Log filling up with kadmind: no such file or directory while initializing

Question

Level 2

243 points

Log filling up with kadmind: no such file or directory while initializing

My log files are being spammed with

"kadmind; No such file or directory while initializing, aborting"

followed by edu.mit.kadmind exiting and respawning and then 4x:

"krb5kdc: cannot initialize realm My-FQDM.NET - see log file for details"

Not surprisingly, Kerberos logins do not work, for instance from iCal I get:

"Cannot contact any KDC for requested realm"

This is a brand new iMac with a brand new install of OS X Leopard, using "Standard" configuration. I'm a complete network admin newb and acknowledge that; I could really use some help getting Kerberos working, and failing that, getting it to stop respawning and spamming the error logs.

3.06GHz iMac 4GB RAM, 2 GHz MacBook 2GB RAM, Mac OS X (10.5.6)

Posted on Mar 9, 2009 4:11 PM

Reply

Answer 1

Derek Jones3 Author

Level 2

243 points

Mar 9, 2009 4:19 PM in response to Derek Jones3

Followup, if I run kadmind from the command line I get:

Couldn't open log file var/log/krb5kdc/kadmin.log: Permission denied
kadmind: Permission denied while initializing, aborting

Which explains why the krb5kdc log folder in Console is greyed out....related or coincidence?

Reply

Answer 2

Mar 9, 2009 6:35 PM in response to Derek Jones3

Hi,
Based on your reported problems, Kerberos is malfunctioning. At this point your best option is to reinstall the server software following an erase of the harddisk partition you will be installing on.

HTH,
Harry

Reply

Answer 3

Derek Jones3 Author

Level 2

243 points

Mar 9, 2009 9:06 PM in response to harry-pmsi

Thanks, started clean, Kerberos is running without errors, though I still can't connect using Kerberos auth (for example, iCal), and further I can't seem to access anything except the Wiki. iCal's logging 403 forbidden errors. ::smacks head::

Reply

Answer 4

Mar 9, 2009 9:41 PM in response to Derek Jones3

Hi,
Delighted that the reinstall was effective. Try the AFP service requiring Kerberos and see if you can log in and connect. If not report the log error.

Harry

Reply

Answer 5

Derek Jones3 Author

Level 2

243 points

Mar 9, 2009 10:03 PM in response to harry-pmsi

With Kerberos required, I get no logged errors on the client nor the server, just a dialog that says "Sorry, you entered an invalid username or password" - "Please try again".

If I set to "Any Method" of authentication, I gain access just fine. Still get the same errors when trying to connect to iCal, though, no success regardless of authentication type.

Reply

Answer 6

Derek Jones3 Author

Level 2

243 points

Mar 9, 2009 10:07 PM in response to harry-pmsi

Full error, incidentally, for iCal (and this is just opening iCal on the server, not attempting from an external client):

3/10/09 12:05:01 AM iCal[4126] CalDAV CalDAVGetAccountPropertiesOperation failed: status 'HTTP/1.1 401 Unauthorized' request:

<?xml version="1.0" encoding="utf-8"?>
<x0:propfind xmlns:x2="http://calendarserver.org/ns/" xmlns:x1="urn:ietf:params:xml:ns:caldav" xmlns:x0="DAV:">
<x0:prop>
<x1:calendar-home-set/>
<x1:calendar-user-address-set/>
<x1:schedule-inbox-URL/>
<x1:schedule-outbox-URL/>
<x2:dropbox-home-URL/>
<x2:notifications-URL/>
<x0:displayname/>
</x0:prop>
</x0:propfind>

... response:
HTTP/1.1 401 Unauthorized
Date: Tue, 10 Mar 2009 05:05:01 GMT
Content-Length: 141
Content-Type: text/html
Www-Authenticate: negotiate, digest nonce="20479288996101959981014771594", realm="/Search", algorithm="md5"
Server: Twisted/2.5.0 TwistedWeb/[twisted.web2, version 0.2.0]

Reply

Answer 7

Mar 9, 2009 10:14 PM in response to Derek Jones3

Hi Derek,

Based on your AFP experience, it appears you still have problems with Kerberos which may be due to the absence of a reverse domain pointer.

The iCalServer response could be due to
1) the user doesn't have a calendar function enabled in the directory.
2) the permissions on the Calendar/Documents folder are incorrectly assigned. They should be for _calendar on both user and group. None for others.

HTH,
Harry

Reply

Answer 8

Derek Jones3 Author

Level 2

243 points

Mar 9, 2009 10:46 PM in response to harry-pmsi

Hm, I definitely have a reverse PTR. But there's also definitely a problem with Kerberos. In the Directory, I click Edit for a user and get a GSSAPI Error (cannot find ticket for requested realm) followed by a "if you haven't dismissed the Kerberos authentication dialog by clicking 'Cancel', chances are there is a problem with Kerberos." Interestingly, there's never a dialog presented to me.

In case it's relevant, as mentioned, this is a new iMac. It will not boot from the OS X Server Install DVD - I have to start out with the client version of OS X and run the installer from the disc, and then reboot sans install DVD. If I try to boot from the DVD it restarts over and over again. Enterprise support said this is "normal" since the install DVD comes with 10.5.4 - it won't boot from a machine that came with 10.5.6 client.

Is it possible that something that the client version does with Kerberos (standalone machine?) doesn't get corrected in the Server install, preventing it from working? I'm postulizing this theory as I see in my error log shortly after boot:

com.apple.KerberosAutoConfig[3244] Couldn't find KerberosClient config record

Reply

Answer 9

Mar 10, 2009 7:23 AM in response to Derek Jones3

Sorry, I don't have experience with the "new iMac". Perhaps some one else can assist you here.

Harry

Reply