kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

Jeffrey Hutzelman jhutz at cmu.edu
Tue Jun 13 14:03:07 EDT 2006

On Tuesday, June 13, 2006 06:40:56 PM +0200 Jan Iven <jan.iven at cern.ch> 

> On Tue, 2006-06-13 at 11:17 -0400, Jeffrey Hutzelman wrote:
> ..
>> I'd suggest looking at the kadmind log and/or attaching strace to the
>> running strace to see what file it's trying to access that is prohibited
>> by  policy.  Then adjust the policy to correct the problem.
> (btw, adjusting the policy is best done via bugzilla.redhat.com)
> In addition to the above, you may want to check /var/log/messages for
> entries like "avc:  denied: ...."  - all SELinux policy violations
> should get logged either there or in /var/log/audit/audit.log.

Not in every case.  I no longer have the policy data in front of me, but if 
I recall correctly, the policy explicitly suppresses auditing of failed 
attempts by kadmind to write to files in /var/kerberos/krb5kdc.  Similarly, 
failed attempts to write to the krb5.conf file are generally not audited, 
because the config library tests the file for writability, and whoever was 
writing the policy apparently decided that made it too chatty.

More information about the Kerberos mailing list