I am forwarding this thread to the kerberos-discuss list, as per your recommendation...
> I'm glad we could help, Kevin. I'll let everyone know.
> One of the engineers suggested you share your problem on
> kerberos-discuss at opensolaris.org. That will give you access
> to most of the people whom I got to review your problem.
>
> Jim

Kevin Kammer wrote:
> Mr. Siwila:
>
> Thanks, your advice certainly seems to have hit the nail on the head.
> Having installed SUNWgssc in the zone, the kadmin service runs without
> complaining. I don't know if I ever would have figured that out on my
> own; or, to quote the bug report, "This problem is very difficult for
> admins to diagnose." I second that! Might I assume that at some point in
> the future, SUNWgssc might be registered as a dependency of SUNWkdc?
>
> There may be other bugs at work here, if as you say, the acl warning is
> not supposed to kill kadmind. In my case, it certainly did. However, at
> first glance, installing SUNWgssc seems to have fixed that. But in case
> you are trying to diagnose deeper issues with the kadmind failure in
> general, let me know if there is anything else I can do at my end to help.
>
> Thanks again,
> Kevin
>
> Jim Siwila wrote:
>
>> Kevin,
>>
>> One of the Kerberos engineers suggests you check to see if SUNWgssc is
>> installed in the ipkg zone. He said you may be running into
>>
>> http://defect.opensolaris.org/bz/show_bug.cgi?id=11823
>>
>> The warning about the acl is non-fatal - the fact that kadmind is
>> failing to start is a bigger problem.
>>
>> Please let me know what you see. Sounds like we may need to investigate
>> further, but let's see what you come up with.
>>
>> Jim
>>
>>
>> On 10/07/09 14:33, Kevin Kammer wrote:
>>
>>> Thank you again for your assistance in this matter.
>>>
>>> I should update you that I have just tested the same procedure in the
>>> global zone, and the problem did not occur; kadmind runs fine in global
>>> for me, but fails in an ipkg zone, with the same kdc configuration.
>>>
>>> Jim Siwila wrote:
>>>
>>>
>>>> Thanks, Kevin. I'll see if we can figure this out. I'll try to get an
>>>> answer by the end of the week, but if not, I'll give you status on where
>>>> we are with it.
>>>>
>>>> Jim
>>>>
>>>> On 10/07/09 11:13, Kevin Kammer wrote:
>>>>
>>>>
>>>>> Mr. Siwila:
>>>>>
>>>>> You may recall that we spoke briefly at the NEOSUG meeting last night,
>>>>> regarding an error I have been experiencing while trying to set up a
>>>>> kerberos kdc in an OpenSolaris zone.
>>>>>
>>>>> To be more specific, I ran "kdcmgr create master", providing the
>>>>> necessary domain name and creating an admin principal. The kdc
>>>>> generation script indicates success, but immediately after exiting, the
>>>>> kadmind goes down. Here is the SMF info:
>>>>>
>>>>> root at kerberos:~# svcs -xv
>>>>> svc:/network/security/kadmin:default (Kerberos administration daemon)
>>>>> State: maintenance since Wed Oct 07 10:44:41 2009
>>>>> Reason: Restarting too quickly.
>>>>> See: http://sun.com/msg/SMF-8000-L5
>>>>> See: man -M /usr/share/man -s 1M kadmind
>>>>> See: /var/svc/log/network-security-kadmin:default.log
>>>>> Impact: This service is not running.
>>>>>
>>>>> Checking the log indicates that kadmind is having a problem with the acls:
>>>>>
>>>>> (this segment is repeated many times in the log, until the start method
>>>>> exits for "Restarting too quickly")
>>>>>
>>>>> [ Oct 7 10:44:41 Executing start method ("/usr/lib/krb5/kadmind"). ]
>>>>> kadmind: Warning: acls may not be properly configured: failed to find an
>>>>> acl matching the default realm "KAMMER.WESTELL.COM" in /etc/krb5/kadm5.acl
>>>>> kadmind: logging to FILE=/var/krb5/kdc.log
>>>>> [ Oct 7 10:44:41 Method "start" exited with status 0. ]
>>>>> [ Oct 7 10:44:41 Stopping because all processes in service exited. ]
>>>>> [ Oct 7 10:44:41 Executing stop method (:kill). ]
>>>>> [ Oct 7 10:44:41 Restarting too quickly, changing state to maintenance. ]
>>>>>
>>>>> However, when I check the acl file, everything seems to be in order:
>>>>>
>>>>> kevin/admin at KAMMER.WESTELL.COM acmil
>>>>>
>>>>> kiprop/*...@kammer.westell.com p
>>>>>
>>>>> This was the default acl configuration created by the kdcmgr script, and
>>>>> it seems to match the correct format for manual configuration as well (I
>>>>> have been through the manual configuration steps provided at
>>>>> http://docs.sun.com/app/docs/doc/819-3321/setup-1?a=view and the
>>>>> auto-configuration would appear to be correct). Yet, for some reason,
>>>>> kadmind complains that the realm is not covered by the acl, yet it sure
>>>>> looks to me like it is.
>>>>>
>>>>> I greatly appreciate any help/advice you can come up with. I'm sure I
>>>>> will be embarrassed by whatever silly mistake it is that I am making,
>>>>> but so far it seems like I have done everything I am supposed to.
>>>>>
>>>>> Thanks,
>>>>> Kevin Kammer
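
The log pattern in the thread above (start method exits with status 0, all processes exit, service goes to maintenance), as an added triage example that is not part of the original messages: it separates SMF restarter events from kadmind's own output so the non-fatal ACL warning is not mistaken for the failure itself. The sample log is constructed from the excerpt quoted in the thread; `triage` and its report keys are names chosen for this example.

```python
import re

# Constructed sample: the excerpt quoted in the thread, repeated twice to mimic
# the restart loop, followed by the transition to maintenance.
CYCLE = """\
[ Oct 7 10:44:41 Executing start method ("/usr/lib/krb5/kadmind"). ]
kadmind: Warning: acls may not be properly configured: failed to find an acl matching the default realm "KAMMER.WESTELL.COM" in /etc/krb5/kadm5.acl
kadmind: logging to FILE=/var/krb5/kdc.log
[ Oct 7 10:44:41 Method "start" exited with status 0. ]
[ Oct 7 10:44:41 Stopping because all processes in service exited. ]
[ Oct 7 10:44:41 Executing stop method (:kill). ]
"""
SAMPLE_LOG = CYCLE * 2 + "[ Oct 7 10:44:41 Restarting too quickly, changing state to maintenance. ]\n"

# Restarter events are bracketed and timestamped; any other line is daemon output.
SMF_EVENT = re.compile(r"^\[ (\w{3} +\d+ [\d:]{8}) (.*?) \]$")

def triage(log_text):
    """Summarise an SMF service log: restart cycles, start status, daemon output."""
    report = {"starts": 0, "clean_start_then_exit": 0, "start_failures": 0,
              "maintenance": False, "daemon_warnings": set(), "daemon_other": set()}
    last_status = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SMF_EVENT.match(line)
        if not m:
            if line:
                key = "daemon_warnings" if "Warning:" in line else "daemon_other"
                report[key].add(line)  # a set collapses the repeated segments
            continue
        event = m.group(2)
        if event.startswith("Executing start method"):
            report["starts"] += 1
            last_status = None
        elif (s := re.match(r'Method "start" exited with status (\d+)', event)):
            last_status = int(s.group(1))
            if last_status != 0:
                report["start_failures"] += 1
        elif event.startswith("Stopping because all processes in service exited"):
            # The start method reported success, yet no process of the service
            # survived: look past the start-time warning for why the daemon exited.
            if last_status == 0:
                report["clean_start_then_exit"] += 1
        elif event.startswith("Restarting too quickly"):
            report["maintenance"] = True
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A report where `clean_start_then_exit` equals `starts` and `start_failures` is 0 matches the situation in the thread: the warning is printed on every cycle, but the start method itself never fails.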