Cannot start the krb5kdc


Cannot start the krb5kdc

Daniel Savard
I am having a problem starting the KDC with MIT-Kerberos 5. The
problem occurred after an upgrade of some software on the server.

The error message is:

feynman krb5kdc # /etc/init.d/mit-krb5kdc start
 * Starting MIT Kerberos 5 KDC ...
krb5kdc: cannot initialize realm CIDS.CA - see log file for details
 * Error starting MIT Kerberos 5 KDC                                      [ !! ]

Then, looking at the log:

krb5kdc: Invalid argument - while setting database name to
/etc/krb5kdc/principal for realm CIDS.CA


I am running a Gentoo/Linux distro on this server.

Any hints?

--
-----------------
Daniel Savard

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Cannot start the krb5kdc

Sensei
On 2005-07-28 15:46:11 -0500, [hidden email] (Daniel Savard) said:

> I am having a problem starting the KDC with MIT-Kerberos 5. The
> problem occurred after an upgrade of some software on the server.
>
> The error message is:
> feynman krb5kdc # /etc/init.d/mit-krb5kdc start
>  * Starting MIT Kerberos 5 KDC ...
> krb5kdc: cannot initialize realm CIDS.CA - see log file for details
>  * Error starting MIT Kerberos 5 KDC                                    [ !! ]
>
> Then, looking at the log:
>
> krb5kdc: Invalid argument - while setting database name to
> /etc/krb5kdc/principal for realm CIDS.CA
>
>
> I am running a Gentoo/Linux distro on this server.
>
> Any hints?
>

Yes, post more info!

Logs, kdc configuration, all you can find. What is
/etc/krb5kdc/principal? Is the principal database there?

--
Sensei <[hidden email]>

cd /pub
more beer


Cannot start the krb5kdc

Daniel Savard
I think I sent it directly to Sensei instead of to the list. I apologize.

Also, I am running mit-kerberos version 1.4.1. I think the previous
version was 1.3.6. I just read I was supposed to back up my database
before upgrading and the Gentoo procedure didn't take this into
account. So, I guess the database is not in a proper format for 1.4.1.
Is there a way to recover from this kind of error? Any tool to perform the
conversion?

---------- Forwarded message ----------
From: Daniel Savard <[hidden email]>
Date: 30 Jul 2005 20:04
Subject: Re: Cannot start the krb5kdc
To: Sensei <[hidden email]>


Here is my krb5.conf:

[libdefaults]
        ticket_lifetime = 600
        default_realm = CIDS.CA
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        CIDS.CA = {
        kdc = kerberos.cids.ca:88
        kdc = kerberos-1.cids.ca:88
        admin_server = kerberos.cids.ca:749
        }

[domain_realm]
        .cids.ca = CIDS.CA
        cids.ca = CIDS.CA

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

------------------------------------------------------------------------

Then my kdc.conf which is in /etc/krb5kdc as in the profile stanza
above is stating:

[kdcdefaults]
        kdc_ports = 88,750

[realms]
        CIDS.CA = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
        dict_file = /etc/krb5kdc/kadm5.dict
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        }

--------------------------------------------------------------------------------------

And as you can see, my database is in /etc/krb5kdc/principal. All the
files exist, except the dict_file, which is no harm I think. Anyway,
even if I remove this stanza it doesn't change anything.

When trying to start up the KDC, I am getting the messages already
mentioned in my previous post. Not much more detail than that,
unless you can tell me a way to increase the debugging level.

Regards,

--
-----------------
Daniel Savard


--
-----------------
Daniel Savard


Re: Cannot start the krb5kdc

Sensei
On 2005-07-31 19:28:10 +0200, [hidden email] (Daniel Savard) said:

> I think I sent it directly to Sensei instead of to the list. I apologize.
>
> Also, I am running mit-kerberos version 1.4.1. I think the previous
> version was 1.3.6. I just read I was supposed to back up my database
> before upgrading and the Gentoo procedure didn't take this into
> account. So, I guess the database is not in a proper format for 1.4.1.
> Is there a way to recover from this kind of error? Any tool to perform the
> conversion?


If I remember right, those databases should be compatible. But, check
it with kdb5_util from the command line.

>
> Here is my krb5.conf:
>
> [libdefaults]
>         ticket_lifetime = 600
>         default_realm = CIDS.CA
>         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
> [realms]
>         CIDS.CA = {
>         kdc = kerberos.cids.ca:88
>         kdc = kerberos-1.cids.ca:88
>         admin_server = kerberos.cids.ca:749
>         }
>
> [domain_realm]
>         .cids.ca = CIDS.CA
>         cids.ca = CIDS.CA
>
> [kdc]
>         profile = /etc/krb5kdc/kdc.conf

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Why? There's no [kdc] section in krb5.conf --- check it with

man krb5.conf

in case they've changed the sections in Gentoo.


> [kdcdefaults]
>         kdc_ports = 88,750
>
> [realms]
>         CIDS.CA = {
>         database_name = /etc/krb5kdc/principal
>         admin_keytab = /etc/krb5kdc/kadm5.keytab
>         acl_file = /etc/krb5kdc/kadm5.acl
>         key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
>         dict_file = /etc/krb5kdc/kadm5.dict
>         kadmind_port = 749
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         master_key_type = des3-hmac-sha1
>         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>         }
>
Seems ok.


> And as you can see, my database is in /etc/krb5kdc/principal. All the
> files exist, except the dict_file, which is no harm I think. Anyway,
> even if I remove this stanza it doesn't change anything.
>

Create it or remove the entry. In the man page, I don't see the default
behavior if no dictionary exists.


> When trying to start up the KDC, I am getting the messages already
> mentioned in my previous post. Not much more detail than that,
> unless you can tell me a way to increase the debugging level.
>

Check the kdc.conf again and be sure the database works with the tools
provided by kerberos. Also, be sure all the principals exist in the db,
like K/[hidden email] and so on.

--
Sensei <[hidden email]>

cd /pub
more beer


Re: Cannot start the krb5kdc

Daniel Savard
2005/8/4, Sensei <[hidden email]>:
> On 2005-07-31 19:28:10 +0200, [hidden email] (Daniel Savard) said:
>
(...)
>
>
> If I remember right, those databases should be compatible. But, check
> it with kdb5_util from the command line.
>

# kdb5_util dump
kdb5_util: Invalid argument while setting active database to
'/etc/krb5kdc/principal'

;-(

> >
> > Here is my krb5.conf:
> >
(...)

> >
> > [kdc]
> >         profile = /etc/krb5kdc/kdc.conf
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Why? There's no [kdc] section in krb5.conf --- check it with
>
> man krb5.conf
>
> if they've changed the sections in gentoo.
>

Checked, there is no documented kdc section in the man pages. So, I
removed the stanza, but it didn't fix anything.

>
(...)
>
> Create it or remove the entry. In the man page, I don't see the default
> behavior if no dictionary exists.
>
>

Didn't change anything.

> > When trying to start up the KDC, I am getting the messages already
> > mentioned in my previous post. Not much more detail than that,
> > unless you can tell me a way to increase the debugging level.
> >
>
> Check the kdc.conf again and be sure the database works with the tools
> provided by kerberos. Also, be sure all the principals exist in the db,
> like K/[hidden email] and so on.
>

Well, since I don't have access with the tools, a strings principal
gave me some output where I can see that all the principals I know seem
to be there.

> --
> Sensei <[hidden email]>
>

Can a crash be responsible for some lock files or something like
that which prevents proper access to the database?

Or, is Kerberos using a library to parse arguments that can be bogus
on my system? How can I check that? The message doesn't say
anything about the arguments used.

--
-----------------
Daniel Savard

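The questions raised above (what /etc/krb5kdc/principal is, whether the database and its companion files are there, whether something blocks access to them) can be checked before touching kdb5_util. This is an added example, not code from the thread or from MIT Kerberos: the function names are mine, it assumes the "key = value" spacing of the posted kdc.conf, and it only inspects files (the DB2 backend's `principal`, `principal.ok` lock file and `principal.kadm5` policy DB) without opening the database.

```shell
# Constructed diagnostic, not MIT Kerberos code: read a realm's database_name
# from kdc.conf and check the files the DB2 backend keeps beside it, the first
# thing to verify when krb5kdc or kdb5_util fails with "Invalid argument while
# setting ... database". Assumes "key = value" spacing as in the posted kdc.conf.

# kdc_db_path CONF REALM: print the realm's database_name (empty if absent).
kdc_db_path() {
    awk -v realm="$2" '
        /^[ \t]*\[/                                       { section = $1; next }
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "database_name"                  { print $3; exit }
        inrealm && /}/                                    { inrealm = 0 }
    ' "$1"
}

# kdc_db_check DBPATH: one finding per line; returns 0 only when the principal
# DB and its DB2 companions (.ok lock file, .kadm5 policy DB) exist, the DB is
# non-empty, and all three are readable and writable by the current user.
kdc_db_check() {
    db="$1" rc=0
    [ -n "$db" ] || { echo "no database_name found in kdc.conf"; return 1; }
    for f in "$db" "$db.ok" "$db.kadm5"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1
        elif [ ! -r "$f" ] || [ ! -w "$f" ]; then
            echo "not readable+writable by $(id -un): $f"; rc=1
        fi
    done
    [ -f "$db" ] && [ ! -s "$db" ] && { echo "empty: $db"; rc=1; }
    return $rc
}

# demo: constructed sample tree shaped like the posted kdc.conf, with
# database_name pointed into a temp dir; returns kdc_db_check's status.
demo() {
    d=$(mktemp -d) rc=0
    cat > "$d/kdc.conf" <<EOF
[realms]
        CIDS.CA = {
        database_name = $d/principal
        }
EOF
    printf 'constructed stand-in, not a real DB2 file\n' > "$d/principal"
    : > "$d/principal.ok"          # principal.kadm5 left out on purpose
    kdc_db_check "$(kdc_db_path "$d/kdc.conf" CIDS.CA)" || rc=$?
    rm -rf "$d"
    return $rc
}

if demo; then echo "database files look usable"; else echo "fix the findings above"; fi
```

Run it as the user the KDC starts as, since a file that root can read but the service account cannot shows up here and not in the KDC's one-line error.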

Re: Cannot start the krb5kdc

Sensei
On 2005-08-05 05:44:09 +0200, [hidden email] (Daniel Savard) said:

> 2005/8/4, Sensei <[hidden email]>:
>> On 2005-07-31 19:28:10 +0200, [hidden email] (Daniel Savard) said:
>>
> (...)
>>
>>
>> If I remember right, those databases should be compatible. But, check
>> it with kdb5_util from the command line.
>>
>
> # kdb5_util dump
> kdb5_util: Invalid argument while setting active database to
> '/etc/krb5kdc/principal'
>
> ;-(


D'oh.


>>
>> Check the kdc.conf again and be sure the database works with the tools
>> provided by kerberos. Also, be sure all the principals exist in the db,
>> like K/[hidden email] and so on.
>>
>
> Well, since I don't have access with the tools, a strings principal
> gave me some output where I can see that all the principals I know seem
> to be there.
>
>> --
>> Sensei <[hidden email]>
>>
>
> Can a crash be responsible for some lock files or something like
> that which prevents proper access to the database?
>
> Or, is Kerberos using a library to parse arguments that can be bogus
> on my system? How can I check that? The message doesn't say
> anything about the arguments used.


Well, everything is possible. Something you can do is try to
re-emerge mitkrb5 (or whatever portage calls it), setting a lower
optimization level in make.conf. Be aware that -O3 can cause some library
corruption (java used to fail with -O3, as an example). Also check your
USE= directive and the forums; maybe someone on Gentoo had your
problem.

If everything fails, even building from the original sources (MIT website),
then I'd first try the many other options of kdb5_util (verbose, old
formats, ...) and maybe back up the database and recreate a new one.
Pray it's the library and not your db that is in bad shape...

Hope you'll solve it.



--
Sensei <[hidden email]>

cd /pub
more beer


Re: Cannot start the krb5kdc

Jens Kleineheismann
Hi,

Daniel Savard <[hidden email]> wrote:
> [After upgrading mit-krb5 from 1.3.x to 1.4.x on a Gentoo box, can't
> start kdc.]
I had the same problem and did not figure out a solution. But
since I have only two relevant principals in that database, I
created a new database.

Hm, this is not very helpful. Anyway.
Good luck,
        heinzel =u}

