Just so you know, we are seeing the same thing here with kerberos 1.3.4. kadmin on any client gives that error message.

On 2004.09.03 14:14 Mike Friedman wrote:
A followup to my earlier note.

Just to make sure that my symptoms (described below) were not related to
the fact that I was issuing 'kadmin' on the KDC itself, I built a 1.3.4
(with patches) on another system and tried kadmin there.  I get the same
result:  a message that says

  Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied

I don't understand why client kadmin is trying to open a log file,
especially with R/W access.  It never did this on earlier releases.

Unfortunately, unless this can be changed, I may have to change a bunch
of my scripts that parse the output of kadmin.

Is this supposed to be happening?

Mike

------------------------------------------------------------------------------
Mike Friedman                             System and Network Security
[EMAIL PROTECTED]                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
------------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Thu, 2 Sep 2004 19:10:59 -0700 (PDT)
From: Mike Friedman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: 1.3.4:  kadmin tries to open log file R/W

I just installed (on my test KDC) krb5-1.3.4 along with the two recent
patches (MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003). One thing I notice
is that when I use kadmin from a non-privileged user, I get this message:

  Couldn't open log file /var/log/kerberos/kerberos.log: Permission denied

However, I am able to log in as administrator and my transactions do get
logged on the KDC.  It is the *client* kadmin that's trying to open the
log file R/W, for some reason.  The KDC, of course, which is the machine
I'm doing this on, has the KDC log file configured in its krb5.conf(*).

This is a definite change from 1.2.7, which I was running before.  In
fact, if I use the kadmin from 1.2.7 against this same 1.3.4 KDC, I have
no problem and don't get the above message.

Running 'truss' (this is Solaris 8), I see that kadmin is trying to open
the log file R/W.  Anyone know why this is, or should be?

(*) My krb5.conf on the KDC host has these entries, which are the same
ones I used with 1.2.7:

   [logging]
        kdc = FILE:/var/log/kerberos/kerberos.log
        admin_server = FILE:/var/log/kerberos/kerberos.log
        default = FILE:/var/log/kerberos/kerberos.log

I even tried changing the 'default' entry to a file in /tmp, in case
kadmin was using that entry for some kind of local logging.  But truss
shows that kadmin is still trying to open /var/log/kerberos/kerberos.log
R/W.

Any ideas?

Thanks.

Mike

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos


--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
[EMAIL PROTECTED]
********************************
