Message-ID: <47CC6054.7080109@iu.edu>
Date: Mon, 03 Mar 2008 15:32:20 -0500
From: Nate Johnson
To: krb5-bugs@mit.edu
Subject: kadmind cannot lock database

We are having recurrent problems with kadmind not being able to lock the kerberos database. When this happens we cannot create, delete or modify principals. Here is an example:

kerberos logs:

    Feb 27 13:23:58 kadmind[17363]: Request: kadm5_create_principal, @IU.EDU, Cannot lock database, client=host/.indiana.edu@IU.EDU, service=kadmin/admin@IU.EDU, addr=

available entropy is stuck at 0:

    # watch -n 1 cat /proc/sys/kernel/random/entropy_avail

The only solution we've found so far is to reboot the master kdc. We have a system of redundant kdc's so this doesn't interrupt normal transactions, but is clearly not an ideal solution.

We're running our KDC's on hardened gentoo linux:

    # uname -a
    Linux 2.4.32-hardened-r6 #1 SMP Mon Oct 30 22:02:46 UTC 2006 i686 Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux

I emailed the kerberos list first, as requested here:
http://web.mit.edu/kerberos/contact.html

Please advise,

Thanks,
Nate Johnson

--
* Nate Johnson, Lead Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University