


Starting KDC daemon on Redhat9 fails not finding master key

Hi,

I followed the directions in Brian Tung's article on Kerberos for Dummies
to set up a KDC on a Redhat9 Linux system.  Upon trying to start the
daemon, I get a failure, with the log indicating that the master key
can't be located.  Where is the master key stored and what configuration
file/parameter indicates this?  I assume, per the directions, that I
can kick off the KDC daemon before the Kadmin one, as the article seems
to say.

Thanks for any help.

PL

-- 
Keep it brief: http://www2.paypc.com/mailrules/
swift1 (36)
7/14/2004 5:26:49 AM
comp.protocols.kerberos

Similar Articles:

krb5kdc: Cannot find master key record in database
Hi, I have a Kerberos server that has been running for months without any problems. Today when I went to log into my kdc machine I had the following error in my logs:
May 09 10:47:52 svgauth1 krb5kdc[2451](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/VC.LS.CBN@LS.CBN'
May 09 10:47:52 svgauth1 krb5kdc[2451](info): TGS_REQ (4 etypes {18 17 16 23}) 172.20.133.141: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Server not found in Kerberos database
I am using the ldap backend and I checked in LDAP and everything looked ok so I attempted to restart my kdc. My kdc failed to restart with:
krb5kdc: Cannot find master key record in database - while fetching master keys list for realm VC.LS.CBN
I have the K/M@VC.LS.CBN principal in the ldap directory and it looks ok. Any ideas as to where my problem may be? Can this entry be corrupted somehow and not load? I am running the following versions:
krb5-1.8.3-45.1
krb5-plugin-kdb-ldap-1.8.3-45.1
krb5-client-1.8.3-45.1
krb5-32bit-1.8.3-45.1
pam-krb5-4.4-1
krb5-server-1.8.3-45.1
Thanks for any insight. Tom Parker ...

KDC fails to start
Hi, I run "/etc/init.d/krb5kdc start" to start kdc but it does not function well. No KDC runs and no port is open. The log file says: krb5kdc: No such device - Cannot bind server socket to port 750 address fe80::20b:.... krb5kdc: No such device - Cannot bind server socket to port 750 address fe80::20b:.... Google actually did not help very much. Any idea for the solution? I use Fedora Core 2 with kernel 2.6. Thanks On Sep 6, 2005, at 4:18, securenix wrote: > krb5kdc: No such device - Cannot bind server socket to port 750 > address > fe80::20b:.... > krb5kdc: No such device - Cannot bind server socket to port 750 > address > fe80::20b:.... Odd... those should be eliminated based on the flags in /proc/net/ if_inet6, or perhaps some flags in getifaddrs if your system has it. I haven't run into it on our 2.6.9 kernels under RHEL 4. Also any non-local IPv4 addresses should've been used as well. Were you disconnected from the network at the time you did this? If you have no addresses assigned (excluding loopback and link-local addresses), the KDC won't find any addresses to bind to, and won't start. Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos > Were you disconnected from the network at the time you did this? If > you have no addresses assigned (excluding loopback and link-local > addres...

Forgot Kerberos Master Key
Dear Team, I forgot kerberos master key but I have key stash file. How can I get the clear text password from the stash file? Regards, Bharathikannan R ...

Failed to find Master AuthenticationServer
Over and over and over and over and over. That or "Connection refused." I guess I should be grateful. A while ago it was something about trying to read memory without access rights. Steve Tilson -- "We're not going to kill you. The moral thing is to let you die a natural death. Alone. In a pile of your own filth." - Frylock I am getting the same thing....started the process at 5:00 EST....$55 was a lot to pay for a game that works................... <SteveTilson@rightbehindyou.com> wrote in message news:2004111617502...

failed to create kerberos key: 5
Hi, I have a strange problem with cross-realm authentication. It's a windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a windows domain. This should be possible theoritically with ksetup, and all the necessary steps described in the step by step kerberos interoperability document. However, this is what happen in my environment: 1. The user is able to login into windows 2000 machine with his credential in MT KDC. The windows 2000 is configured to be a member of workgroup. However, when I examine the setting setup using ksetup, this is what I got: ksetup: default realm = ADIANTO.COM (external) ADIANTO.COM: kdc = kerberos.adianto.com Failed to create Kerberos key: 5 (0x5) I'm not sure whether the last line is fatal. 2. When the user tried to access a computer in a windows domain (should be possible due to the cross realm setup), the following error occured: Event Type: Error Event Source: Kerberos Event Category: None Event ID: 594 Date: 7/29/2004 Time: 7:37:30 PM User: N/A Computer: TEST Description: A Kerberos Error Message was received: on logon session InitializeSecurityContext Client Time: Server Time: Error Code: 11:36:30.0000 7/29/2004 (null) 0x29 Extended Error: KRB_AP_ERR_MODIFIED Client Realm: Client Name: Server Realm: WINDOMAIN.COM Server Name: krbtgt/WINDOMAIN.COM Target Name: HOST/Win2kServer@WINDOMAIN.COM Error Text: File: Line: Error Data is in record data. Win2kServer is the compu...

