Following up on my e-mail below: we detected the attribute DISALLOW_TGT_BASED
on the kadmin/admin principal.

kadmin.local: getprinc kadmin/admin@REALM
Principal: kadmin/admin@REALM
Expiration date: [never]
Last password change: Tue Oct 16 18:01:25 IST 2007
Password expiration date: [none]
Maximum ticket life: 0 day 03:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Nov 21 15:02:00 IST 2007 (admin/admin@REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, DES cbc mode with RSA-MD5, no salt

Policy: [none]

Although from googling we understand that it shouldn't be a problem, we
unset this attribute for the kadmin/admin principal and it seems to have
stabilized the system.

Does it make sense?


Ido Levy

We are running a Kerberos server that uses LDAP as its DB.
Until today everything worked fine, but suddenly user creation failed, as you
can see in the following example:

kadmin.local: addprinc -randkey user40
NOTICE: no policy specified for user40@REALM
assigning "default". Note that policy may be overridden by
ACL restrictions.
Unable to randomize key for "user40@REALM"
Status 0x29c250c - Principal does not exist.

kadmin.local: getprinc user40
Unable to retrieve principal "user40@REALM"
Status 0x29c250c - Principal does not exist.

The error message we get in kadmin.log file is:

local6:err|error kadmin.local[782428]: LDAP: /blddir/krb514/src/plugins/ldap/ira_entry.c(193), 32: LDAP_NO_SUCH_OBJECT

If you have encountered a similar problem, any advice/direction on how to
isolate/find/understand where the problem is would be appreciated.

Thank you!!

Ido Levy
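Decoding the two error lines from the report above, as an added example that is not part of this thread and not code from MIT Kerberos: a com_err status code packs a 1-4 character error-table name into bits 8..31 (6 bits per character, 'A'..'Z' = 1..26, 'a'..'z' = 27..52, '0'..'9' = 53..62, '_' = 63) and the entry index into the low byte, so `0x29c250c` resolves to table `ovk` (MIT's kadm5 table) index 12, and the kadmin.log line carries the raw LDAP result code (32 = noSuchObject, RFC 4511). The kadm5 symbol list below is a subset transcribed from kadm_err.et in declaration order; the hints in `diagnose()` are general LDAP semantics (an add fails with noSuchObject when the parent entry is absent or invisible to the bind DN), not something the thread confirms. The two sample lines are copied from the messages above.

```python
"""Turn a kadmin 'Status 0x...' line and a kadmin.log LDAP line into something
actionable: which com_err table and entry the status belongs to, and which
LDAP result code the KDC LDAP plugin actually received."""
import re

# com_err alphabet: packed value 1..63 -> 'A'..'Z', 'a'..'z', '0'..'9', '_'
_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Subset of MIT krb5 kadm_err.et (table "ovk"), in declaration order, so the
# list index equals the low byte of the code.  Entries beyond this subset
# are reported as unknown rather than guessed.
KADM5_TABLE = [
    "KADM5_FAILURE", "KADM5_AUTH_GET", "KADM5_AUTH_ADD", "KADM5_AUTH_MODIFY",
    "KADM5_AUTH_DELETE", "KADM5_AUTH_INSUFFICIENT", "KADM5_BAD_DB", "KADM5_DUP",
    "KADM5_RPC_ERROR", "KADM5_NO_SRV", "KADM5_BAD_HIST_KEY", "KADM5_NOT_INIT",
    "KADM5_UNK_PRINC", "KADM5_UNK_POLICY",
]
TABLES = {"ovk": KADM5_TABLE}

# LDAP result codes (RFC 4511) that matter when the KDC plugin writes entries.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               50: "insufficientAccessRights", 68: "entryAlreadyExists"}

# Sample input, copied from the thread above.
STATUS_LINE = "Status 0x29c250c - Principal does not exist."
LOG_LINE = ("local6:err|error kadmin.local[782428]: LDAP: "
            "/blddir/krb514/src/plugins/ldap/ira_entry.c(193), 32: LDAP_NO_SUCH_OBJECT")


def table_name(code):
    """Recover the com_err table name packed into bits 8..31 of a code.
    Negative (signed 32-bit) codes such as the kdb5 table are masked first."""
    packed = (code & 0xFFFFFFFF) >> 8
    name = ""
    for shift in (18, 12, 6, 0):          # four 6-bit characters, high first
        n = (packed >> shift) & 0x3F
        if n:                             # 0 means "no character here"
            name += _CHARSET[n - 1]
    return name


def decode_status(text):
    """'Status 0x29c250c - ...' -> (table, index, symbol) or None."""
    m = re.search(r"Status (0x[0-9a-fA-F]+)", text)
    if not m:
        return None
    code = int(m.group(1), 16)
    table, index = table_name(code), code & 0xFF
    names = TABLES.get(table, [])
    symbol = names[index] if index < len(names) else f"unknown index {index} in table {table!r}"
    return table, index, symbol


_LDAP_LOG_RE = re.compile(r"LDAP: (?P<file>\S+)\((?P<line>\d+)\), (?P<code>\d+): (?P<name>\w+)")


def decode_ldap_log(line):
    """Pull source location, numeric result code and symbolic name out of the
    'LDAP: <file>(<line>), <code>: <NAME>' fragment the plugin logs."""
    m = _LDAP_LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {"file": m.group("file"), "line": int(m.group("line")), "code": code,
            "name": m.group("name"), "rfc_name": LDAP_RESULT.get(code, "other")}


def diagnose(status_text, log_line):
    """Combine both lines into a short list of hints (general LDAP semantics)."""
    status = decode_status(status_text)
    ldap = decode_ldap_log(log_line)
    hints = []
    if ldap and ldap["code"] == 32:
        hints.append("LDAP noSuchObject: the realm/principal container the plugin "
                     "writes under is missing, or the bind DN cannot see it")
    if ldap and ldap["code"] == 50:
        hints.append("LDAP insufficientAccessRights: bind DN cannot write the subtree")
    if status and status[2] == "KADM5_UNK_PRINC":
        hints.append("kadmin cannot find the principal right after addprinc: "
                     "the entry was never written to the directory")
    return hints


if __name__ == "__main__":
    print(decode_status(STATUS_LINE))
    print(decode_ldap_log(LOG_LINE))
    for h in diagnose(STATUS_LINE, LOG_LINE):
        print("-", h)
```

With noSuchObject on a create, the next things to verify on the server are the container/subtree the realm is configured to write principals into (`kdb5_ldap_util view -r REALM` prints the realm's attributes) and that an `ldapsearch` with the same bind DN can actually see that container; a container that was deleted or moved after the realm was set up produces exactly this symptom. This is a suggested check, not something the thread establishes.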

