Ken Raeburn wrote:
> On Jun 10, 2006, at 22:27, [EMAIL PROTECTED] wrote:
> > kadmin:  cpw myusr
> > Enter password for principal "myusr":
> > Re-enter password for principal "myusr":
> > change_password: Unknown code kdb5 21 while changing password for
> > "[EMAIL PROTECTED]".
>
> > Additionally, I am having a problem with kpasswd. When I logged into
> > 'mara' as 'myusr', here is what I got:
> >
> > ==============================================
> > [EMAIL PROTECTED] ~]$ kinit myusr
> > Password for [EMAIL PROTECTED]:
> > [EMAIL PROTECTED] ~]$ kpasswd
> > Password for [EMAIL PROTECTED]:
> > Enter new password:
> > Enter it again:
> > Server error: Password not changed.
> > Insufficient access to lock database while trying to change password.
>
> (kdb5 error code 21 is insufficient-access)
>
> Are you sure kadmind is running with the right privileges?  It's able
> to write to the database, lock the database, etc?


kadmind was started using '/sbin/service kadmind start'; the program
'kadmind' belongs to user 'root' on 'mara'.

Are there any settings to grant kadmind the correct privileges?

Besides, SELinux is running on 'mara'; could this be a potential
problem? I used the default setting of SELinux.


>
> I think it might also be possible to get that error back if some
> other process keeps the database locked for an extended period of
> time.  But nothing should, unless you suspend kadmin.local or some
> other process at just the wrong time.  Check for old kadmin.local or
> kdb5_util processes lying around, and maybe restart the Kerberos-
> related daemon processes.
>
> Worst case, you could run strace on the kadmind process while doing
> this, and see what operations are failing, and use lsof to see if any
> other processes are accessing the database files.
>

Thanks for the suggestion. I will do it and report later.

>
> > Interestingly, when I do kpasswd from a remote machine, I don't get the
> > 'Insufficient access' error. Instead, I got a different error:
> > "kpasswd: Connection timed out changing password"
>
> That sounds like a firewall problem -- port 464 open?
>

Problem solved, port 464 wasn't open. After opening 464, I got the
'insufficient access' error instead of the time out.


> Ken
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
