Kadmind dies after startup on FC14 x64 arch


Maple Thorpe
I have been struggling with the above problem for the past two days.  To
solve the problem after its appearance I have used kdb5_util destroy to
remove the databases, uninstalled the rpms, and removed the remaining KDC
files under the /var/kerberos/krb5kdc/ folder and the keytab file in /etc
for a clean start.

After each attempt to effect a clean start, i.e. installing rpms,
kdb5_util create -s, creating adm keytab, then starting krb5kdc and
kadmin services, kadmind dies.

The kadmin service is started as the root user but kadmind dies,
and /var/log/kadmin.log contains the message "Permission denied while
mapping update log ('var/kerberos/krb5kdc/principal.ulog')". kdb5_util
creates principal.ulog and the other db files in the /var/kerberos/krb5kdc
folder with 600 permissions and owner/group root.root.

Using strace against rawhide kadmind is the only way it remains
alive.  The tail of the strace output contains:

stat("/var/kerberos/krb5kdc/principal.ulog", {st_mode=S_IFREG|0600,
st_size=4096040, ...}) = 0
open("/var/kerberos/krb5kdc/principal.ulog", O_RDWR) = 15
mmap(NULL, 268435456, PROT_READ|PROT_WRITE, MAP_SHARED, 15, 0) =
0x7f9cd8641000
fcntl(15, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
msync(0x7f9cd8641000, 4096, MS_SYNC)    = 0
fcntl(15, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
fcntl(15, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
lseek(15, 0, SEEK_END)                  = 4096040
fcntl(15, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
rt_sigaction(SIGINT, {0x7f9ceb28c210, [], SA_RESTORER, 0x7f9ce9468eb0},
NULL, 8) = 0
rt_sigaction(SIGTERM, {0x7f9ceb28c210, [], SA_RESTORER, 0x7f9ce9468eb0},
NULL, 8) = 0
rt_sigaction(SIGQUIT, {0x7f9ceb28c210, [], SA_RESTORER, 0x7f9ce9468eb0},
NULL, 8) = 0
rt_sigaction(SIGHUP, {0x7f9ceb28c160, [], SA_RESTORER, 0x7f9ce9468eb0},
NULL, 8) = 0
rt_sigaction(SIGPIPE, {0x7f9ceb28c1d0, [], SA_RESTORER, 0x7f9ce9468eb0},
NULL, 8) = 0
rt_sigaction(SIGCHLD, {SIG_IGN, [], SA_RESTORER, 0x7f9ce9468eb0}, NULL,
8) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3543, ...}) = 0
write(3, "Mar 13 09:22:15 minniemouse.local"..., 73) = 73
sendto(4, "<30>Mar 13 09:22:15 kadmind[5813"..., 43, MSG_NOSIGNAL, NULL,
0) = 43

Nothing here tells me there is a permission error.  Is this a known
problem and where do I look to solve it?

Thanks

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kadmind dies after startup on FC14 x64 arch

Brian Candler
On Sun, Mar 13, 2011 at 12:15:41PM -0500, Maple Thorpe wrote:
> Service kadmin is started as root user but kadmind dies
> and /var/log/kadmin.log contains message "Permission denied while
> mapping update log ('var/kerberos/krb5kdc/principal.ulog').

"Permission denied" while things are running as root suggests it could be a
problem with SELINUX.  You could try turning it off globally to see if that
fixes the problem.

> open("/var/kerberos/krb5kdc/principal.ulog", O_RDWR) = 15

You're right, that looks successful. Are you saying that kadmind behaves
differently if you run it under strace? Or do you still get the permission
denied error logged, possibly this one:

> sendto(4, "<30>Mar 13 09:22:15 kadmind[5813"..., 43, MSG_NOSIGNAL, NULL,
> 0) = 43

(try adding -s 128 to the strace command line to see more of this message)

Re: Kadmind dies after startup on FC14 x64 arch

Simo Sorce
On Mon, 14 Mar 2011 16:22:25 +0000
Brian Candler <[hidden email]> wrote:

> On Sun, Mar 13, 2011 at 12:15:41PM -0500, Maple Thorpe wrote:
> > Service kadmin is started as root user but kadmind dies
> > and /var/log/kadmin.log contains message "Permission denied while
> > mapping update log ('var/kerberos/krb5kdc/principal.ulog').
>
> "Permission denied" while things are running as root suggests it
> could be a problem with SELINUX.  You could try turning it off
> globally to see if that fixes the problem.

It seems like this is a possible explanation.

Check /var/log/audit/audit.log to see if there are any denials when the
kadmind service is started through the "service" tool.

(if manually run by root it will run as unconfined and may not show the
issue).

If audit.log reports denials you can open a bug in Fedora against the
selinux policy and temporarily switch selinux to permissive mode by
running 'setenforce 0', or you can use the audit2allow tool to create
a temporary local policy.

> > open("/var/kerberos/krb5kdc/principal.ulog", O_RDWR) = 15
>
> You're right, that looks successful. Are you saying that kadmind
> behaves differently if you run it under strace? Or do you still get
> the permission denied error logged, possibly this one:

This would be in line with an selinux denial, as running under strace
would seem to mean it was run interactively by the user root which is
normally unconfined and therefore also the daemon would be run as
unconfined. When run through init scripts there is a transition and the
context is set appropriately, thus restrictions take effect.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
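
The audit.log check suggested above, as an added example that is not part of the original thread: a small parser that pulls SELinux AVC denials for one command out of audit.log text and shows the source domain, so a confined daemon can be told apart from one started unconfined. The sample lines (including the type names in them) are constructed for illustration and are not the denial from this report.

```python
import re

# Constructed sample in audit.log format; NOT taken from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300026135.101:412): avc:  denied  { write } for  pid=5813 comm="kadmind" name="principal.ulog" dev=dm-0 ino=131094 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5kdc_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1300026135.101:412): arch=c000003e syscall=2 success=no exit=-13 comm="kadmind" exe="/usr/sbin/kadmind"
type=AVC msg=audit(1300026140.220:413): avc:  denied  { read } for  pid=6001 comm="httpd" name="index.html" dev=dm-0 ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300026150.007:414): avc:  granted  { setenforce } for  pid=6100 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    return rec

def denials_for(log_text, comm):
    """All denied AVC records whose comm= field equals the given command."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["result"] == "denied" and r.get("comm") == comm]

def sel_type(context):
    """Type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def is_confined(rec):
    """False when the process ran in unconfined_t (e.g. started by hand as root)."""
    return sel_type(rec["scontext"]) != "unconfined_t"

def summarize(rec):
    src, tgt = sel_type(rec["scontext"]), sel_type(rec["tcontext"])
    return "%s -> %s:%s { %s } name=%s" % (
        src, tgt, rec["tclass"], " ".join(rec["perms"]), rec.get("name"))

if __name__ == "__main__":
    for rec in denials_for(SAMPLE_AUDIT_LOG, "kadmind"):
        print(summarize(rec), "(confined)" if is_confined(rec) else "(unconfined)")
```

On a real system, pass the contents of /var/log/audit/audit.log (readable by root) instead of the sample string.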