Kerberos Server and logs
Solution 1
`/var/log/auth.log`. I would never have looked there.

Here's how I found it:

- Noticed there was a `sendto` in the output of strace that started with a date/time, like a log might have. Isolated it:

  ```
  # strace krb5kdc -n 2>&1 | grep sendto
  sendto(3, "<35>Feb 13 17:43:41 krb5kdc[2400"..., 115, MSG_NOSIGNAL, NULL, 0) = 115
  ```

- Search for the call to `socket`, to see where that's going.

  ```
  # strace krb5kdc -n 2>&1 | grep 'socket\|connect'
  socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
  connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
  ```

- Figure out where `/dev/log` goes, but I'm figuring the system logger at this point:

  ```
  # netstat -xp | grep /dev/log
  unix 5 [ ] DGRAM 7731 671/rsyslogd /dev/log
  ```

- Doesn't really tell me where, but going back to original `strace`, we can ask `strace` to not truncate the string:

  ```
  # strace -s 1000 krb5kdc -n 2>&1 | grep sendto
  sendto(3, "<35>Feb 13 17:47:05 krb5kdc[24194]: LDAP bind dn value missing - while initializing database for realm EXAMPLE.COM", 115, MSG_NOSIGNAL, NULL, 0) = 115
  ```

- `rsyslog` is probably logging somewhere in `/var/log`, and I now have the log message. Just `grep` for it:

  ```
  # cd /var/log && grep -R * -e 'LDAP bind dn'
  «tons of hits in auth.log»
  ```
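An added example, not part of the original answer: the `<35>` prefix in the `sendto` line is the syslog priority, which already names the facility and so points at the destination file without a grep. The rules in `RULES` are constructed (modeled on a Debian/Ubuntu-style rsyslog default, an assumption), and only plain selectors are handled, not the `=` and `!` modifiers or expression filters.

```python
import re

# Facility/severity names by numeric code (codes 12+ such as local0-7 omitted).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# The truncated sendto() line from the answer above; the PRI survives truncation.
SAMPLE = 'sendto(3, "<35>Feb 13 17:43:41 krb5kdc[2400"..., 115, MSG_NOSIGNAL, NULL, 0) = 115'

# Constructed rules, modeled on a Debian/Ubuntu-style rsyslog default (assumption).
RULES = """\
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
kern.*                   -/var/log/kern.log
mail.err                 /var/log/mail.err
"""

def decode_pri(strace_line):
    """Extract <PRI> from a sendto() line; PRI = facility * 8 + severity."""
    m = re.search(r'sendto\(\d+, "<(\d{1,3})>', strace_line)
    if not m:
        raise ValueError("no syslog PRI in line")
    facility, severity = divmod(int(m.group(1)), 8)
    if facility >= len(FACILITIES):
        raise ValueError("facility code %d not in table" % facility)
    return FACILITIES[facility], SEVERITIES[severity]

def selector_matches(selector, facility, severity):
    """Simplified selectors: comma lists, '*', 'none', priority-or-more-severe."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().partition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue
        if prio == "none":
            matched = False  # a later 'none' cancels an earlier match
        elif prio == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(prio):
            matched = True   # lower index means more severe
    return matched

def destinations(rules, facility, severity):
    """Return the log files whose selector accepts this facility/severity."""
    pairs = [l.split(None, 1) for l in rules.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [action.strip().lstrip("-")  # leading '-' only means "no sync"
            for selector, action in pairs
            if selector_matches(selector, facility, severity)]

print(decode_pri(SAMPLE), destinations(RULES, *decode_pri(SAMPLE)))
```

To check a real host, replace `RULES` with the selector lines from its own rsyslog configuration.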
Solution 2
Logging for the KDC is usually configured in either `/etc/krb5kdc/kdc.conf` (sometimes `/var/lib/krb5kdc/…`) or the global `/etc/krb5.conf`. (It doesn't really matter which.) Both `krb5.conf` and `kdc.conf` have manual pages.

```
[logging]
kdc = SYSLOG
# kdc = STDERR
```

My first guess is that you haven't created a realm yet, using `kdb5_util create`.
Thanatos
Updated on September 18, 2022

Comments
- Thanatos almost 2 years

  I'm attempting to set up a Kerberos server, and am running into some sort of issue with the configuration message. Unfortunately, the daemon refuses to tell me what went wrong; it tells me to "see log file", but never mentions what log file.

  ```
  # service krb5-kdc start
  krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
  # ls /var/log/k*
  /var/log/kern.log
  # krb5kdc
  krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
  # strace krb5kdc 2>&1 | grep write
  write(2, "krb5kdc: cannot initialize realm"..., 72krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
  #
  ```

  Is it lying to me? Does there even exist a log file?
- Thanatos over 10 years

  There's nothing in `/var/lib/krb5kdc` (the directory exists, but is empty), and neither `kdc.conf` nor `krb5.conf` have a logging section, though I suppose I could add one…

- Thanatos over 10 years

  A `man` page for `krb5.conf` would be useful, but `man krb5.conf` gets me `No manual entry for krb5.conf` (Ubuntu precise). The man page for `kdc.conf` exists, and even references a supposed `krb5.conf` man page in section 5, but `man` can't find it.