Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-17 Thread Sam Hartman
control: tags -1 moreinfo


I took the following steps:

1) create a new sid chroot.

2) apt-get update

3) apt-get install krb5-user

As part of 3 krb5-config got installed and because of my DNS I was
prompted to configure my krb5.conf.  I entered the realm I was going to
create (EXAMPLE.COM) but specified no kerberos or admin servers when
prompted.

4) apt-get install krb5-admin-server

5) krb5_newrealm

I then looked and confirmed that the database was in /var/lib/krb5kdc

so, at least for me, the software works as intended.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-12 Thread Erik Haller
None.

On Wed, Feb 11, 2015 at 11:19 AM, Sam Hartman hartm...@debian.org wrote:

 Do you see any differences in /etc/krb5.conf or /etc/krb5kdc/kdc.conf in
 the successful vs unsuccessful situations?



Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-11 Thread Sam Hartman
Do you see any differences in /etc/krb5.conf or /etc/krb5kdc/kdc.conf in
the successful vs unsuccessful situations?





Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-11 Thread Erik Haller
Ben is correct. Installing krb5-{admin-server,kdc} in jessie will install
the database in /var/lib by default when no krb5-user package exists.
However, I was able to reproduce the problem of a database being installed
under /etc/krb5kdc three times in a row when the krb5-user package was
installed and configured before krb5-{admin-server,kdc}.

Procedure:

I cloned our production lxc linux container running kerberos/jessie/systemd
into a test container; entitled red. Here are the steps to install a
database under /etc/krb5kdc:

   1. apt-get purge krb5-{config,user,kdc,admin-server} ; apt-get autoremove ; apt-get clean
   2. rm -fr /var/lib/k* /etc/krb5kdc
   3. apt-get install krb5-user
   4. cp krb5.conf krb5.keytab /etc   # good working production files
   5. klist   # verify no key exists
   6. kinit erik   # obtain a ticket
   7. klist   # verify a ticket exists
   8. apt-get install krb5-{admin-server,kdc}   # Hit return at Ok prompt to read README.kdc
   9. krb5_newrealm   # Immediately run this command. Enter password foo. There might be a race condition.

Attached to this email is krb5_newrealm.out that is the output from the
krb5_newrealm command using the linux script command. It shows the database
being configured under /etc/krb5kdc. I also ls -l (lc alias) the
/etc/krb5kdc directory to show the database files.
I am not sure if the kinit principal step is really necessary. It seems
like the problem lies with krb5-user being installed and configured before
krb5-{admin-server,kdc}. If krb5-user is not installed, apt-get will
install krb5-user as a dependency and the installation order seems to
prevent a database being installed under /etc/krb5kdc. All I can say is
that the above steps are repeatable. I don't think I can reproduce the
problem with apt-get install krb5-{kdc,admin-server}.

There is no significant difference between the krb5-user package
/etc/krb5.conf and our production /etc/krb5.conf other than adding our
default_realm, kdc = , admin_server =  and domain_realm .? entries. It's
very plain.

On Tue, Feb 10, 2015 at 2:02 PM, Benjamin Kaduk ka...@mit.edu wrote:

 On Tue, 10 Feb 2015, Sam Hartman wrote:

  Ben, any thoughts here?

 I did some testing, and the krb5_newrealm in jessie produces my database
 in /var/lib by default.

 However, as Sam noted, if there is existing configuration in krb5.conf or
 kdc.conf, that can cause different paths to be used.

 Additionally, in my initial test, I had a local build of krb5 installed in
 /usr/local at the front of my path, which had different default paths than
 the debian build.  (That is, my /usr/local/sbin/kdb5_util did default to
 putting the database in /etc/krb5kdc/.)

 Perhaps Erik could run kdb5_util manually from an absolute path, and
 confirm the default_realm in krb5.conf?  Using something other than
 EXAMPLE.COM for redaction would probably help disambiguate.

 -Ben



krb5_newrealm.out
Description: Binary data


Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Sam Hartman
Is your realm actually called EXAMPLE.COM?
my guess is that somehow the realm in kdc.conf was incorrect and so that
stanza is not being used.





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Benjamin Kaduk
On Tue, 10 Feb 2015, Erik Haller wrote:

 What is telling kadmind to use the /etc/krb5kdc directory? configure script?
 Because the /etc/krb5kdc/kdc.conf points -> /var/lib  and it runs just
 fine with the databases under /etc.

Hmm,
http://anonscm.debian.org/cgit/pkg-k5-afs/debian-krb5-2013.git/tree/debian/rules?id=558ecb8b1706677305f3839d9913aec3a619da7e#n66
does seem to invoke localstatedir=/etc

-Ben





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Sam Hartman
 Erik == Erik Haller erik.hal...@gmail.com writes:

Erik What is telling kadmind to use the /etc/krb5kdc directory?
Erik configure script? Because the /etc/krb5kdc/kdc.conf points ->
Erik /var/lib  and it runs just fine with the databases under
Erik /etc.

That's the big question, yes.

The only thing I know of that normally causes this is when the realm the
KDC thinks it is serving for is not the same as the realm it's actually
serving for and the config stanza gets ignored.

I'm hoping one of the other maintainers (Ben) will comment on other
things to check.





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Sam Hartman
Yeah, but the config file should override that.





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Sam Hartman
No, I cannot reproduce.





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Erik Haller
What conf file is krb5_newrealm using? Message #40 shows it pointing to 
/var/lib/ 


What is the long term goal here? Which files need to reside under 
/etc/krb5kdc? Just the principle database, lock file? What about the 
kadm5.acl and stash file? Are these variable enough to also reside under 
/var/lib ...?


On 2/10/15 12:03 PM, Sam Hartman wrote:

No, I cannot reproduce.






Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Sam Hartman
OK, so the default_realm in /etc/krb5.conf matches the realm in kdc.conf
and yet the kdc is not using /var/lib/krb5kdc.

Ben, any thoughts here?





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Erik Haller
What is telling kadmind to use the /etc/krb5kdc directory? configure 
script? Because the /etc/krb5kdc/kdc.conf points -> /var/lib  and it 
runs just fine with the databases under /etc.


On 2/10/15 12:36 PM, Sam Hartman wrote:

The database (principal and principal.*) live under /var/lib.
The ACL and stash file live in /etc/krb5kdc.






Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Erik Haller

No. I replaced the realm for the report.

On 2/10/15 9:38 AM, Sam Hartman wrote:

Is your realm actually called EXAMPLE.COM?
my guess is that somehow the realm in kdc.conf was incorrect and so that
stanza is not being used.






Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Erik Haller

Yes. The default realm is not EXAMPLE.COM.

The krb5_newrealm shows the problem. It's using /etc .

I have the .bash_history as root. I can give you the exact commands used 
to install kdc/krb5-admin-server. But if you run krb5_newrealm on your 
server right now, it should reproduce /etc as the default database 
directory. Can you repeat this?


Thank you for your help.

On 2/10/15 11:44 AM, Sam Hartman wrote:

OK, so the default_realm in /etc/krb5.conf matches the realm in kdc.conf
and yet the kdc is not using /var/lib/krb5kdc.

Ben, any thoughts here?






Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Sam Hartman
The database (principal and principal.*) live under /var/lib.
The ACL and stash file live in /etc/krb5kdc.





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-10 Thread Benjamin Kaduk
On Tue, 10 Feb 2015, Sam Hartman wrote:

 Ben, any thoughts here?

I did some testing, and the krb5_newrealm in jessie produces my database
in /var/lib by default.

However, as Sam noted, if there is existing configuration in krb5.conf or
kdc.conf, that can cause different paths to be used.

Additionally, in my initial test, I had a local build of krb5 installed in
/usr/local at the front of my path, which had different default paths than
the debian build.  (That is, my /usr/local/sbin/kdb5_util did default to
putting the database in /etc/krb5kdc/.)

Perhaps Erik could run kdb5_util manually from an absolute path, and
confirm the default_realm in krb5.conf?  Using something other than
EXAMPLE.COM for redaction would probably help disambiguate.

-Ben





Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Erik
Package: krb5-admin-server
Version: 1.12.1+dfsg-16
Severity: important
Tags: patch

The systemd krb5-admin-server.service file is missing the critical
directory /etc/krb5kdc used by kadmind in the ReadWriteDirectories stanza.
The Kerberos default database location is created under /etc/krb5kdc.
The location must be writable. The krb5-admin-server.service file makes
it readonly.

Attempting to use kadmin to add a kerberos principal will receive
the following error at the kadmin prompt:

kadmin:  add_principal -randkey host/somehost
...
add_principal: Insufficient access to lock database while creating
host/someh...@example.com.

Workaround:

1) Add /etc/krb5kdc to the ReadWriteDirectories stanza.
2) Restart krb5-admin-server systemd service.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
11c11
 ReadWriteDirectories=/var/tmp /tmp /var/lib/krb5kdc /var/run /run
---
 ReadWriteDirectories=/var/tmp /tmp /var/lib/krb5kdc /var/run /run /etc/krb5kdc
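Review bot: this hunk widens the kadmind sandbox rather than fixing the path that is wrong. The files that take the lock (principal, principal.kadm5.lock) belong under /var/lib/krb5kdc, which the unchanged line already lists; adding /etc/krb5kdc also removes the read-only protection from kdc.conf, kadm5.acl and the stash, so the service could modify its own configuration and access-control list. Suggest leaving ReadWriteDirectories as it is and instead making krb5_newrealm create the database under /var/lib/krb5kdc, which is what the database_name entry in the reporter's kdc.conf already names.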


Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Russ Allbery
Erik Haller erik.hal...@gmail.com writes:

 Incidentally, the output from krb5_newrealm (latest version) shows:

 root@lime:t# krb5_newrealm
 This script should be run on the master KDC/admin server to initialize
 a Kerberos realm.  It will ask you to type in a master key password.
 This password will be used to generate a key that is stored in
 /etc/krb5kdc/stash.  You should try to remember this password, but it
 is much more important that it be a strong password than that it be
 remembered.  However, if you lose the password and /etc/krb5kdc/stash,
 you cannot decrypt your Kerberos database.
 Loading random data
 Initializing database '/etc/krb5kdc/principal' for realm 'EXAMPLE.COM',
 master key name 'K/m...@example.com'
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 Enter KDC database master key:

 Looks like krb5_newrealm is choosing a default location of /etc/krb5kdc
 instead of /var ...

Yeah, it sure does.

I think that's the bug rather than the krb5-admin-server configuration,
since that stuff is really supposed to be in /var/lib/krb5kdc.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Erik Haller
The database was created fresh with krb5_newrealm in an lxc container. No
Kerberos KDC existed previously. I did not configure the database location
differently. This was my first Kerberos installation.

On Mon, Feb 9, 2015 at 9:52 PM, Russ Allbery r...@debian.org wrote:

 Erik Haller erik.hal...@gmail.com writes:

  Yes. These files reside under /etc/krb5kdc:

  principal
  principal.kadm5
  principal.kadm5.lock
  principal.ok
  kdc.conf
  .k5.EXAMPLE.COM

 Hm.  When was this KDC created / initialized?  (In other words, was it
 just now set up fresh, or is this an existing Kerberos KDC that you've
 upgraded?)

 Just to ask the obvious question, are you sure you didn't configure the
 database location somewhere?

 --
 Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Russ Allbery
Erik erik.hal...@gmail.com writes:

 The systemd krb5-admin-server.service file is missing the critical
 directory /etc/krb5kdc used by kadmind in the ReadWriteDirectories
 stanza.  The Kerberos default database location is created under
 /etc/krb5kdc.

Er, it certainly shouldn't be.  The Kerberos KDC database goes under
/var/lib/krb5kdc.  Is there some new bug here?

 Attempting to use kadmin to add a kerberos principal will receive
 the following error at the kadmin prompt:

 kadmin:  add_principal -randkey host/somehost
 ...
 add_principal: Insufficient access to lock database while creating
 host/someh...@example.com.

 Workaround:

 1) Add /etc/krb5kdc to the ReadWriteDirectories stanza.
 2) Restart krb5-admin-server systemd service.

And that makes that error message go away?  Hrm.  I wonder what file is
being locked.

Are you sure that your database is in /etc/krb5kdc?  It's a file named
principal.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Russ Allbery
Erik Haller erik.hal...@gmail.com writes:

 Yes. These files reside under /etc/krb5kdc:

 principal
 principal.kadm5
 principal.kadm5.lock
 principal.ok
 kdc.conf
 .k5.EXAMPLE.COM

Hm.  When was this KDC created / initialized?  (In other words, was it
just now set up fresh, or is this an existing Kerberos KDC that you've
upgraded?)

Just to ask the obvious question, are you sure you didn't configure the
database location somewhere?

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Erik Haller
I set up Kerberos a few months ago. My .bash_history file shows it was
installed with apt-get install krb5-admin-server. The version of
krb5-admin-server was 1.12.1+dfsg-1 according to /var/log/apt.history. I
then installed krb5-kdc, dpkg-reconfigure -plow krb5-kdc, and then
configured with krb5_newrealm. I would look in the krb5_newrealm in
version 1.12.1+dfsg-1.  I have upgraded since then. This bug report shows
version 1.12.1+dfsg-16.

Incidentally, the output from krb5_newrealm (latest version) shows:

root@lime:t# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/etc/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/m...@example.com'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:

Looks like krb5_newrealm is choosing a default location of /etc/krb5kdc instead
of /var ...

On Mon, Feb 9, 2015 at 9:52 PM, Russ Allbery r...@debian.org wrote:

 Erik Haller erik.hal...@gmail.com writes:

  Yes. These files reside under /etc/krb5kdc:

  principal
  principal.kadm5
  principal.kadm5.lock
  principal.ok
  kdc.conf
  .k5.EXAMPLE.COM

 Hm.  When was this KDC created / initialized?  (In other words, was it
 just now set up fresh, or is this an existing Kerberos KDC that you've
 upgraded?)

 Just to ask the obvious question, are you sure you didn't configure the
 database location somewhere?

 --
 Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Erik Haller
/etc/krb5kdc/kdc.conf:

[kdcdefaults]
kdc_ports = 750,88

[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm
des:onlyrealm des:afs3
default_principal_flags = +preauth
}

The /var/lib/krb5kdc directory is empty. The /etc/krb5kdc directory must be
compiled into kadmind as a default because I do not see a conf file that
tells kadmind where to look.

On Mon, Feb 9, 2015 at 10:21 PM, Russ Allbery r...@debian.org wrote:

 Erik Haller erik.hal...@gmail.com writes:

  Incidentally, the output from krb5_newrealm (latest version) shows:

  root@lime:t# krb5_newrealm
  This script should be run on the master KDC/admin server to initialize
  a Kerberos realm.  It will ask you to type in a master key password.
  This password will be used to generate a key that is stored in
  /etc/krb5kdc/stash.  You should try to remember this password, but it
  is much more important that it be a strong password than that it be
  remembered.  However, if you lose the password and /etc/krb5kdc/stash,
  you cannot decrypt your Kerberos database.
  Loading random data
  Initializing database '/etc/krb5kdc/principal' for realm 'EXAMPLE.COM',
  master key name 'K/m...@example.com'
  You will be prompted for the database Master Password.
  It is important that you NOT FORGET this password.
  Enter KDC database master key:

  Looks like krb5_newrealm is choosing a default location of /etc/krb5kdc
  instead of /var ...

 Yeah, it sure does.

 I think that's the bug rather than the krb5-admin-server configuration,
 since that stuff is really supposed to be in /var/lib/krb5kdc.

 --
 Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/
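
The mismatch this thread circles around (kdc.conf naming one database directory, krb5_newrealm creating the files in another, and the unit's ReadWriteDirectories covering only one of them) can be checked from the files alone. The following script is an added example, not code from the bug report or the Debian krb5 packages; the sample kdc.conf and unit file are constructed to mirror the ones quoted above, and the fallback to /var/lib/krb5kdc when a realm has no stanza is an assumption standing in for the compiled-in default.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the Debian krb5 packages.
# Checks whether the directory holding the KDC database (database_name in
# kdc.conf) is covered by ReadWriteDirectories= in the kadmind systemd unit,
# the mismatch behind "Insufficient access to lock database".

# Print the directory of database_name for REALM in CONF.  When the realm
# stanza is absent or sets no database_name (the case Sam describes, where
# the stanza is ignored), assume the Debian default /var/lib/krb5kdc.
kdc_database_dir() {
    db=$(awk -v realm="$2" '
        /^[[:space:]]*\[/ { section = $0 }
        section ~ /\[realms\]/ && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }
        inrealm && $1 == "database_name" { print $3; exit }
    ' "$1")
    [ -n "$db" ] && echo "${db%/*}" || echo /var/lib/krb5kdc
}

# Succeed if DIR (or a parent of it) appears on a ReadWriteDirectories= line
# of UNIT; under ProtectSystem= everything else is read-only for the service.
unit_allows_write() {
    unit=$1; dir=$2
    for path in $(sed -n 's/^ReadWriteDirectories=//p' "$unit"); do
        case $dir in "$path"|"$path"/*) return 0 ;; esac
    done
    return 1
}

# Print "ok: ..." or "mismatch: ..." for CONF UNIT REALM.
check_kadmind_sandbox() {
    dir=$(kdc_database_dir "$1" "$3")
    if unit_allows_write "$2" "$dir"; then
        echo "ok: database directory $dir is writable for kadmind"
    else
        echo "mismatch: database directory $dir is not in ReadWriteDirectories"
    fi
}

# Constructed sample inputs modelled on the files quoted in the report.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
    }
EOF
# Same stanza with the database under /etc/krb5kdc, as on the reporter's box.
sed 's#/var/lib/krb5kdc/principal#/etc/krb5kdc/principal#' \
    "$SAMPLE/kdc.conf" > "$SAMPLE/kdc-etc.conf"
cat > "$SAMPLE/krb5-admin-server.service" <<'EOF'
[Service]
ProtectSystem=full
ReadWriteDirectories=/var/tmp /tmp /var/lib/krb5kdc /var/run /run
EOF

check_kadmind_sandbox "$SAMPLE/kdc.conf" "$SAMPLE/krb5-admin-server.service" EXAMPLE.COM
check_kadmind_sandbox "$SAMPLE/kdc-etc.conf" "$SAMPLE/krb5-admin-server.service" EXAMPLE.COM
```

Running it against the real /etc/krb5kdc/kdc.conf and the installed unit shows directly whether the lock error is a sandbox problem or a database-placement problem.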



Bug#777579: Fwd: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database

2015-02-09 Thread Erik Haller
-- Forwarded message --
From: Erik Haller erik.hal...@gmail.com
Date: Mon, Feb 9, 2015 at 9:42 PM
Subject: Re: Bug#777579: krb5-admin-server: kadmind reports Insufficient
access to lock database
To: Russ Allbery r...@debian.org


Yes. These files reside under /etc/krb5kdc:

principal
principal.kadm5
principal.kadm5.lock
principal.ok
kdc.conf
.k5.EXAMPLE.COM

On Mon, Feb 9, 2015 at 9:39 PM, Russ Allbery r...@debian.org wrote:

 Erik erik.hal...@gmail.com writes:

  The systemd krb5-admin-server.service file is missing the critical
  directory /etc/krb5kdc used by kadmind in the ReadWriteDirectories
  stanza.  The Kerberos default database location is created under
  /etc/krb5kdc.

 Er, it certainly shouldn't be.  The Kerberos KDC database goes under
 /var/lib/krb5kdc.  Is there some new bug here?

  Attempting to use kadmin to add a kerberos principal will receive
  the following error at the kadmin prompt:

  kadmin:  add_principal -randkey host/somehost
  ...
  add_principal: Insufficient access to lock database while creating
  host/someh...@example.com.

  Workaround:

  1) Add /etc/krb5kdc to the ReadWriteDirectories stanza.
  2) Restart krb5-admin-server systemd service.

 And that makes that error message go away?  Hrm.  I wonder what file is
 being locked.

 Are you sure that your database is in /etc/krb5kdc?  It's a file named
 principal.

 --
 Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/