[19478] in Kerberos

Re: teething pains

daemon@ATHENA.MIT.EDU (Marcus Watts)
Thu Jun 26 17:29:00 2003

Message-Id: <200306262127.RAA12928@quince.ifs.umich.edu>
To: "N. Leenders" <nadine@ualberta.ca>
In-reply-to: Your message of "Thu, 26 Jun 2003 14:19:33 MDT."
             <Pine.OSX.4.44.0306261405370.1439-100000@nadine-computer.local> 
Date: Thu, 26 Jun 2003 17:27:03 -0400
From: Marcus Watts <mdw@umich.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

> Date: Thu, 26 Jun 2003 14:19:33 -0600 (MDT)
> From: "N. Leenders" <nadine@ualberta.ca>
> X-X-Sender: nadine@nadine-computer.local
> To: kerberos@mit.edu
> Message-ID: <Pine.OSX.4.44.0306261405370.1439-100000@nadine-computer.local>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Subject: teething pains
> 
> 
> Hi,
> I'm new to this list and to setting up kerberos and am running into some
> problems.
> 
> When running kadmin.local, while cleaning up some of the test principals
> I'd set up, I also removed "K/M@NIC.UALBERTA.CA", not realizing that the
> system had put it there.  Since then, I haven't been able to run
> kadmin.local:
> 
> [root@lyon root]# kadmin.local
> Authenticating as principal root/admin@NIC.UALBERTA.CA with password.
> kadmin.local: Cannot find master key record in database while initializing
> kadmin.local interface
> 
> So I tried destroying the database so I could start over:
> [root@lyon root]# kdb5_util destroy
> kdb5_util: No such entry in the database while retrieving master entry
> 
> And it didn't work to try creating a new one either:
> [root@lyon root]# kdb5_util create -r NIC.UALBERTA.CA -s
> create: The database '/var/kerberos/krb5kdc/principal' appears to already
> exist
> 
> What else can I try?
> Thx, Nadine
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

If you are *really* sure you want to start over, something like
this should work:
	# cd /var/kerberos/krb5kdc
	# ls -lastn
	total 138
	  80 -rw-------   1 25131    10         40960 Jun 23 16:48 principal
	   0 -rw-------   1 25131    10             0 Jun 23 16:48 principal.ok
	   2 drwxr-xr-x  14 0        2            512 Mar 25 03:51 ..
	  48 -rw-------   1 25131    10       1049088 Mar 25 02:34 principal.kadm5
	   2 drwxr-xr-x   2 25131    10           512 Mar 10  2001 .
	   2 -rw-------   1 25131    10           137 Mar 10  2001 kadm5.keytab
	   2 -rw-r--r--   1 25131    10           130 Mar 10  2001 kadm5.acl
	   2 -rw-------   1 25131    10            26 Mar 10  2001 .k5.NIC.UALBERTA.CA
	   0 -rw-------   1 25131    10             0 Mar 10  2001 principal.kadm5.lock
	# rm -i * .*
	rm: remove kadm5.acl (yes/no)? n
	rm: remove kadm5.keytab (yes/no)? yes
	rm: remove principal (yes/no)? yes
	rm: remove principal.kadm5 (yes/no)? yes
	rm: remove principal.kadm5.lock (yes/no)? yes
	rm: remove principal.ok (yes/no)? yes
	rm of . is not allowed
	rm of .. is not allowed
	rm: remove .k5.NIC.UALBERTA.CA (yes/no)? yes
	#
i.e., get rid of every file *but* your acl file.  You might have more
than one acl file (kpropd.acl?), and you might also have a kdc.conf file
-- leave those as well.  Perhaps best to make a tar file if you aren't
quite sure, just in case.  But most of this stuff is created as part of
your installation process, and has to be in sync with other parts, so
you want to get rid of it to start over.  Don't forget to kill any
running k5 daemons first, if you have any left.

Note: if you have a stash file, *in theory*, you could recreate K/M.
Most likely you'd have to write a C program to do this, after learning
a certain amount about the lower level kdb routines in MIT k5.
This is almost certainly not what you want to do in this case,
but if you had a real database which you had somehow neglected
to back up, you might find it was worth the pain.

Tell Bob Beck I said "hi", if you want.

				-Marcus Watts
				UM ITCS Umich Systems Group
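
The cleanup described in the message above, as an added shell example that is not part of the original post: it makes the tar backup first, refuses to run while the usual MIT daemons (krb5kdc, kadmind, kpropd) are up, and keeps the ACL files and kdc.conf. The function name reset_kdc_dir and its two arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. reset_kdc_dir is a
# hypothetical helper: archive DIR to BACKUP, then delete every regular
# file in DIR except ACL files (*.acl) and kdc.conf.
reset_kdc_dir() {
    dir=$1
    backup=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # The archive must live outside DIR or it would be deleted with the rest.
    case $backup in
        "$dir"/*) echo "backup must be outside $dir" >&2; return 1 ;;
    esac

    # Stop if any Kerberos daemon is still running.
    for d in krb5kdc kadmind kpropd; do
        if command -v pgrep >/dev/null 2>&1 && pgrep -x "$d" >/dev/null 2>&1; then
            echo "$d is still running; stop it first" >&2
            return 2
        fi
    done

    # The archive holds the stash file and keytab, so keep it owner-only.
    (umask 077 && tar -cf "$backup" -C "$dir" .) || return 3
    tar -tf "$backup" >/dev/null || return 3

    # Three patterns cover normal and dot files without matching . or ..
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.acl|kdc.conf) continue ;;
        esac
        rm -f -- "$f"
    done
    return 0
}
```

Typical call: reset_kdc_dir /var/kerberos/krb5kdc /root/krb5kdc-backup.tar, followed by the kdb5_util create command from the quoted message.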