failed to re-find parent key
I have hacked analyze.c to automatically create a unique index on the oid when a table is created and I am getting the failed to re-find parent key in pg_attribute_relid_attnam_index every 8 attempts to do the following select * from foo into temp a; drop table a; Currently analyze does not create the oid index on the select into. I realize this is beyond the realm of supported code, but can anyone tell me what's going on or a better way to fix it. BTW, the real problem is that select * from foo where oid=? doesn't use an index scan. Dave -- Dave Cramer 519 93...

Another Key or Way to Start a Find
When going from field to field, some people in my office use the tab key, some like to use the return key, and most everyone uses the enter key on the keypad. Is there any way to have Filemaker use a function key ( F1 - F12) or some other method to start a Find? CTRL-F (on Windows, or CMD-F on Mac) is the only available keyboard shortcut for entering Find mode. Jill Miller wrote: > When going from field to field, some people in my office use the tab key, > some like to use the return key, and most everyone uses the enter key on the > keypad. Is there any way to have Fil...

Re: failed to create kerberos key: 5
I think I need to provide more information about my setup: - I used UMICH patch for cross realm auth, I can see from the log file that the cross-realm ticket is issued by MIT Realm - The krbtgt/adianto.com@windomain.com and krbtgt/windomain.com@adianto.com key is des-cbc-crc32 - the TGT in win client: Cached TGT: ServiceName: krbtgt TargetName: krbtgt FullServiceName: lara DomainName: ADIANTO.COM TargetDomainName: ADIANTO.COM AltTargetDomainName: ADIANTO.COM TicketFlags: 0x40c00000 KeyExpirationTime: 1/1/1601 8:00:00 StartTime: 7/29/2004 19:32:15 EndTime: 7/30/2004 19:32:15 RenewUntil: 7/29/2004 19:32:15 TimeSkew: 1/1/1601 8:00:00 - the tickets: Cached Tickets: (2) Server: krbtgt/ADIANTO.COM@ADIANTO.COM KerbTicket Encryption Type: Kerberos DES-CBC-MD5 End Time: 7/30/2004 19:32:15 Renew Time: 7/29/2004 19:32:15 Server: host/test.adianto.com@ADIANTO.COM KerbTicket Encryption Type: Kerberos DES-CBC-MD5 End Time: 7/30/2004 19:32:15 Renew Time: 7/29/2004 19:32:15 regards, lara Lara Adianto <m1r4cle_26@yahoo.com> wrote: Hi, I have a strange problem with cross-realm authentication. It's a windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a windows domain. This should be possible theoritically with ksetup, and all the necessary steps described in the step by step kerberos interoperability document. However, this is what happen in my environment: 1. The user is able to login into window...

kadmin.local: Cannot find/read stored master key
Hello, I've got problems setting up Krb5 on my Crux Linux host. I did all necessary things and always get stuck at the point trying to create the keytab file with kadmin.local. The program says:
Authenticating as principal root/admin@TESTSERVER.FREEBIS.DE with password.
kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface
Here is my /etc/krb5.conf:
-----------------------------------------------------------------------
[libdefaults]
    default_realm = TESTSERVER.FREEBIS.DE
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    FREEBIS.DE = {
        kdc = 62.27.20.125:88
        admin_server = 62.27.20.125:750
        default_domain = localhost
    }
[domain_realm]
    .localhost = TESTSERVER.FREEBITS.DE
    localhost = TESTSERVER.FREEBITS.DE
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[kdc]
    profile = /var/krb5kdc/kdc.conf
-----------------------------------------------------------------------
Here is my /var/krb5kdc/kdc.conf:
-----------------------------------------------------------------------
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    TESTSERVER.FREEBITS.DE = {
        master_key_type = des-cbc-crc
        database_name = /var/krb5kdc/principal
        admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
        acl_file...

