kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

Jan Iven jan.iven at cern.ch
Tue Jun 13 12:40:56 EDT 2006


On Tue, 2006-06-13 at 11:17 -0400, Jeffrey Hutzelman wrote:
..
> I'd suggest looking at the kadmind log and/or attaching strace to the 
> running strace to see what file it's trying to access that is prohibited by 
> policy.  Then adjust the policy to correct the problem.

(btw, adjusting the policy is best done via bugzilla.redhat.com)

In addition to the above, you may want to check /var/log/messages for
entries like "avc:  denied: ...."  - all SELinux policy violations
should get logged either there or in /var/log/audit/audit.log.

A small helper tool "audit2why" tries to explain these somewhat terse
messages.

You might also want to check the security context associated with all
files involved, via "ls -Z ...." (SELinux stores this context usually in
extended attributes, they get inherited from the parent directory for
new files and will move with the file. Creating a config file in /tmp or
in a home directory, then "mv"ing it into place could explain why a
daemon later cannot read it...).

You can use /usr/sbin/restorecon to give files the "correct" context as
per the SELinux policy.

Hope this helps
Jan
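
The log check described in this message, as an added example that is not part of the original post: a small shell function that pulls the "avc: denied" entries for one daemon out of syslog-style input and prints the distinct file name, permission and context types. The sample log lines, host name, file names and SELinux type names are constructed for illustration.

```shell
# Added example: summarise SELinux AVC denials for one daemon.
# The log lines below are constructed, not taken from the thread.
sample_log() {
cat <<'EOF'
Jun 13 12:01:07 kdc1 kernel: audit(1150214467.101:12): avc:  denied  { read write } for  pid=2311 comm="kadmind" name="principal.kadm5.lock" dev=dm-0 ino=98211 scontext=root:system_r:kadmind_t tcontext=root:object_r:tmp_t tclass=file
Jun 13 12:01:09 kdc1 sshd[2400]: Accepted publickey for admin from 192.0.2.10 port 40022 ssh2
Jun 13 12:03:44 kdc1 kernel: audit(1150214624.550:13): avc:  denied  { read } for  pid=2311 comm="kadmind" name="kadm5.acl" dev=dm-0 ino=98215 scontext=root:system_r:kadmind_t tcontext=user_u:object_r:user_home_t tclass=file
Jun 13 12:03:44 kdc1 kernel: audit(1150214624.551:14): avc:  denied  { read } for  pid=2311 comm="kadmind" name="kadm5.acl" dev=dm-0 ino=98215 scontext=root:system_r:kadmind_t tcontext=user_u:object_r:user_home_t tclass=file
Jun 13 12:05:00 kdc1 kernel: audit(1150214700.002:15): avc:  denied  { getattr } for  pid=2500 comm="httpd" name="index.html" dev=dm-0 ino=4411 scontext=root:system_r:httpd_t tcontext=root:object_r:tmp_t tclass=file
EOF
}

# avc_summary COMM: read log lines on stdin and print one line per distinct
# denial logged for that command, in the form
#   perms|name|tclass|source_type|target_type
avc_summary() {
    awk -v want="$1" '
    /avc: +denied/ {
        comm = name = scon = tcon = tclass = ""
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 1, b - a - 1)      # text between the braces
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {               # walk the key=value fields
            p = index($i, "=")
            if (!p) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "scontext") scon = v
            else if (k == "tcontext") tcon = v
            else if (k == "tclass") tclass = v
        }
        if (comm != want) next
        split(scon, s, ":"); split(tcon, t, ":")  # type is the third field
        key = perms "|" name "|" tclass "|" s[3] "|" t[3]
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

sample_log | avc_summary kadmind
```

A target type such as tmp_t or user_home_t on a daemon's own data or config file is the moved-file symptom described above; those are the files to inspect with "ls -Z" and relabel with restorecon. On a real system, feed the function /var/log/messages or /var/log/audit/audit.log instead of the sample.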




