On 2004.09.03 14:14 Mike Friedman wrote:
A followup to my earlier note.
Just to make sure that my symptoms (described below) were not related to the fact that I was issuing 'kadmin' on the KDC itself, I built a 1.3.4 (with patches) on another system and tried kadmin there. I get the same result: a message that says
Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied
I don't understand why client kadmin is trying to open a log file, especially with R/W access. It never did this on earlier releases.
Unfortunately, unless this can be changed, I may have to change a bunch of my scripts that parse the output of kadmin.
Is this supposed to be happening?
Mike
------------------------------------------------------------------------------
Mike Friedman                        System and Network Security
[EMAIL PROTECTED]                    2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://ack.Berkeley.EDU/~mikef       http://security.berkeley.edu
------------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Thu, 2 Sep 2004 19:10:59 -0700 (PDT)
From: Mike Friedman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: 1.3.4: kadmin tries to open log file R/W
I just installed (on my test KDC) krb5-1.3.4 along with the two recent patches (MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003). One thing I notice is that when I use kadmin from a non-privileged user, I get this message:
Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied
However, I am able to log in as administrator and my transactions do get logged on the KDC. It is the *client* kadmin that's trying to open the log file R/W, for some reason. The KDC, of course, which is the machine I'm doing this on, has the KDC log file configured in its krb5.conf(*).
This is a definite change from 1.2.7, which I was running before. In fact, if I use the kadmin from 1.2.7 against this same 1.3.4 KDC, I have no problem and don't get the above message.
Running 'truss' (this is Solaris 8), I see that kadmin is trying to open the log file R/W. Anyone know why this is, or should be?
(*) My krb5.conf on the KDC host has these entries, which are the same ones I used with 1.2.7:
    [logging]
        kdc = FILE:/var/log/kerberos/kerberos.log
        admin_server = FILE:/var/log/kerberos/kerberos.log
        default = FILE:/var/log/kerberos/kerberos.log
I even tried changing the 'default' entry to a file in /tmp, in case kadmin was using that entry for some kind of local logging. But truss shows that kadmin is still trying to open /var/log/kerberos/kerberos.log R/W.
Any ideas?
Thanks.
Mike
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
[EMAIL PROTECTED]
********************************
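A diagnostic for the situation described in the thread, added here as an example and not part of the original messages or of MIT krb5: it parses the [logging] section of a krb5.conf and reports which FILE targets the invoking user cannot write, which are the entries that would yield "Permission denied" if a program run by that user tried to open them. The function names and the EXAMPLE.COM realm are assumptions for illustration, and the check says nothing about why kadmin opens the file.

```python
import os

def parse_logging(conf_text):
    """Return [(entity, spec)] from the [logging] section of krb5.conf text."""
    entries, in_logging = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):             # section header
            in_logging = line.lower() == "[logging]"
            continue
        if in_logging and "=" in line:
            entity, spec = line.split("=", 1)
            entries.append((entity.strip(), spec.strip()))
    return entries

def file_target(spec):
    """Return the path for FILE:path or FILE=path specs, else None."""
    if spec[:4].upper() == "FILE" and spec[4:5] in (":", "="):
        return spec[5:]
    return None                               # SYSLOG, STDERR, CONSOLE, DEVICE

def can_append(path):
    """True if the current user could write to path, or create it."""
    if os.path.exists(path):
        return os.access(path, os.W_OK)
    parent = os.path.dirname(path) or "."
    return os.path.isdir(parent) and os.access(parent, os.W_OK | os.X_OK)

def unwritable_logs(conf_text):
    """List (entity, path) pairs the current user cannot write."""
    return [(e, p) for e, s in parse_logging(conf_text)
            for p in [file_target(s)] if p and not can_append(p)]

# Constructed sample: the [logging] entries quoted in the thread, plus a
# made-up [libdefaults] section to show that other sections are skipped.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[logging]
    kdc = FILE:/var/log/kerberos/kerberos.log
    admin_server = FILE:/var/log/kerberos/kerberos.log
    default = FILE:/var/log/kerberos/kerberos.log
"""

if __name__ == "__main__":
    for entity, path in unwritable_logs(SAMPLE):
        print(f"{entity}: cannot write {path}")
```

Run as the non-privileged user who invokes kadmin, with the contents of the krb5.conf that user's environment actually reads.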
