Kerberos Server and logs

13,397

Solution 1

/var/log/auth.log. I would never have looked there.

Here's how I found it:

  1. Noticed there was a sendto in the output of strace that started with a date/time, like a log might have.
  2. Isolated it:

    # strace krb5kdc -n 2>&1 | grep sendto
    sendto(3, "<35>Feb 13 17:43:41 krb5kdc[2400"..., 115, MSG_NOSIGNAL, NULL, 0) = 115
    
  3. Search for the call to socket, to see where that's going.

    # strace krb5kdc -n 2>&1 | grep 'socket\|connect'
    socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
    connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
    
  4. Figure out where /dev/log goes, but I'm figuring the system logger at this point:

    # netstat -xp | grep /dev/log
    unix  5      [ ]         DGRAM                    7731     671/rsyslogd        /dev/log
    
  5. Doesn't really tell me where, but going back to the original strace, we can ask strace to not truncate the string:

    # strace -s 1000 krb5kdc -n 2>&1 | grep sendto
    sendto(3, "<35>Feb 13 17:47:05 krb5kdc[24194]: LDAP bind dn value missing  - while initializing database for realm EXAMPLE.COM", 115, MSG_NOSIGNAL, NULL, 0) = 115
    
  6. rsyslog is probably logging somewhere in /var/log, and I now have the log message. Just grep for it:

    # cd /var/log && grep -R * -e 'LDAP bind dn'
    «tons of hits in auth.log»
    

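The same procedure, as an added example that is not part of the answer above: a small Python script that does by machine what the answer does by hand. It reads strace output, remembers which file descriptor was connect()ed to the syslog socket, collects the sendto() payloads on that descriptor, and decodes the "<35>" prefix that the answer's output shows into a syslog facility and severity (PRI = facility * 8 + severity, so 35 is auth.err), which is what the system logger uses to choose a file. The facility-to-file mapping is Ubuntu's stock rsyslog rule set and is an assumption about the host; the sample strace lines are constructed from the ones in the answer.

```python
"""Find where a traced daemon's syslog messages go, from strace output.

Added example (not the answerer's own script). It watches for an fd
connect()ed to the syslog socket, gathers the sendto() payloads on that fd,
and decodes the "<PRI>" prefix into facility and severity. The file
mapping is an assumption (Debian/Ubuntu default rsyslog rules).
"""
import re

# Constructed sample: the lines shown in the answer, plus an unrelated write() and a close().
SAMPLE_STRACE = """\
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
sendto(3, "<35>Feb 13 17:47:05 krb5kdc[24194]: LDAP bind dn value missing  - while initializing database for realm EXAMPLE.COM", 115, MSG_NOSIGNAL, NULL, 0) = 115
write(2, "krb5kdc: cannot initialize realm"..., 72) = 72
close(3)                                = 0
"""

# RFC 3164 PRI = facility * 8 + severity; <35> is auth(4) * 8 + err(3).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumption: Debian/Ubuntu default rsyslog rules (50-default.conf); everything else lands in syslog.
RSYSLOG_FILES = {"auth": "/var/log/auth.log", "authpriv": "/var/log/auth.log",
                 "kern": "/var/log/kern.log", "mail": "/var/log/mail.log"}

PID_PREFIX_RE = re.compile(r"^(?:\[pid\s+\d+\]\s*|\d+\s+)")  # prefixes added by strace -f
CONNECT_RE = re.compile(r'^connect\((\d+), \{sa_family=AF_(?:FILE|UNIX|LOCAL), (?:sun_)?path="([^"]+)"\}')
SENDTO_RE = re.compile(r'^sendto\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+),')
CLOSE_RE = re.compile(r"^close\((\d+)\)")
PRI_RE = re.compile(r"^<(\d+)>")


def decode_pri(pri):
    """Split a syslog PRI number into (facility_name, severity_name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def find_syslog_messages(strace_text, syslog_path="/dev/log"):
    """Return one dict per message sent on an fd that is connected to syslog_path."""
    syslog_fds = set()
    messages = []
    for raw in strace_text.splitlines():
        line = PID_PREFIX_RE.sub("", raw)
        m = CONNECT_RE.match(line)
        if m:
            if m.group(2) == syslog_path:
                syslog_fds.add(m.group(1))
            continue
        m = CLOSE_RE.match(line)
        if m:
            syslog_fds.discard(m.group(1))  # fd numbers are reused after close()
            continue
        m = SENDTO_RE.match(line)
        if not m or m.group(1) not in syslog_fds:
            continue
        fd, payload, ellipsis, length = m.groups()
        payload = payload.encode("utf-8").decode("unicode_escape")  # undo strace's \" and \n escaping
        pri = PRI_RE.match(payload)
        facility, severity = decode_pri(int(pri.group(1))) if pri else ("?", "?")
        messages.append({
            "fd": int(fd),
            "facility": facility,
            "severity": severity,
            "likely_file": RSYSLOG_FILES.get(facility, "/var/log/syslog"),
            "message": payload[pri.end():] if pri else payload,
            # strace cuts strings at 32 bytes unless -s is raised; 'length' is the real size
            "truncated": ellipsis is not None,
            "needed_s": int(length),
        })
    return messages


if __name__ == "__main__":
    for msg in find_syslog_messages(SAMPLE_STRACE):
        hint = f" (rerun with strace -s {msg['needed_s']})" if msg["truncated"] else ""
        print(f"fd {msg['fd']} {msg['facility']}.{msg['severity']} -> {msg['likely_file']}{hint}")
        print("  " + msg["message"])
```

Run it as `strace -s 1000 -f krb5kdc -n 2>&1 | python3 find_syslog.py` (reading stdin instead of SAMPLE_STRACE) and it prints auth.err plus the full message, so the file to grep is known before touching /var/log; when a payload is still cut off, it reports the -s value needed to see the whole line.
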
Solution 2

Logging for the KDC is usually configured in either /etc/krb5kdc/kdc.conf (sometimes /var/lib/krb5kdc/…) or the global /etc/krb5.conf. (It doesn't really matter which.) Both krb5.conf and kdc.conf have manual pages.

[logging]
    kdc = SYSLOG
    # kdc = STDERR

My first guess is that you haven't created a realm yet, using kdb5_util create.
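To make the [logging] stanza concrete, here is an added example (not from this answer and not MIT krb5 code) that pulls the [logging] section out of a kdc.conf/krb5.conf-style text and explains where each relation sends messages, using the value forms kdc.conf(5) documents: SYSLOG[:severity[:facility]] with ERR and AUTH as defaults, FILE:path (append) or FILE=path (overwrite), STDERR, CONSOLE and DEVICE=path. The rsyslog file mapping is Ubuntu's default and an assumption, as is the fallback used when neither the entity nor `default` is configured; that fallback is modelled on what the question observed (messages in auth.log with no [logging] section at all). The sample config is constructed.

```python
"""Work out where the KDC's [logging] relations send messages.

Added example (not from the answer or from MIT krb5). Parses the [logging]
section and resolves each value per the kdc.conf(5) syntax. The
facility-to-file mapping and the no-config fallback are assumptions.
"""

# Constructed sample config; the commented-out STDERR line mirrors the answer.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[logging]
    kdc = SYSLOG
    # kdc = STDERR
    admin_server = FILE:/var/log/kadmind.log
    default = SYSLOG:INFO:DAEMON

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
    }
"""

# Assumption: Debian/Ubuntu default rsyslog rules (auth/authpriv -> auth.log, others -> syslog).
RSYSLOG_FILES = {"auth": "/var/log/auth.log", "authpriv": "/var/log/auth.log",
                 "kern": "/var/log/kern.log", "mail": "/var/log/mail.log"}


def parse_logging_section(conf_text):
    """Return (relation, value) pairs from [logging], in file order.

    Comment lines (# or ;) and blanks are skipped. Repeated relations are
    kept because krb5 allows several destinations for one entity.
    """
    relations = []
    in_logging = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_logging = line[1:-1].strip().lower() == "logging"
            continue
        if in_logging and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            relations.append((name, value))
    return relations


def describe_destination(value):
    """Explain one logging value according to the kdc.conf(5) forms."""
    upper = value.upper()
    if upper.startswith("SYSLOG"):
        parts = value.split(":")
        severity = parts[1].upper() if len(parts) > 1 and parts[1] else "ERR"
        facility = parts[2].lower() if len(parts) > 2 and parts[2] else "auth"
        return {"kind": "syslog", "severity": severity, "facility": facility,
                "likely_file": RSYSLOG_FILES.get(facility, "/var/log/syslog")}
    if upper.startswith(("FILE:", "FILE=")):
        # FILE: appends to the file; FILE= truncates it when the daemon starts.
        return {"kind": "file", "path": value[5:],
                "mode": "append" if value[4] == ":" else "truncate"}
    if upper.startswith("DEVICE="):
        return {"kind": "device", "path": value[7:]}
    if upper in ("STDERR", "CONSOLE"):
        return {"kind": upper.lower()}
    return {"kind": "unknown", "raw": value}


def resolve_destinations(conf_text, entity="kdc"):
    """Destinations for one entity: its own relations, else 'default', else the fallback."""
    relations = parse_logging_section(conf_text)
    values, source = [v for n, v in relations if n == entity], "explicit"
    if not values:
        values, source = [v for n, v in relations if n == "default"], "default"
    if not values:
        values, source = ["SYSLOG"], "fallback"  # assumption: syslog at facility auth, as seen in the question
    return [dict(describe_destination(v), source=source) for v in values]


if __name__ == "__main__":
    for entity in ("kdc", "admin_server"):
        for dest in resolve_destinations(SAMPLE_KDC_CONF, entity):
            print(entity, dest)
    print("no [logging] at all:", resolve_destinations("[kdcdefaults]\n", "kdc"))
```

With the stanza from this answer (`kdc = SYSLOG`), the script reports facility auth, severity ERR and /var/log/auth.log, which matches where the first answer's strace hunt ended up; switching the line to `kdc = STDERR` makes the daemon print the reason on the terminal where "see log file for details" appeared.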


Author: Thanatos

Updated on September 18, 2022

Comments

  • Thanatos
    Thanatos almost 2 years

    I'm attempting to set up a Kerberos server, and am running into some sort of issue with the configuration message. Unfortunately, the daemon refuses to tell me what went wrong; it tells me to "see log file", but never mentions what log file.

     # service krb5-kdc start
     krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
     # ls /var/log/k*
     /var/log/kern.log
     # krb5kdc
     krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
     # strace krb5kdc 2>&1 | grep write
     write(2, "krb5kdc: cannot initialize realm"..., 72krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
     #
    

    Is it lying to me? Does there even exist a log file?

  • Thanatos
    Thanatos over 10 years
    There's nothing in /var/lib/krb5kdc (the directory exists, but is empty), and neither kdc.conf nor krb5.conf has a logging section, though I suppose I could add one…
  • Thanatos
    Thanatos over 10 years
    A man page for krb5.conf would be useful, but man krb5.conf gets me No manual entry for krb5.conf (Ubuntu precise). The man page for kdc.conf exists, and even references a supposed krb5.conf man page in section 5, but man can't find it.