kdc = hostkdc.my.realm.com
> > 	admin_server = hostadmin.myrealm.com
> > }
> >
> > > [domain_realm]
> > >  .realm.com = MY.REALM.COM
> >
> > Add the mapping
> >
> > realm.com = MY.REALM.COM
> >
> > And check for the domain/realm mapping bug (solved by removing any
> > mapping here), I've been facing this problem.
> >
> > > [kdc]
> > >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > For the client side? Why?
> >
> > > [appdefaults]
> > >  pam = {
> > >    debug = false
> > >    ticket_lifetime = 36000
> > >    renew_lifetime = 36000
> > >    forwardable = true
> > >    krb4_convert = false
> > >  }
> >
> > Ok.
> >
> > > kdc.conf
> > > ---------------------------------------
> > > [kdcdefaults]
> > >  acl_file = /var/kerberos/krb5kdc/kadm5.acl
> > >  dict_file = /usr/share/dict/words
> > >  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> > >  v4_mode = nopreauth
> > >
> > > [realms]
> > >  MY.REALM.COM = {
> > >   #master_key_type = des3-hmac-sha1
> > >   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> > > des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
> > > des-cbc-crc:v4 des-cbc-crc:afs3
> > >  }
> > > ---------------------------------------
> >
> > Just that? I use this kind of configuration (more verbose for the
> > realms stanza):
> >
> >
> > [kdcdefaults]
> >         kdc_ports = 750,88
> >
> > [realms]
> > KERBEROS.REALM = {
> >                 database_name = /var/lib/krb5kdc/principal
> >                 admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> >                 acl_file = /etc/krb5kdc/kadm5.acl
> >                 key_stash_file = /etc/krb5kdc/stash
> >                 kdc_ports = 750,88
> >                 max_life = 24h 0m 0s
> >                 max_renewable_life = 7d 0h 0m 0s
> >                 master_key_type = des3-hmac-sha1
> >                 supported_enctypes = des3-hmac-sha1:normal
> > des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> >                 default_principal_flags = -preauth
> >         }
> >
> >
> >
> > > kadmin5.acl has just one line
> > > ---------------------------------------
> > > */admin at MY.REALM.COM  *
> > > ---------------------------------------
> >
> > */admin *
> >
> > Should do the work.
> >
> > Can you check the file owner/group and permissions for all the kerberos
> > files? DB, directories and stuff... UID of the daemons... any other
> > information since I read your post on starting kadmind directly :)
>
> I am almost certain that selinux is causing the problem.
>
> When I set selinux to 'enforcing', and start kerberos using
> '/sbin/service kadmin start', kpasswd will trigger the error
> 'insufficient access to database'. If I start kerberos using 'kadmin'
> directly, kpasswd will succeed.
>
> When I set selinux to 'permissive' (effectively disabling selinux), and
> start kerberos using '/sbin/service kadmin start', kpasswd will
> succeed.
>
> When selinux is in 'enforcing' mode, and kadmind is started using
> '/sbin/service kadmin start', the process 'kadmind' runs in context
> 'kadmind_t'. When kadmind is started by root using 'kadmind', the
> process 'kadmind' runs in context 'unconfined_t'.
>
> I believe when 'kadmind' runs in context 'unconfined_t', it can
> read/write all the configuration files, DB, etc. But if it runs in
> context 'kadmind_t', some files are read-only. But changing a password
> definitely needs to write some files. That causes the error.
>
> Now my question is: How do I set selinux so that kadmin can work
> correctly? I prefer not to disable selinux.
>
> Any insights would be appreciated.


The whole problem is solved. The man page for 'kerberos_selinux'
essentially says that selinux protection for krb5kdc and kadmind needs
to be turned off using the following commands:

              setsebool -P krb5kdc_disable_trans 1
              service krb5kdc restart
              setsebool -P kadmind_disable_trans 1
              service kadmind restart

I did this using the system-config-securitylevel GUI tool.

Now kerberos as well as kadmin are working fine.

I am a little curious that nobody posted similar problems on the
internet. The default installation of Fedora 5 enables selinux, whose
default setting conflicts with kerberos. So I guess everyone else KNOWS
the issue so well that they naturally configure selinux after installing
kerberos.
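The diagnosis in the thread rests on two observations: which SELinux domain kadmind actually runs in, and what the confined domain is refused. The script below is an added example for this archive page, not code from the original poster or from the kerberos_selinux man page. It shows how to read both from `ps -eZ` output and from audit.log AVC records, and prints the thread's workaround rather than running it. The ps and audit lines are constructed to match the real formats; the object type `krb5kdc_t` in the sample denials is a placeholder and makes no claim about the poster's system.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post): helpers
# for the symptom discussed above, kadmind being denied writes because it
# runs confined as kadmind_t. The ps and audit.log lines are constructed to
# match the real formats; the object type krb5kdc_t in the sample denials is
# a placeholder, not a claim about the poster's system.

# Constructed `ps -eZ` output (LABEL PID TTY TIME CMD).
SAMPLE_PS='root:system_r:kadmind_t      2201 ?     00:00:00 kadmind
root:system_r:krb5kdc_t      2198 ?     00:00:00 krb5kdc
root:system_r:unconfined_t   2300 pts/0 00:00:00 bash'

# Constructed AVC records in /var/log/audit/audit.log format.
SAMPLE_AUDIT='type=AVC msg=audit(1150140224.101:77): avc:  denied  { write } for  pid=2201 comm="kadmind" name="principal.kadm5.lock" dev=sda2 ino=40113 scontext=root:system_r:kadmind_t tcontext=root:object_r:krb5kdc_t tclass=file
type=AVC msg=audit(1150140224.102:78): avc:  denied  { lock } for  pid=2201 comm="kadmind" name="principal" dev=sda2 ino=40110 scontext=root:system_r:kadmind_t tcontext=root:object_r:krb5kdc_t tclass=file
type=SYSCALL msg=audit(1150140224.102:78): arch=40000003 syscall=5 success=no exit=-13'

# Print the SELinux type (third field of the context) of the process whose
# command name is $1, reading `ps -eZ` output on stdin. Prints nothing if
# the process is not running.
process_domain() {
    awk -v cmd="$1" '$NF == cmd { split($1, c, ":"); print c[3]; exit }'
}

# Summarise AVC denials for command $1 from audit.log lines on stdin: one
# line per denial giving permission, object class, object name and the
# object's type. A denial whose target type is not what the policy expects
# for that path points at a labelling problem (restorecon -Rv <dir>); a
# denial on a correctly labelled file is a policy gap.
avc_denials() {
    awk -v cmd="$1" '
        /^type=AVC/ && index($0, "comm=\"" cmd "\"") {
            match($0, /denied +[{][^}]*[}]/)
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
            name = ""; tclass = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            }
            print perm, tclass, name, ttype
        }'
}

# The workaround the thread settled on, from kerberos_selinux(8): turn off
# the domain transition so krb5kdc and kadmind run unconfined. Printed
# rather than executed so the script stays safe to run anywhere.
unconfine_commands() {
    printf '%s\n' \
        'setsebool -P krb5kdc_disable_trans 1' \
        'service krb5kdc restart' \
        'setsebool -P kadmind_disable_trans 1' \
        'service kadmind restart'
}

# Demonstration on the constructed samples (touches no SELinux state).
printf '%s\n' "$SAMPLE_PS" | process_domain kadmind    # kadmind_t
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials kadmind     # write file principal.kadm5.lock krb5kdc_t, then the lock denial
unconfine_commands
```

On a live system replace the samples with `ps -eZ | process_domain kadmind` and `avc_denials kadmind < /var/log/audit/audit.log`. Disabling the transition is the blunt fix the thread uses; it leaves kadmind with the same privileges as an unconfined root process, so reading the denials first tells you whether a relabel would have been enough.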



