Further to my e-mail below, we detected the attribute DISALLOW_TGT_BASED
on the kadmin/admin principal.

kadmin.local: getprinc kadmin/admin@REALM
Principal: kadmin/admin@REALM
Expiration date: [never]
Last password change: Tue Oct 16 18:01:25 IST 2007
Password expiration date: [none]
Maximum ticket life: 0 day 03:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Nov 21 15:02:00 IST 2007 (admin/admin@REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 3, ArcFour with HMAC/md5,
no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 3, DES cbc mode with RSA-MD5,
no salt

Policy: [none]

Although from googling we understand that it shouldn't be a problem, we
unset this attribute for the kadmin/admin principal and it seems to have
stabilized the system.

Does it make sense?


Ido Levy
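As an added example (not code from the post or from MIT Kerberos), here is a small Python checker that parses `getprinc` output like the listing above, tolerates the wrapped "no salt" continuation lines the mail shows, and reports the DISALLOW_TGT_BASED attribute, weak enctypes (single DES, RC4/ArcFour) and a missing password policy. The sample output is constructed from the listing; its "Attributes:" line is an assumption, since the post mentions the flag but the quoted output does not show that line.

```python
import re

# Constructed sample of `kadmin.local: getprinc` output, modelled on the
# listing in the post. The "Attributes:" line is an assumption, and the
# key lines are wrapped after the comma the way the mail shows them.
SAMPLE_GETPRINC = """\
Principal: kadmin/admin@REALM
Expiration date: [never]
Last password change: Tue Oct 16 18:01:25 IST 2007
Password expiration date: [none]
Maximum ticket life: 0 day 03:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Nov 21 15:02:00 IST 2007 (admin/admin@REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 3, ArcFour with HMAC/md5,
no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 3, DES cbc mode with RSA-MD5,
no salt
Attributes: DISALLOW_TGT_BASED
Policy: [none]
"""

# "vno N, <enctype>[, <salt>]" -- the salt part is absent when wrapped.
KEY_RE = re.compile(r"vno (\d+), (.+?)(?:, (.+))?$")

# Enctype name prefixes treated as weak: single DES (not "Triple DES")
# and RC4/ArcFour.
WEAK_ENCTYPE_PREFIXES = ("DES cbc", "ArcFour")


def parse_getprinc(text):
    """Turn getprinc output into a dict; "Key:" lines become a list of dicts."""
    fields = {"keys": [], "attributes": []}
    pending_key = None  # last key parsed, so a wrapped "no salt" can attach
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            # Continuation of a wrapped "Key:" line, e.g. "no salt".
            if pending_key is not None:
                pending_key["salt"] = line
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "Key":
            m = KEY_RE.match(value.rstrip(","))
            if m is None:
                raise ValueError(f"unrecognised key line: {line}")
            pending_key = {
                "vno": int(m.group(1)),
                "enctype": m.group(2),
                "salt": m.group(3),
                "weak": m.group(2).startswith(WEAK_ENCTYPE_PREFIXES),
            }
            fields["keys"].append(pending_key)
            continue
        pending_key = None
        if name == "Attributes":
            fields["attributes"] = value.split()
        else:
            fields[name] = value
    return fields


def audit_principal(fields):
    """Return the findings a KDC administrator would want to see."""
    findings = []
    if "DISALLOW_TGT_BASED" in fields["attributes"]:
        findings.append(
            "DISALLOW_TGT_BASED is set: service tickets for this principal "
            "cannot be obtained with a TGT, clients must authenticate to it "
            "directly (what kdb5_util create gives kadmin/admin by default)")
    for key in fields["keys"]:
        if key["weak"]:
            findings.append(
                f"weak enctype on key vno {key['vno']}: {key['enctype']}")
    if fields.get("Policy", "[none]") == "[none]":
        findings.append("no password policy attached")
    return findings


if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE_GETPRINC)
    print(f"{parsed['Principal']}: {len(parsed['keys'])} keys, "
          f"attributes={parsed['attributes']}")
    for finding in audit_principal(parsed):
        print(" -", finding)
```

Run against real output by piping `kadmin.local -q "getprinc kadmin/admin"` into `parse_getprinc`; the continuation handling means it accepts both the wrapped form in the mail and the single-line form kadmin prints on a wide terminal.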

Sent by: kerberos@mit.edu
kerberos-bounces@
Date: 21/11/2007 22:47
Subject: Kerberos failed to create a principal


We are running a Kerberos server that uses LDAP as its DB.
Until today everything worked fine, but suddenly user creation failed, as
you can see in the following example:

kadmin.local: addprinc -randkey user40
NOTICE: no policy specified for user40@REALM
assigning "default". Note that policy may be overridden by
ACL restrictions.
Unable to randomize key for "user40@REALM"
Status 0x29c250c - Principal does not exist.

kadmin.local: getprinc user40
Unable to retrieve principal "user40@REALM"
Status 0x29c250c - Principal does not exist.

The error message we get in kadmin.log file is:

local6:err|error kadmin.local[782428]: LDAP:
/blddir/krb514/src/plugins/ldap/ira_entry.c(193), 32: LDAP_NO_SUCH_OBJECT

If you have encountered a similar problem, any advice/direction on how to
isolate/find/understand where the problem is would be appreciated.

Thank you!!

Ido Levy

Kerberos mailing list Kerberos@mit.edu