Cannot start the krb5kdc - Kerberos


  1. Cannot start the krb5kdc

    I am having a problem starting the KDC with MIT-Kerberos 5. The
    problem occurred after an upgrade of some software on the server.

    The error message is:

    feynman krb5kdc # /etc/init.d/mit-krb5kdc start
    * Starting MIT Kerberos 5 KDC ...
    krb5kdc: cannot initialize realm CIDS.CA - see log file for details
    * Error starting MIT Kerberos 5 KDC [ !! ]

    Then, looking at the log:

    krb5kdc: Invalid argument - while setting database name to
    /etc/krb5kdc/principal for realm CIDS.CA


    I am running a Gentoo/Linux distro on this server.

    Any hints?

    --
    -----------------
    Daniel Savard

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Cannot start the krb5kdc

    On 2005-07-28 15:46:11 -0500, daniel.savard@gmail.com (Daniel Savard) said:

    > I am having a problem starting the KDC with MIT-Kerberos 5. The
    > problem occurred after an upgrade of some software on the server.
    >
    > The error message is:
    > feynman krb5kdc # /etc/init.d/mit-krb5kdc start
    > * Starting MIT Kerberos 5 KDC ...
    > krb5kdc: cannot initialize realm CIDS.CA - see log file for details
    > * Error starting MIT Kerberos 5 KDC
    > [ !! ]
    >
    > Then, looking at the log:
    >
    > krb5kdc: Invalid argument - while setting database name to
    > /etc/krb5kdc/principal for realm CIDS.CA
    >
    >
    > I am running a Gentoo/Linux distro on this server.
    >
    > Any hints?
    >


    Yes, post more info!

    Logs, kdc configuration, all you can find. What is
    /etc/krb5kdc/principal? Is the principal database there?

    --
    Sensei

    cd /pub
    more beer


  3. Cannot start the krb5kdc

    I think I sent it directly to sensei instead of to the list. I apologize.

    Also, I am running mit-kerberos version 1.4.1. I think the previous
    version was 1.3.6. I just read I was supposed to back up my database
    before upgrading and the Gentoo procedure didn't take this into
    account. So, I guess the database is not in a proper format for 1.4.1.
    Is there a way to recover from this kind of error? Any tool to perform the
    conversion?

    ---------- Forwarded message ----------
    From: Daniel Savard
    Date: 30 Jul. 2005 20:04
    Subject: Re: Cannot start the krb5kdc
    To: Sensei


    Here is my krb5.conf:

    [libdefaults]
    ticket_lifetime = 600
    default_realm = CIDS.CA
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
    CIDS.CA = {
    kdc = kerberos.cids.ca:88
    kdc = kerberos-1.cids.ca:88
    admin_server = kerberos.cids.ca:749
    }

    [domain_realm]
    .cids.ca = CIDS.CA
    cids.ca = CIDS.CA

    [kdc]
    profile = /etc/krb5kdc/kdc.conf

    [logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

    ------------------------------------------------------------------------

    Then my kdc.conf which is in /etc/krb5kdc as in the profile stanza
    above is stating:

    [kdcdefaults]
    kdc_ports = 88,750

    [realms]
    CIDS.CA = {
    database_name = /etc/krb5kdc/principal
    admin_keytab = /etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
    dict_file = /etc/krb5kdc/kadm5.dict
    kadmind_port = 749
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

    --------------------------------------------------------------------------------------

    And as you can see, my database is in /etc/krb5kdc/principal. All the
    files exist, except the dict_file, which is no harm I think. Anyway,
    even if I removed this stanza it doesn't change anything.

    When trying to start up the KDC, I am getting the messages already
    mentioned in my previous post. Not much more detail than that.
    Unless you can tell me a way to increase the debugging level.

    Regards,

    --
    -----------------
    Daniel Savard


    --
    -----------------
    Daniel Savard



  4. Re: Cannot start the krb5kdc

    On 2005-07-31 19:28:10 +0200, daniel.savard@gmail.com (Daniel Savard) said:

    > I think I sent it directly to sensei instead of to the list. I apologize.
    >
    > Also, I am running mit-kerberos version 1.4.1. I think the previous
    > version was 1.3.6. I just read I was supposed to back up my database
    > before upgrading and the Gentoo procedure didn't take this into
    > account. So, I guess the database is not in a proper format for 1.4.1.
    > Is there a way to recover from this kind of error? Any tool to perform the
    > conversion?



    If I remember right, those databases should be compatible. But, check
    it with kdb5_util from the command line.

    >
    > Here is my krb5.conf:
    >
    > [libdefaults]
    > ticket_lifetime = 600
    > default_realm = CIDS.CA
    > default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    > default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    >
    > [realms]
    > CIDS.CA = {
    > kdc = kerberos.cids.ca:88
    > kdc = kerberos-1.cids.ca:88
    > admin_server = kerberos.cids.ca:749
    > }
    >
    > [domain_realm]
    > .cids.ca = CIDS.CA
    > cids.ca = CIDS.CA
    >
    > [kdc]
    > profile = /etc/krb5kdc/kdc.conf


    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Why? There's no [kdc] section in krb5.conf --- check it with

    man krb5.conf

    if they've changed the sections in gentoo.


    > [kdcdefaults]
    > kdc_ports = 88,750
    >
    > [realms]
    > CIDS.CA = {
    > database_name = /etc/krb5kdc/principal
    > admin_keytab = /etc/krb5kdc/kadm5.keytab
    > acl_file = /etc/krb5kdc/kadm5.acl
    > key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
    > dict_file = /etc/krb5kdc/kadm5.dict
    > kadmind_port = 749
    > max_life = 10h 0m 0s
    > max_renewable_life = 7d 0h 0m 0s
    > master_key_type = des3-hmac-sha1
    > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    > }
    >

    Seems ok.


    > And as you can see, my database is in /etc/krb5kdc/principal. All the
    > files exist, except the dict_file, which is no harm I think. Anyway,
    > even if I removed this stanza it doesn't change anything.
    >


    Create it or remove the entry. In the man page, I don't see the default
    behavior if no dictionary exists.


    > When trying to start up the KDC, I am getting the messages already
    > mentioned in my previous post. Not much more detail than that.
    > Unless you can tell me a way to increase the debugging level.
    >


    Check the kdc.conf again and be sure the database works with the tools
    provided by kerberos. Also, be sure all the principals exist in the db,
    like K/M@CIDS.CA and so on.

    --
    Sensei

    cd /pub
    more beer
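
A preflight check for the files named in the realm stanza quoted above, added here as an example (it is not code from the thread or from MIT Kerberos). It assumes the db2 back end, where `database_name` is a prefix for companion files (`.ok`, `.kadm5`, `.kadm5.lock`); `realm_paths`, `preflight` and the `root` prefix are hypothetical names.

```python
import os
import re
import stat

# Path-valued relations that appear in the kdc.conf quoted in the thread.
PATH_KEYS = ("database_name", "admin_keytab", "acl_file", "key_stash_file", "dict_file")
# Assumption: db2 back end, which keeps these files next to database_name.
DB2_SUFFIXES = ("", ".ok", ".kadm5", ".kadm5.lock")
# Constructed sample: the realm stanza from the thread, trimmed to three relations.
SAMPLE = """[realms]
CIDS.CA = {
    database_name = /etc/krb5kdc/principal
    key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
    dict_file = /etc/krb5kdc/kadm5.dict
}
"""


def realm_paths(conf_text, realm):
    """Return {key: path} for the path-valued relations of one realm stanza."""
    pattern = rf"^\s*{re.escape(realm)}\s*=\s*\{{(.*?)^\s*\}}"
    stanza = re.search(pattern, conf_text, re.S | re.M)
    found = {}
    for line in (stanza.group(1) if stanza else "").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in PATH_KEYS:
            found[key.strip()] = value.strip()
    return found


def preflight(conf_text, realm, root=""):
    """List problems with the files a realm stanza names (root: optional path prefix)."""
    problems = []
    for key, path in realm_paths(conf_text, realm).items():
        suffixes = DB2_SUFFIXES if key == "database_name" else ("",)
        for suffix in suffixes:
            target = root + path + suffix
            if not os.path.exists(target):
                problems.append(f"{key}: {path + suffix} is missing")
            elif key == "key_stash_file" and stat.S_IMODE(os.stat(target).st_mode) & 0o077:
                # The stash file holds the master key; only its owner should have access.
                problems.append(f"{key}: {path} is accessible to group or other")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE, "CIDS.CA"):
        print(problem)
```

An empty result only means the files the stanza points at are present; it says nothing about whether the database itself can be opened by the installed libraries.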


  5. Re: Cannot start the krb5kdc

    2005/8/4, Sensei :
    > On 2005-07-31 19:28:10 +0200, daniel.savard@gmail.com (Daniel Savard) said:
    >

    (...)
    >
    >
    > If I remember right, those databases should be compatible. But, check
    > it with kdb5_util from the command line.
    >


    # kdb5_util dump
    kdb5_util: Invalid argument while setting active database to
    '/etc/krb5kdc/principal'

    ;-(

    > >
    > > Here is my krb5.conf:
    > >

    (...)
    > >
    > > [kdc]
    > > profile = /etc/krb5kdc/kdc.conf

    >
    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >
    > Why? There's no [kdc] section in krb5.conf --- check it with
    >
    > man krb5.conf
    >
    > if they've changed the sections in gentoo.
    >


    Checked, there is no documented kdc section in the man pages. So, I
    removed the stanza, but it didn't fix anything.

    >

    (...)
    >
    > Create it or remove the entry. In the man page, I don't see the default
    > behavior if no dictionary exists.
    >
    >


    Didn't change anything.

    > > When trying to start up the KDC, I am getting the messages already
    > > mentioned in my previous post. Not much more detail than that.
    > > Unless you can tell me a way to increase the debugging level.
    > >

    >
    > Check the kdc.conf again and be sure the database works with the tools
    > provided by kerberos. Also, be sure all the principals exist in the db,
    > like K/M@CIDS.CA and so on.
    >


    Well, since I don't have access with the tools, a strings principal
    gave me some output where I can see all principals I know seem to be
    there.

    > --
    > Sensei
    >


    Can a crash be responsible for some lock files or something like
    that which prevents proper access to the database?

    Or, is Kerberos using a library to parse arguments that can be bogus
    on my system? How can I check that? Since the message doesn't say
    anything about the arguments used.

    --
    -----------------
    Daniel Savard



  6. Re: Cannot start the krb5kdc

    On 2005-08-05 05:44:09 +0200, daniel.savard@gmail.com (Daniel Savard) said:

    > 2005/8/4, Sensei :
    >> On 2005-07-31 19:28:10 +0200, daniel.savard@gmail.com (Daniel Savard) said:
    >>

    > (...)
    >>
    >>
    >> If I remember right, those databases should be compatible. But, check
    >> it with kdb5_util from the command line.
    >>

    >
    > # kdb5_util dump
    > kdb5_util: Invalid argument while setting active database to
    > '/etc/krb5kdc/principal'
    >
    > ;-(



    D'oh.


    >>
    >> Check the kdc.conf again and be sure the database works with the tools
    >> provided by kerberos. Also, be sure all the principals exist in the db,
    >> like K/M@CIDS.CA and so on.
    >>

    >
    > Well, since I don't have access with the tools, a strings principal
    > gave me some output where I can see all principals I know seem to be
    > there.
    >
    >> --
    >> Sensei
    >>

    >
    > Can a crash be responsible for some lock files or something like
    > that which prevents proper access to the database?
    >
    > Or, is Kerberos using a library to parse arguments that can be bogus
    > on my system? How can I check that? Since the message doesn't say
    > anything about the arguments used.



    Well, everything is possible. Something that you can do is try to
    re-emerge mitkrb5 (or whatever portage calls it), setting in make.conf
    a lower optimization. Be aware that -O3 can cause some library
    corruption (java used to fail with -O3 as an example). Check also your
    USE= directive and in the forums, maybe someone in gentoo had your
    problem.

    If everything fails, and even from the original sources (mit website),
    then I'd first try with many other options in kdb5_util (verbose, old
    formats, ...) and maybe back up the database and recreate a new one.
    Pray it is the library and not your db that is in bad shape...

    Hope you'll solve it.



    --
    Sensei

    cd /pub
    more beer


  7. Re: Cannot start the krb5kdc

    Hi,

    Daniel Savard wrote:
    > [After upgrade mit-krb5 from 1.3.x to 1.4.x on Gentoo Box can't
    > start kdc.]

    I had the same problem and did not figure out a solution. But
    since I have only two relevant principals in that database I
    create a new database.

    Hm, this is not very helpful. Anyway.
    Good luck,
    heinzel =u}


    --
    -----BEGIN GEEK CODE BLOCK-----
    GCS d- s-:- a- C++(---) UL++++$ P--- L+++ E--- W(--) N++ o? K? w---
    O M- !V PS+++ PE Y+ PGP+ t 5- X- R* tv-- b+ DI-- D---- G e h++ r@ !y
    ------END GEEK CODE BLOCK------
