Subject: Cannot lock database
CC: ajk@iu.edu
We are having recurrent problems with kadmind not being able to lock the
Kerberos database. Here is an example:
This is from my kadmin client:
$ /usr/sbin/kadmin
Authenticating as principal natejohn/admin@IU.EDU with password.
Password for natejohn/admin@IU.EDU:
kadmin: delprinc smtp/<fqdn>@IU.EDU
Are you sure you want to delete the principal "smtp/<fqdn>@IU.EDU"?
(yes/no): yes
delete_principal: Unknown code adb 10 while deleting principal
"smtp/<fqdn>@IU.EDU"
This is from the master KDC's logs:
Sep 17 15:11:20 <kdc> kadmind[5951]: Request: kadm5_randkey_principal,
smtp/<fqdn>@IU.EDU, Cannot lock database, client=natejohn/admin@IU.EDU,
service=kadmin/admin@IU.EDU, addr=<ip address>
In the past we have seen the entropy pool dry up on the master KDC, and
have thought that it was the problem, but this morning
/proc/sys/kernel/random/entropy_avail hovered steadily around 8192
during the period we were having problems.
The only solution we've found so far is to reboot the master KDC. We
have a system of redundant KDCs, so this doesn't interrupt normal
transactions, but it is clearly not an ideal solution.
We are running our KDCs on Hardened Gentoo:
# uname -a
Linux <kdc> 2.4.32-hardened-r6 #1 SMP Mon Oct 30 22:02:46 UTC 2006 i686
Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux
Please advise. Thanks,
Nate Johnson
--
* Nate Johnson, Lead Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University
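For readers hitting the same symptom: "Unknown code adb 10" is the kadm5 admin-database error table entry OSA_ADB_CANTLOCK_DB, the same "Cannot lock database" string that shows up in the kadmind log line above. The script below is an added triage helper, not part of this message or of MIT krb5. It summarises lock failures per admin client from kadmind syslog lines, checks the entropy pool the way the report does, and, since kadm5 takes a file lock on the admin database lock file, reports which process currently holds that lock so a wedged kadmind can be restarted instead of rebooting the KDC. The lock file path (the DB2 backend's "<database_name>.kadm5.lock", assumed here to live under /var/kerberos/krb5kdc) and the log path are assumptions; set them from your kdc.conf.

```sh
#!/bin/sh
# Added triage helper for kadmind "Cannot lock database" (adb error 10,
# OSA_ADB_CANTLOCK_DB). Constructed example; the paths below are assumptions
# and should be set from kdc.conf on the real master KDC.

# Assumed lock file for an MIT krb5 DB2 principal database: kadm5 locks
# "<database_name>.kadm5.lock" next to the database itself.
KADM5_LOCK="${KADM5_LOCK:-/var/kerberos/krb5kdc/principal.kadm5.lock}"
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# Read kadmind syslog lines on stdin; print "<client principal> <count>" for
# every admin client whose requests failed with "Cannot lock database",
# busiest first. One client dominating the list points at a stuck session;
# many clients failing at once points at the daemon or the lock itself.
lock_failures_by_client() {
    grep 'kadmind\[[0-9]*\]: .*Cannot lock database' \
        | sed -n 's/.*client=\([^,]*\),.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# True (exit 0) when the kernel entropy pool read from file $1 is below $2
# bits (default 256); the report rules this out with a steady 8192.
entropy_low() {
    avail=$(cat "$1") || return 2
    [ "$avail" -lt "${2:-256}" ]
}

# Report whether the kadm5 lock file exists and which processes hold it
# open. A wedged kadmind (or a kdb5_util/kprop run that never finished)
# keeps every later admin request failing until it lets go, which is what
# a reboot does by force.
lock_holders() {
    lock="$1"
    if [ ! -e "$lock" ]; then
        echo "no lock file at $lock"
        return 1
    fi
    # fuser prints holder PIDs on stdout and the path on stderr.
    pids=$(fuser "$lock" 2>/dev/null | tr -s ' ' ',' | sed 's/^,//; s/,$//')
    if [ -z "$pids" ]; then
        echo "lock file $lock present, not held by any process"
    else
        echo "lock file $lock held by pid(s) $pids:"
        ps -o pid,etime,args -p "$pids"
    fi
}

# Usage: sh kadm_lock_triage.sh triage /var/log/kadmind.log
if [ "${1-}" = "triage" ]; then
    log="${2:-/var/log/kadmind.log}"
    echo "== lock failures by client in $log"
    lock_failures_by_client < "$log"
    if entropy_low "$ENTROPY_FILE" 256; then
        echo "== entropy pool LOW: $(cat "$ENTROPY_FILE") bits"
    else
        echo "== entropy pool ok: $(cat "$ENTROPY_FILE") bits"
    fi
    echo "== lock holders"
    lock_holders "$KADM5_LOCK"
fi
```

Run it as root on the master KDC while the failures are happening; if lock_holders shows a kadmind PID with a long etime and no other admin traffic is in flight, restarting kadmind alone is the thing to try before a reboot. If the lock file is not held by anyone and requests still fail, the problem is inside the daemon rather than a stale lock, and kadmind's own debug logging is the next step.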