kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

Jeffrey Hutzelman jhutz at cmu.edu
Tue Jun 13 11:17:35 EDT 2006

On Tuesday, June 13, 2006 03:00:20 AM -0400 Ken Raeburn <raeburn at mit.edu> 

> On Jun 12, 2006, at 16:03, bohongdxl at gmail.com wrote:
>> The whole problem is solved. Man page for 'kerberos_selinux'
>> essentailly says that selinux protection for krb5kdc and kadmind needs
>> to be turned off using the following commands:
> How odd.  I don't know anything about selinux, but I find it pretty
> strange that it wouldn't let you run two services that need to share
> a database in read-write mode...

It's not operating at that level.  SELinux applies additional constraints 
on what a process can do based on the context of that process, policy 
configuration, and the labels on files the process is trying to access.  As 
far as I can tell, process context is determined by a combination of 
inheritance and the security labels on executed files.

Fedora Core systems ship with two possible policy databases, which they 
call "strict" and "targeted".  The "strict" policy is a "default-closed" 
policy; only actions explicitly permitted by policy are permitted.  The 
"targeted" policy, which is the default, only applies restrictions to 
particular programs and daemons which are considered particularly risky. 
Mostly, this means things that provide network services (like kadmind) or 
run with more privileges than the user who invoked them (like su).

The OP's description indicates that when he runs kadmind by hand, it runs 
in the context 'unconfined_t', which should only happen in the 'targeted' 
policy (I'm not sure that type even exists in 'strict').  So, I'm going to 
assume that's the policy he's using.  In FC5, the 'targeted' policy allows 
kadmind write access to /var/kerberos/krb5kdc/principal.*, but not to any 
other files in that directory.

Setting the boolean 'kadmind_disable_trans' disables the transition into 
'kadmind_t' when kadmind is run by the init script.  So, it stays in 
whatever less-restrictive context the init script was running in, and can 
write to whatever file it's having problems with.

I'd suggest looking at the kadmind log and/or attaching strace to the 
running strace to see what file it's trying to access that is prohibited by 
policy.  Then adjust the policy to correct the problem.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the Kerberos mailing list