Hello Russ,

thanks for your quick reply. Finally I figured out what happened. I used the following cron job to create keyring files:

sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring gc -60d
apache2ctl graceful
for host in bulger.mdc; do
    rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
    ssh $host apache2ctl graceful
done

but it does not work. So I have to enable WebKdcKeyringAutoUpdate, then Apache creates the keyring, then it works.

The two ways to create the keyring are in the same place, I am not sure what I should do?

Any suggestions will be appreciated!

--
Yang
Orange Key: 35745318S1

On Tue, Jan 1, 2013 at 12:08 AM, Russ Allbery <ea...@windlord.stanford.edu> wrote:

> YANG ChengFu <youngs...@gmail.com> writes:
>
> > my webkdc had been working for about 2 months without any problems,
> > today I got the following error message from webkdc
>
> > [error] mod_webkdc: create_service_token_from_req:webauth_token_create
> > failed: item not found while searching (no valid keys found) (12)
> > [Tue Jan 01 04:30:21 2013] [notice] mod_webkdc: event=getTokens
> > from=10.136.192.34 server=krb5:weba...@example.org user=<unknown>
> > errorCode=7 errorMessage="token create failed"
>
> This means that the keyring on the WebKDC doesn't have any keys that are
> currently valid.
>
> If you run wa_keyring -f <path> list on the path to the keyring on the
> WebKDC (the one used by mod_webkdc), you'll see something like:
>
>     Path: keyring
>
>     id  Created              Valid after          Fingerprint
>      0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c
>
> Take a look at the "Valid after" field.  You probably don't have any valid
> keys in the keyring that have a "Valid after" date in the past.
>
> Usually this happens because you've disabled automatic key rotation
> (usually because you have multiple WebKDCs) by turning off
> WebKdcKeyringAutoUpdate, but your wa_keyring cron job to rotate the keys
> isn't correct.  Perhaps it's garbage-collecting all the valid keys but not
> adding a new one?
>
> Take a look at the section in the mod_webkdc manual on setting up multiple
> WebKDCs for more details about how to run wa_keyring to maintain the
> keyring.
>
> --
> Russ Allbery <ea...@windlord.stanford.edu>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
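
An added example (not part of the original messages and not WebAuth project code): a shell check for the condition Russ describes, counting the keys in `wa_keyring list` output whose "Valid after" time is already in the past. It assumes the column layout shown in the quoted listing; the function names and the second sample keyring are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): detect a keyring with no currently valid key.
# Assumes the `wa_keyring list` column layout quoted above and that the
# timestamps use the same time zone as the NOW argument.

# count_valid_keys NOW: read list output on stdin, print how many keys have
# "Valid after" <= NOW. NOW is "YYYY-MM-DD HH:MM:SS".
count_valid_keys() {
    awk -v now="$1" '
        # Key rows start with a numeric id: id, created (2 fields),
        # valid-after (2 fields), fingerprint.
        $1 ~ /^[0-9]+$/ && NF >= 6 {
            valid_after = $4 " " $5
            # Fixed-width ISO-style timestamps sort correctly as strings.
            if (valid_after <= now) n++
        }
        END { print n + 0 }
    '
}

# keyring_usable NOW: succeed only if at least one key is already valid.
keyring_usable() {
    [ "$(count_valid_keys "$1")" -gt 0 ]
}

# Sample 1: the listing from the reply above.
SAMPLE_OK='Path: keyring

id  Created              Valid after          Fingerprint
 0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c'

# Sample 2 (constructed, placeholder fingerprint): the only key becomes
# valid two days after the time of the logged error.
SAMPLE_FUTURE='Path: keyring

id  Created              Valid after          Fingerprint
 0  2013-01-01 04:00:00  2013-01-03 04:00:00  00000000000000000000000000000000'

# Time of the mod_webkdc error in the quoted log.
NOW='2013-01-01 04:30:21'
for sample in "$SAMPLE_OK" "$SAMPLE_FUTURE"; do
    if printf '%s\n' "$sample" | keyring_usable "$NOW"; then
        echo "OK: keyring has a valid key"
    else
        echo "ALERT: no valid keys in keyring"
    fi
done
```

In a rotation cron job, the output of `wa_keyring -f <path> list` can be piped into `keyring_usable "$(date '+%Y-%m-%d %H:%M:%S')"` after the rotation step and before the keyring is copied to other hosts.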