sbcl bug in position and/or find with :start, :end and :key
Good time of day! I failed to post this to sbcl-help mail list, so posting here
> (find :a '((:c) 1) :start 0 :end 1 :key #'car)
=>error (attempted to call (car 1))
And even
>(defun foo () (declare (notinline find)) (find :a '((:c) 1) :start 0 :end 1 :key 'car))
>(foo)
=>error (attempted to call (car 1))
Why does sbcl access second element of list?
> (lisp-implementation-type)
"SBCL"
> (lisp-implementation-version)
"1.0.20"
debian etch i686
budden wrote: > Good time of day! > > I failed to post this to sbcl-help mail ...

array names fails to find the pattern if the key contains []
Hi, "array names" is unable to retrieve the appropriate keys, that contains "[]", from the associative array. Please consider the following example. I have tried two cases here. In the first case, I use the keys directly. In the second case, keys have been inserted as a list. However, in both the cases, I am unable to find out the keys for the below mentioned pattern. % set i1 val1 val1 % set i2 {val21/val22[0]} val21/val22[0] % set i3 val3 val3 % array set mylist [list] % set mylist($i1,$i2,$i3) junk_val junk_val % array names mylist "$i1,$i2,...

m master file managed-keys.bind failed
Who is supposed to own /var/named? I understand the reason for the following error: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found managed-keys.bind.jnl: create: permission denied managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error Except for the directories where bind needs to write while running, I thought the rest of the tree was owned by root. managed-keys.bind seems to be at the very top of the tree in /var/named. Since that is owned by root, I can understand why named running as bind won't write to it...

Kerberos master/master sync using OpenLDAP N-Way Multi-Master
I haven't seen this idea posted anywhere. The new version of OpenLDAP (I'm using 2.4.15) has the ability to run in a multi-master mode. I was able to set up two servers that each ran a Kerberos instance as well as an OpenLDAP instance that had ldap and kerberos failover. I now don't need to worry about doing any sync with Kerberos, as LDAP does it all. I can also run kadmin against either of the kerberos servers. Some tests I did that were pretty successful were:
Realm setup:
kdc = kdc01.security.lab.comcast.net:88
kdc = kdc02.security.lab.comcast.net:88
Turn off kdc on kdc01 -> successfully authenticated with kdc02
Turn on kdc but turn off ldap on kdc01 -> successfully authenticated with kdc02
The failover works exactly as expected.
--
MAT ...

realm creation - scripting
Hello, I'm new to this mailing list. I'm writing an automated script to set up kerberos with ldap backend. When I come to the point to set up my kerberos realm I'm prompted to enter kdc master key:
---
kdb5_ldap_util -D cn=admin,dc=mydomain,dc=org -w mypassword create -r MYDOMAIN.ORG -s
Initializing database for realm 'MYDOMAIN.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
---
I don't want to be prompted for a password. How can I pass the kdc master password to kdb5_ldap_util within my script? Thank you in advance! ...

Changing master key (Kerberos authentication server+LDAP database)
Is it possible to change the master key of a realm when LDAP is used as the database server? The stash file is not present since LDAP is used. Appreciate any help on this. Thanks, Anubha ...

xpc target
Hi, I just configured xpc target on my computer. "xpxtest" works fine, so does building my own model and connecting to the target. However, when I hit the start button I get the following error: "External Mode Open Protocol Start command failed" I already tried several Matlab versions, including Matlab 2011a (64bit), which spits out the same error. A colleague of mine already has the same setup (and model) running on his computer without any problems. Currently I am running: Windows 7 Matlab 2010b Sp1 (32bit) (Target host version 4.4) Compiler: Visual Studio 2008 Pro t...

MIT Kerberos KDC & W2K Client: Changing expired password issue
Hi, I also experienced the same problem as William G.Zereneh (http://mailman.mit.edu/pipermail/kerberos/2004-May/005341.html). I'm able to change the password using ctrl-alt-del, but when the password is expired and windows asks me to change the password, I encountered "Domain MIT.REALM.COM is not available" error. As I sniff the packet, it noticed that it sent a CLDAP query message with filter: (&(DnsDomain = MIT.REALM.COM)(Host = myhostname)(NtVer=\006) which is returned NULL by my _ldap._tcp.dc._msdcs.REALM.MIT.COM How to resolve this problem ? maybe there's a missing entry in my DNS ? Is it mandatory for the MIT Kerberos KDC (I installed it on RedHat Linux) to have an LDAP service to resolve the CLDAP request ? and can LDAP actually entertains CLDAP request since LDAP is using TCP while CLDAP is using UDP ? Can I resolve the CLDAP request using Windows 2000 server instead ? Any ideas will be very appreciated Regards from newbie, lara ===== La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit - Guy de Maupassant - ...

Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching
I am trying to setup Kerberos on Redhat with slaves and database propagation (not incremental). I am going through MIT's documentation for KDC installation and configuration. Currently, I have three doubts/issues: 1. Do we need kpropd running on slave KDC, even if we do not have incremental propagation ? I started xinetd service, and tried propagating database (without starting kpropd, as I have not configured incremental propagation), and it gave me an error: kprop: Connection refused while connecting to server However, when I started kpropd in the same setup without any co...

how to find out key size from public key?
If I have a public key, how can find out the key size, e.g. 1024, 2048, etc? TIA ...

Need help getting started with Cyrus/sasl. saslpasswd2 fails..could not find auxprop plugin
I'm attempting to configure cyrus on Suse10. I can't seem to get past creating the imap admin logon. At least I think that's what I'm trying to do. In the log (included below) I see: "Could not find auxprop plugin." What does that mean?
====================
Here is my imapd.conf.
penguin:/ # less /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pw...

[rfc-dist] RFC 5021 on Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
A new Request for Comments is now available in online RFC libraries. RFC 5021 Title: Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP Author: S. Josefsson Status: Standards Track Date: August 2007 Mailbox: simon@josefsson.org Pages: 7 Characters: 13431 Updates: RFC4120 See-Also: I-D Tag: draft-ietf-krb-wg-tcp-expansion-02.txt URL: http://www.rfc-editor.org/rfc/rfc5021.txt This document describes an extensibility mechanism for the Kerberos V5 protocol when used over TCP transports. The mechanism uses the reserved high-bit in the length field. It can be used to negotiate TCP-specific Kerberos extensions. [STANDARDS TRACK] This document is a product of the Kerberos WG Working Group of the IETF. This is now a Proposed Standard Protocol. STANDARDS TRACK: This document specifies an Internet standards track protocol for the Internet community,and requests discussion and suggestions for improvements.Please refer to the current edition of the Internet Official Protocol Standards (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF list and the RFC-DIST list. Requests to be added to or deleted from the IETF distribution list should be sent to IETF...

How do I find the virtual key code for a certain key?
Hi everybody, On the internet, I've found several lists of virtual key codes for use in WM_KEYDOWN and WM_KEYUP, but not all of them. How can I find out the (virtual) key code for a certain key? Is there a complete list? The keys I'm specifically looking for are � and �. Thanks in advance, Ikke Ikke wrote: > On the internet, I've found several lists of virtual key codes for use in > WM_KEYDOWN and WM_KEYUP, but not all of them. > > How can I find out the (virtual) key code for a certain key? Is there a > complete list? You're in a wrong newsgroup, Ikk...

Problem with kerberos working correct due to 2 Domains gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)
Hi guys, I'm working about 3 days at this problem and I can't fix it and now I have no more ideas: Customers environment: Windowsdomain with DC where all Users are: contoso.local Sless11 for Webapplication is in a domain: contoso.lan (this is not a Windowsdomain - just the server is configured for this And thats the problem. I don't know - how to manage these two domains. URL to access to the Webapplication is: When I now try to access from a Windowsmachine wich is in the Domain contoso.local at URL http://sless11.contoso.lan/webapp there comes a 401 from the apach...

mc finds more than `find` finds?
I'm still searching for a way to know the pid of eg. the instance of `wily` which is has a certain file open. `pgrep wily` lists all the instances of 'wily' I was hoping that, I'd find which wily has opened file *CONTROL* by:- for PID in `pgrep wily`; do find /proc/$PID -exec grep -l "CONTROL" {} \; >> trace; done --- that's supposed to be ONE line --- Using successive refinement: first I used mc to browse /proc/24357 to find a suitable search target. Obviously "wily" would be there. Then I 'confirmed ?': find /proc/24357 -exec grep "wily" {} \; but that failed, although mc could find several "wily" in /proc/24357 OK, we know that /proc is some kind of spooky FS ? So, I copied to /find, [using mc] 2 of the files of /proc/24357 which contain "wily", and of course, they are found by: find /find -exec grep "wily" {} \; == ../status ../environ How can mc look into /proc/24357 and show the contents if the basic `find` can't see it? On 2015-11-28, WhoCares@gmail.com <WhoCares@gmail.com> wrote: > I'm still searching for a way to know the pid of eg. the instance of > `wily` which is has a certain file open. > > `pgrep wily` lists all the instances of 'wily' > > I was hoping that, I'd find which wily has opened file *CONTROL* by:- > for PID in `pgrep wily`; do find /proc/$PID -exec g...
