Will Fiveash wrote:
> On Fri, Feb 27, 2009 at 10:09:09AM +0100, Mark Phalan wrote:
>   
>> On Thu, 2009-02-26 at 12:00 -0800, Ben Rockwood wrote:
>>     
>>> Truss posted here:
>>>
>>> http://www.cuddletech.com/rpcsec-truss.txt
>>>       
>> Looks like Shawn figured out your problem. You can see the same issue in
>> the truss (just look for krb5_set_error_message()).
>>
>> There probably should be some logic to re-create the directory structure
>> if it isn't there. Kerberos is just too brittle in this respect. I've
>> seen this problem over and over again :(
>>     
>
> Maybe.  The question is what paths should krb be responsible for
> recreating?  Do other native services do this?  A more fundamental
> problem is that things are being done by root users (or buggy root
> programs) that violate Solaris system integrity.  In regards to
> /var/krb5/rcache disappearance I'm betting that people are
> doing 'rm -rf *' in /var/krb5 to clear out the principal DB and lock
> files instead of the recommended 'kdb5_util destroy' which would leave
> the rcache dir in place.
>   

That's exactly it.  Wanting a "clean" config I'd start with 'rm -rf
/var/krb5 && rm -rf /etc/krb5'... then config from there.

There was an assumption on my part that, like many other Solaris
daemons, the /var/krb5/rcache directories would be created at start if
not present.  The (false) logic thus dictated that if it wasn't created
it wasn't required.

Given the growing list of reasons that one could fail to start kadmind
it seems wise to have a function to perform a "pre-flight check"... if
for no other reason than to improve error reporting.

benr.
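
A report-only sketch of the "pre-flight check" idea discussed in this thread, added here as an example; it is not part of the original messages or of any Kerberos distribution. The directory names are the ones mentioned in the thread; the function name, the optional root-prefix argument, and the assumption that all three directories must exist before kadmind starts are hypothetical.

```shell
#!/bin/sh
# Report-only pre-flight check: it never creates or repairs anything, it
# only says what is missing so the failure is readable before kadmind runs.
# Assumption: all three directories named in the thread are required.
# The optional prefix argument (hypothetical) lets the check run against a
# scratch tree instead of the live system.

krb5_preflight() {
    prefix="${1:-}"
    problems=0

    # Each path must exist and must be a directory, not a stray file.
    for dir in /etc/krb5 /var/krb5 /var/krb5/rcache; do
        path="${prefix}${dir}"
        if [ ! -e "$path" ]; then
            echo "preflight: missing directory: $path" >&2
            problems=$((problems + 1))
        elif [ ! -d "$path" ]; then
            echo "preflight: not a directory: $path" >&2
            problems=$((problems + 1))
        fi
    done

    # The replay cache directory has to accept new files.
    rcache="${prefix}/var/krb5/rcache"
    if [ -d "$rcache" ] && [ ! -w "$rcache" ]; then
        echo "preflight: not writable by $(id -un): $rcache" >&2
        problems=$((problems + 1))
    fi

    if [ "$problems" -gt 0 ]; then
        echo "preflight: $problems problem(s) found" >&2
        return 1
    fi
    return 0
}

# Typical use in a start script:  krb5_preflight || exit 1
```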
