YANG ChengFu <youngs...@gmail.com> writes:

> my webkdc had been working for about 2 months without any problems,
> today I got the following error message from webkdc
> [error] mod_webkdc: create_service_token_from_req:webauth_token_create
> failed: item not found while searching (no valid keys found) (12)
> [Tue Jan 01 04:30:21 2013] [notice] mod_webkdc: event=getTokens
> from=10.136.192.34 server=krb5:weba...@example.org user=<unknown>
> errorCode=7 errorMessage="token create failed"

This means that the keyring on the WebKDC doesn't have any keys that are
currently valid.  If you run

    wa_keyring -f <path> list

on the path to the keyring on the WebKDC (the one used by mod_webkdc),
you'll see something like:

    Path: keyring

    id  Created              Valid after          Fingerprint
     0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c

Take a look at the "Valid after" field.  You probably don't have any valid
keys in the keyring that have a "Valid after" date in the past.

Usually this happens because you've disabled automatic key rotation
(usually because you have multiple WebKDCs) by turning off
WebKdcKeyringAutoUpdate, but your wa_keyring cron job to rotate the keys
isn't correct.  Perhaps it's garbage-collecting all the valid keys but not
adding a new one?

Take a look at the section in the mod_webkdc manual on setting up multiple
WebKDCs for more details about how to run wa_keyring to maintain the
keyring.

-- 
Russ Allbery <ea...@windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
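
Added example (not part of the message above and not code from the WebAuth distribution): a monitoring check that parses the `wa_keyring list` layout shown in the reply and reports when no key has a "Valid after" time in the past, which is the condition behind the "no valid keys found" error. It assumes the column layout quoted above and that the listing's timestamps are in the same time zone as the comparison time; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Assumed row layout (as in the listing quoted above):
#   id  Created-date Created-time  ValidAfter-date ValidAfter-time  Fingerprint

# count_valid_keys NOW: read a `wa_keyring list` listing on stdin and print
# how many keys have "Valid after" <= NOW ("YYYY-MM-DD HH:MM:SS").
# That timestamp format sorts lexicographically, so string order is time order.
count_valid_keys() {
    awk -v now="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 6 {
            if (($4 " " $5) <= now) n++
        }
        END { print n + 0 }
    '
}

# keyring_status NOW: Nagios-style result, 0 = usable key present, 2 = none.
keyring_status() {
    valid=$(count_valid_keys "$1")
    if [ "$valid" -gt 0 ]; then
        echo "OK: $valid key(s) currently valid"
        return 0
    fi
    echo "CRITICAL: no valid keys in keyring"
    return 2
}

# Constructed sample: the listing from the message (key valid since 2011).
sample_good() {
    cat <<'EOF'
Path: keyring

id  Created              Valid after          Fingerprint
 0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c
EOF
}

# Constructed sample: old keys garbage-collected, only a not-yet-valid key left.
sample_bad() {
    cat <<'EOF'
Path: keyring

id  Created              Valid after          Fingerprint
 0  2012-12-31 23:00:00  2013-01-03 23:00:00  00000000000000000000000000000000
EOF
}

# Real use (path is a placeholder):
#   wa_keyring -f <path> list | keyring_status "$(date '+%Y-%m-%d %H:%M:%S')"
sample_bad | keyring_status "2013-01-01 04:30:21" || true
```

Run from cron shortly after the key-rotation job on each WebKDC, a non-zero exit flags a broken rotation before clients start seeing "token create failed".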