kadmind: Principal kadmin/admin not found

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

kadmind: Principal kadmin/admin not found

Harald Barth-2

I stepped into the trap that kadmind was not able to access the
kadmin/admin principal because I did specify a database location in
the config file for the KDC:

[kdc]
        database = {
                     dbname = lmdb:/var/heimdal/sushi
                   }

So the database was in a "non-standard" location:

# ls /var/heimdal/sushi*
/var/heimdal/sushi.mdb  /var/heimdal/sushi.mdb-lock

Result: kadmind did not find the db to read the principal from it
(which it otherwise seems to do if it does not have a keytab).

This can be fixed by starting kadmind like this:

# /usr/heimdal-7.5.0/libexec/kadmind --keytab=HDBGET:lmdb:/var/heimdal/sushi

The error message one gets otherwise is not very helping, I got on
the kadmin client command line:

         kadmin> get haba/admin
         haba/[hidden email]'s Password:
         kadmin: get haba/admin: Generic error (see e-text)

What e-text where?

And in the kadmind log:

         2019-01-29T11:24:19 krb5_recvauth: start_seq_get is not supported in the HDBGET keytab type

not a word about "missing kadmin/admin service ticket".

That error message led me to
https://github.com/heimdal/heimdal/issues/133 where I did find out
what was missing.

It would be convinient to have a better error message and if the
arguments to kadmind, especially --keytab= and --ports= could be
specified in the config file. Can I do that somehow?

Another question is if this enables logging at maximal verbosity or if
I somehow can get more:

[logging]
        kdc = 0-/FILE:/var/log/kdc-custom.log
        kadmind = 0-/FILE:/var/log/kadmind-custom.log


I don't know if this qualifies as "dumb questions" but I certainly did
not find any clue in the documentation about it.

Thanks,
Harald.