Cannot lock database

Nate Johnson natejohn at iu.edu
Mon Sep 17 11:46:36 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are having recurrent problems with kadmind not being able to lock the
Kerberos database. Here is an example:

This is from my kadmin client:
$ /usr/sbin/kadmin
Authenticating as principal natejohn/admin@IU.EDU with password.
Password for natejohn/admin@IU.EDU:
kadmin:  delprinc smtp/<fqdn>@IU.EDU
Are you sure you want to delete the principal "smtp/<fqdn>@IU.EDU"?
(yes/no): yes
delete_principal: Unknown code adb 10 while deleting principal
"smtp/<fqdn>@IU.EDU"

This is from the master kdc's logs:
  Sep 17 15:11:20 <kdc> kadmind[5951]: Request: kadm5_randkey_principal,
smtp/<fqdn>@IU.EDU, Cannot lock database, client=natejohn/admin@IU.EDU,
service=kadmin/admin@IU.EDU, addr=<ip address>

In the past we have seen the entropy pool dry up on the master kdc, and
have thought that it was the problem, but this morning
/proc/sys/kernel/random/entropy_avail hovered steadily around 8192 during
the period we were having problems.

The only solution we've found so far is to reboot the master kdc. We have
a system of redundant kdcs, so this doesn't interrupt normal transactions,
but it is clearly not an ideal solution.

I'd be happy to file a bug report if that's needed.

Please advise, Thanks,
Nate Johnson

- --
* Nate Johnson, Lead Security Engineer, GCIH
* University Information Security Office, Indiana University
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFG7qFcGQUVGJudcw4RAuIuAJ0QfAnexEP6+Rshb5JKkoviAHAEnACfSdzU
h3+cXno/gpl9FC9k5YGuWcQ=
=N2Xa
-----END PGP SIGNATURE-----


