Problem with Kerberos

Krishna Venigalla krishna.venigalla at gmail.com
Wed May 24 00:27:29 EDT 2006


Thank you Marcus for the reply.

Please find additional details about this problem:
We are using MIT Kerberos V4 release 9 in our production system. The OS we
are using is UNIX-MPRAS which runs on NCR-5100 machines. This configuration
is the same on the client side and the server side.

The exact description of the problem is:
Whenever we add a user with ID: 460280 (in HEX format) the Kerberos is
giving me a Database Read Error (KADM_UK_RERROR). This is due to the
corruption of the database.

The logs that are available from the Admin Server are:

16-May-2006 15:10:47 request to add an entry for '460280.rdba' from 'rdba.admin at RDBA'
16-May-2006 15:10:47 FAILED addding '460280.rdba' (Database read error)

We tried simulating this problem in our Development Box using a utility
called tpsecure (which adds users to Kerberos) and we were facing the same
problem for this specific user ID only and the addition of the user to
Kerberos is failing. The Kerberos database size is increasing drastically
from 900MB to 1.4GB.

We also tried taking a dump of the Kerberos database but even that was
dumping continuously. The size of the dump increased to 800MB which is 14MB
in the normal scenario.

Any help with regard to this is appreciated.

Can anyone tell me how to set the debug level for the Admin Server because
the debug level I set is not getting reflected in the Admin Server.

Thanks in advance,
 Krishna

On 5/22/06, Marcus Watts <mdw at umich.edu> wrote:
>
> > Message-ID: <d12280ca0605200012m5d3d7cf2ib1ec9b10b9b28a3b at mail.gmail.com>
> > Date: Sat, 20 May 2006 07:12:22 +0000
> > From: "Krishna Venigalla" <krishna.venigalla at gmail.com>
> > To: kerberos at mit.edu
> > Subject: Problem with Kerberos
> >
> > Hi,
> >  This is Krishna. I am using Kerberos for authentication purpose in my
> > application. I am facing a problem when I add a new user id.
> >
> > The problem is that the Kerberos Admin Server is returning me "FAILED
> > addding '460280.rdba' (Database read error)." This strangely occurs when I
> > try to add a user with the ID:460280 (in HEX Format) i.e. 4588160 (in
> > Decimal Format). This is causing a serious issue in my production system.
> >
> > Can anyone help me out with this as this is a service impacting issue in my
> > System. Any help is appreciated.
> >
> > Thanks in advance,
> >  Krishna
>
> You'll get more useful help here if you can supply more detailed
> information regarding what software you are using and what
> you were doing when things went wrong.
>
> Ie,
> what vendor, product, and release of kerberos you are using:
>        MIT?  Heimdal?  (Sun?  Apple?  MicroSoft?  ...)
>        "kerberos v5"?  "kerberos for windows"?  "kerberos 4"? ...
>        1.2.8?  1.3.4?  1.4.3?  0.6.4?  0.7.2?  ...
> you should supply this for both the kdc (server) side,
> and the client side.  Additionally, you should also supply:
> hardware platform (sun ultra-5?  Dell 450/N?  Apple G4?)
> operating system & version (Solaris 8?  FreeBSD 4.7?  aix 5.3?)
> etc.
>
> You'll also want to describe more exactly what you were doing
> and what failed.  Is this an application you wrote?  Can you
> reproduce the error using just kadmin and simple command-line
> commands?  Can you include the exact output of a run of kadmin
> that reproduces the error?  Can you include log output or
> other additional diagnostic information that might further
> identify your problem?  Kerberos uses a character string
> comprised of printable "usascii" (7-bit) characters (with
> special processing of \ / @) to represent principal names, so your
> description of decimal vs. hexadecimal is very confusing to say
> the least.
>
> Off-hand, it appears you might have encountered what KTH
> calls "UK_RERROR" and what MIT calls KRB5_KDB_UK_RERROR,
> which in both cases might produce the message "Database read error".
> It appears to me this might be caused by an attempt to iterate a
> non-btree database, or maybe caused by a corrupt database.  Depending
> on the exact causes, you might need any or none of these:
>        examine the logs on the kdc to determine a previous
>                sequence of events and errors that lead to
>                the current situation.
>        run kadmind with strace to determine what's
>                really going on.
>        discover and fix an "out of space" problem on the hard drive.
>        install a different version of the OS or of kerberos
>        dump & restore the database
>        re-initialize the database with different initial parameters
>        diagnose & replace a defective hard disk
>        rebuild kerberos with a different compiler or compile options.
> You've not supplied enough information to eliminate any of
> these possible "fixes" -- or even enough information for
> anybody to give you good directions on how to do any of these.
>
>                                -Marcus Watts
>


