[39361] in Kerberos

Re: kdb5_util-1.15.1: Invalid argument while making newly loaded

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Mon Mar 4 10:57:11 2024

Message-Id: <202403041555.424FtrSu029354@hedwig.cmf.nrl.navy.mil>
To: rachit chokshi <rachitchokshi@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CAFYwyBV5j4jNUVvjZFU4t=n+JJa=EQwbznAHgd9+xEevW8+wmQ@mail.gmail.com>
MIME-Version: 1.0
Date: Mon, 04 Mar 2024 10:55:53 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>We have a setup where the kerberos database (db2) is hosted on an NFS
>server. There are multiple KDC servers each mounting the NFS share and
>serving traffic.

I have to say up front that it is generally agreed that putting any database
file on an NFS filesystem is a bad idea.  Also, it kind of sounds like
your multiple KDCs are serving the SAME database file?  If so, THAT is
a huge problem!

>>kdb5_util: Cannot open DB2 database
>'/var/kerberos/krb5kdc_shared/principal~': Invalid argument while deleting
>bad database /var/kerberos/krb5kdc_shared/principal

I am looking at newer Kerberos code, so perhaps this has changed, but
that error comes from krb5_db_destroy() failing.  For DB2, that ends
up calling krb5_db2_destroy().  That function does a lot of things,
and it's hard at a glance to figure out which part of it is failing; I
suspect the only way to figure out what is going wrong there is to build
a version of Kerberos with full debugging symbols and set a breakpoint
on krb5_db2_destroy().  I have a strong suspicion that the database file
is getting corrupted in such a way that the other routines cannot
recover, and that's likely due to the use of NFS (especially if multiple
KDCs are using the same database file).

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos