Fw: Kerberos failed to create a principal
Ido Levy
IDOL at il.ibm.com
Thu Nov 22 07:59:08 EST 2007
Hello,
Further to my e-mail below, we detected the attribute DISALLOW_TGT_BASED
on the kadmin/admin principal.
kadmin.local: getprinc kadmin/admin at REALM
Principal: kadmin/admin at REALM
Expiration date: [never]
Last password change: Tue Oct 16 18:01:25 IST 2007
Password expiration date: [none]
Maximum ticket life: 0 day 03:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Nov 21 15:02:00 IST 2007 (admin/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, DES cbc mode with RSA-MD5, no salt
Attributes: DISALLOW_TGT_BASED REQUIRES_PRE_AUTH
Policy: [none]
Although from googling we understand that it shouldn't be a problem, we
unset this attribute for the kadmin/admin principal and it seems to
stabilize the system.
Does it make sense?
Thanks,
Ido Levy
----- Forwarded message -----
From: Ido Levy/Haifa/IBM at IBMIL
Sent by: kerberos-bounces@mit.edu
Date: 21/11/2007 22:47
To: kerberos at mit.edu
cc:
Subject: Kerberos failed to create a principal
Hello,
We are running a Kerberos server that uses LDAP as its DB.
Until today everything worked fine, but suddenly user creation failed, as you
can see in the following example:
kadmin.local: addprinc -randkey user40
NOTICE: no policy specified for user40 at REALM
assigning "default". Note that policy may be overridden by
ACL restrictions.
Unable to randomize key for "user40 at REALM"
Status 0x29c250c - Principal does not exist.
kadmin.local: getprinc user40
Unable to retrieve principal "user40 at REALM"
Status 0x29c250c - Principal does not exist.
The error message we get in kadmin.log file is:
local6:err|error kadmin.local[782428]: LDAP: /blddir/krb514/src/plugins/ldap/ira_entry.c(193), 32: LDAP_NO_SUCH_OBJECT
If you have encountered a similar problem, any advice/direction on how to
isolate/find/understand where the problem is would be appreciated.
Thank you!!
Ido Levy
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos