---------- Forwarded message ----------
From: Erik Haller <erik.hal...@gmail.com>
Date: Mon, Feb 9, 2015 at 9:42 PM
Subject: Re: Bug#777579: krb5-admin-server: kadmind reports Insufficient access to lock database
To: Russ Allbery <r...@debian.org>

Yes. These files reside under /etc/krb5kdc:

principal
principal.kadm5
principal.kadm5.lock
principal.ok
kdc.conf
.k5.EXAMPLE.COM

On Mon, Feb 9, 2015 at 9:39 PM, Russ Allbery <r...@debian.org> wrote:

> Erik <erik.hal...@gmail.com> writes:
>
> > The systemd krb5-admin-server.service file is missing the critical
> > directory /etc/krb5kdc used by kadmind in the ReadWriteDirectories
> > stanza. The Kerberos default database location is created under
> > /etc/krb5kdc.
>
> Er, it certainly shouldn't be. The Kerberos KDC database goes under
> /var/lib/krb5kdc. Is there some new bug here?
>
> > Attempting to use kadmin to add a kerberos principal will receive
> > the following error at the kadmin prompt:
>
> > kadmin: add_principal -randkey host/somehost
> > ...
> > add_principal: Insufficient access to lock database while creating
> > "host/someh...@example.com".
>
> > Workaround:
>
> > 1) Add /etc/krb5kdc to the ReadWriteDirectories stanza.
> > 2) Restart krb5-admin-server systemd service.
>
> And that makes that error message go away? Hrm. I wonder what file is
> being locked.
>
> Are you sure that your database is in /etc/krb5kdc? It's a file named
> principal.
>
> --
> Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
>
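Added example (not part of the forwarded message or of the Debian package): a Python check for the mismatch discussed in the thread, reporting any kdc.conf database directory that a unit's ReadWriteDirectories does not cover. The unit and kdc.conf text are constructed samples, the function names are hypothetical, and it assumes the service sees the rest of the filesystem read-only.

```python
import os
import re

# Constructed sample inputs: not copied from the thread or from the Debian package.
SAMPLE_UNIT = """\
[Service]
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
"""
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        database_name = /etc/krb5kdc/principal
    }
"""


def writable_dirs(unit_text):
    """Collect the absolute paths listed in ReadWriteDirectories= lines."""
    dirs = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() != "ReadWriteDirectories":
            continue
        if not value.strip():
            dirs = []  # an empty assignment resets the list
        for path in value.split():
            path = path[1:] if path.startswith("-") else path  # "-" marks an optional path
            if path.startswith("/"):
                dirs.append(os.path.normpath(path))
    return dirs


def database_dirs(kdc_conf_text):
    """Directories holding each database_name file; the lock files sit beside it."""
    names = re.findall(r"^\s*database_name\s*=\s*(\S+)", kdc_conf_text, re.M)
    return [os.path.dirname(os.path.normpath(n)) for n in names if n.startswith("/")]


def uncovered_database_dirs(unit_text, kdc_conf_text):
    """Database directories that no ReadWriteDirectories entry covers."""
    allowed = writable_dirs(unit_text)
    return [d for d in database_dirs(kdc_conf_text)
            if not any(os.path.commonpath([d, a]) == a for a in allowed)]


if __name__ == "__main__":
    for d in uncovered_database_dirs(SAMPLE_UNIT, SAMPLE_KDC_CONF):
        print(f"{d} is not covered by ReadWriteDirectories")
```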