On Thu, Aug 23, 2012 at 3:14 PM, Tom Yu <[email protected]> wrote:
> Abhilash S <[email protected]> writes:
>
>> yes correct, Kadmin.local will get database lock only after restarting KDC.
>>
>> But I can see KDC issues tickets, but "kadmin.local" fails.
>>
>> kadmin.local fails with message "Cannot lock database while changing
>> password for" (I saw this for create/delete principal operations as well)
>
> That seems to match the symptoms of the Red Hat bug report
> https://bugzilla.redhat.com/show_bug.cgi?id=586032
>
> but I would like to understand the failure mode better before applying
> that fix.

Today Tom, Greg, and I worked on this and found a bug that results in
this symptom, but under unlikely circumstances: near as we can tell
the bug we found happens only when krb5kdc races against a kdb5_util
load, and it mostly only affects kadmind and kadmin.local. But
normally kdb5_util load is never used on a master KDC and
kadmind/kadmin.local are never used on slave KDCs.

You mention kadmin.local, but the RedHat bug report mentions kadmind --
kadmin.local is much more likely to be run on a slave KDC than kadmind,
so we almost certainly have root caused the bug affecting you, but I'm
not sure that we have root caused the RH bug.

Anyways, you can see the fix here:

https://github.com/nicowilliams/krb5/commit/1fdf1596ad9ef3032f5b7afb6c64cdceac21f8c0

A regression test is included that breaks without this fix but passes
with this fix.

Nico
--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
