Skip Menu |
 

Subject: Cannot lock database
CC: ajk@iu.edu
Download (untitled) / with headers
text/plain 1.4KiB
We are having recurrent problems with kadmind not being able to lock the
kerberos database. Here is an example:

This is from my kadmin client:
$ /usr/sbin/kadmin
Authenticating as principal natejohn/admin@IU.EDU with password.
Password for natejohn/admin@IU.EDU:
kadmin: delprinc smtp/<fqdn>@IU.EDU
Are you sure you want to delete the principal "smtp/<fqdn>@IU.EDU"?
(yes/no): yes
delete_principal: Unknown code adb 10 while deleting principal
"smtp/<fqdn>@IU.EDU"

This is from the master kdc's logs:
Sep 17 15:11:20 <kdc> kadmind[5951]: Request: kadm5_randkey_principal,
smtp/<fqdn>@IU.EDU, Cannot lock database, client=natejohn/admin@IU.EDU,
service=kadmin/admin@IU.EDU, addr=<ip address>

In the past we have seen the entropy pool dry up on the master kdc, and
have thought that it was the problem, but this morning
/proc/sys/kernel/random/entropy_avail hovered steadily around 8192
during the period we were having problems.

The only solution we've found so far is to reboot the master kdc. We
have a system of redundant kdc's so this doesn't interrupt normal
transactions, but is clearly not an ideal solution.

We are running our kdc's on hardened-gentoo:

# uname -a
Linux <kdc> 2.4.32-hardened-r6 #1 SMP Mon Oct 30 22:02:46 UTC 2006 i686
Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux

Please advise, Thanks,
Nate Johnson

--
* Nate Johnson, Lead Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University
Date: Mon, 03 Mar 2008 15:32:20 -0500
From: Nate Johnson <natejohn@iu.edu>
To: krb5-bugs@mit.edu
Subject: kadmind cannot lock database
Download (untitled) / with headers
text/plain 1.3KiB
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are having recurrent problems with kadmind not being able to lock the
kerberos database. When this happens we cannot create, delete or modify
principals.

Here is an example:

kerberos logs:

Feb 27 13:23:58 <kdc> kadmind[17363]: Request: kadm5_create_principal,
<principal>@IU.EDU, Cannot lock database,
client=host/<host>.indiana.edu@IU.EDU, service=kadmin/admin@IU.EDU,
addr=<ipaddr>

available entropy is stuck at 0:
# watch -n 1 cat /proc/sys/kernel/random/entropy_avail

The only solution we've found so far is to reboot the master kdc. We have
a system of redundant kdc's so this doesn't interrupt normal transactions,
but is clearly not an ideal solution.

We're running our KDC's on hardened gentoo linux:

# uname -a
Linux <kdc> 2.4.32-hardened-r6 #1 SMP Mon Oct 30 22:02:46 UTC 2006 i686
Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux

I emailed the kerberos list first, as requested here:
http://web.mit.edu/kerberos/contact.html

Please advise, Thanks,
Nate Johnson

- --
* Nate Johnson, Lead Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (GNU/Linux)

iEYEARECAAYFAkfMYFQACgkQGQUVGJudcw7tEQCfYzXDteGh9GxOC1H74JI8ifob
hfMAoINBSFYQwMxndyxIwVq3kWt1d1oW
=bpn0
-----END PGP SIGNATURE-----