Subject: Cannot lock database
CC: ajk@iu.edu

We are having recurrent problems with kadmind not being able to lock the kerberos database. Here is an example:

This is from my kadmin client:

$ /usr/sbin/kadmin
Authenticating as principal natejohn/admin@IU.EDU with password.
Password for natejohn/admin@IU.EDU:
kadmin: delprinc smtp/@IU.EDU
Are you sure you want to delete the principal "smtp/@IU.EDU"? (yes/no): yes
delete_principal: Unknown code adb 10 while deleting principal "smtp/@IU.EDU"

This is from the master kdc's logs:

Sep 17 15:11:20 kadmind[5951]: Request: kadm5_randkey_principal, smtp/@IU.EDU, Cannot lock database, client=natejohn/admin@IU.EDU, service=kadmin/admin@IU.EDU, addr=

In the past we have seen the entropy pool dry up on the master kdc, and have thought that it was the problem, but this morning /proc/sys/kernel/random/entropy_avail hovered steadily around 8192 during the period we were having problems.

The only solution we've found so far is to reboot the master kdc. We have a system of redundant kdc's so this doesn't interrupt normal transactions, but is clearly not an ideal solution.

We are running our kdc's on hardened-gentoo:

# uname -a
Linux 2.4.32-hardened-r6 #1 SMP Mon Oct 30 22:02:46 UTC 2006 i686 Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux

Please advise,

Thanks,
Nate Johnson

--
* Nate Johnson, Lead Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University