kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

Jan Iven jan.iven at cern.ch
Tue Jun 13 12:40:56 EDT 2006

On Tue, 2006-06-13 at 11:17 -0400, Jeffrey Hutzelman wrote:
> I'd suggest looking at the kadmind log and/or attaching strace to the 
> running strace to see what file it's trying to access that is prohibited by 
> policy.  Then adjust the policy to correct the problem.

(btw, adjusting the policy is best done via bugzilla.redhat.com)

In addition to the above, you may want to check /var/log/messages for
entries like "avc:  denied: ...."  - all SELinux policy violations
should get logged either there or in /var/log/audit/audit.log.

A small helper tool "audit2why" tries to explain these somewhat terse

You might also want to check the security context associated with all
files involved, via "ls -Z ...." (SElinux stores this context usually in
extended attributes, they get inherited from the parent directory for
new files and will move with the file. Creating a config file in /tmp or
in a home directory, then "mv"ing it into place could explain why a
daemon later cannot read it...).

You can use /usr/sbin/restorecon to give files the "correct" context as
per the SELinux policy.

Hope this helps

More information about the Kerberos mailing list