Information on "Kadmin.local" database lock error

Nico Williams nico at cryptonector.com
Tue Sep 11 23:46:11 EDT 2012


On Thu, Aug 23, 2012 at 3:14 PM, Tom Yu <tlyu at mit.edu> wrote:
> Abhilash S <abhilashvkm at gmail.com> writes:
>
>> yes correct, Kadmin.local will get database lock only after restarting KDC.
>>
>> But I can see KDC issues tickets, but "kadmin.local" fails.
>>
>> kadmin.local fails with message "Cannot lock database while changing
>> password for" (I saw this for create/delete principal operations as well)
>
> That seems to match the symptoms of the Red Hat bug report
> https://bugzilla.redhat.com/show_bug.cgi?id=586032
>
> but I would like to understand the failure mode better before applying
> that fix.

Today Tom, Greg, and I worked on this and found a bug that results in
this symptom, but under unlikely circumstances: near as we can tell
the bug we found happens only when krb5kdc races against a kdb5_util
load, and it mostly only affects kadmind and kadmin.local.  But
normally kdb5_util load is never used on a master KDC and
kadmind/kadmin.local are never used on slave KDCs.  You mention
kadmin.local, but the RedHat bug report mentions kadmind --
kadmin.local is much more likely to be run on a slave KDC than
kadmind, so we almost certainly have root caused the bug affecting
you, but I'm not sure that we have root caused the RH bug.

Anyways, you can see the fix here:

https://github.com/nicowilliams/krb5/commit/1fdf1596ad9ef3032f5b7afb6c64cdceac21f8c0

A regression test is included that breaks without this fix but passes
with this fix.

Nico
--