To:
rachitchokshi@gmail.com (rachit chokshi)
Copy:
kerberos@mit.edu (
kerberos@mit.edu)
A message queue is typically a better way to synchronize a cluster.
The bonus is that you can track adds, deletes, and modifies via historian.
Anchors in Relative Time!?
-----Original Message-----
From: Kerberos <
kerberos-bounces@mit.edu> On Behalf Of Ken Hornstein via Kerberos
Sent: Monday, March 4, 2024 10:56 AM
To: rachit chokshi <
rachitchokshi@gmail.com>
Cc:
kerberos@mit.edu
Subject: Re: kdb5_util-1.15.1: Invalid argument while making newly loaded database live
[You don't often get email from
kerberos@mit.edu. Learn why this is important at
https://aka.ms/LearnAboutSenderIdentification ]
We have a setup where the kerberos database (db2) is hosted on an NFS
server. There are multiple KDC servers each mounting the NFS share and >serving traffic.
I have to say up front that it is generally agreed that putting any database file on a NFS filesystem is a bad idea. Also, it kind of sounds like your multiple KDCs are serving the SAME database file? If so, THAT is a huge problem!
kdb5_util: Cannot open DB2 database >'/var/kerberos/krb5kdc_shared/principal~': Invalid >argument while
deleting bad database /var/kerberos/krb5kdc_shared/principal
I am looking at newer Kerberos code, so perhaps this has changed, but that error comes from krb5_db_destroy() failing. For DB2, that ends up calling krb5_db2_destroy(). That function does a lot of things, and it's hard at a glance to figure out which
part of it is failing; I suspect the only way to figure out what is going wrong there is to build a version of Kerberos with full debugging symbols and set a breakpoint on krb5_db2_destroy(). I have a strong suspicion that the database file is getting
corrupted in a such a way that the other routines cannot recover, and that's likely due to the use of NFS (especially if multiple KDCs are using the same database file).
--Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If
you are not the intended recipient, you are hereby notified that any review, re-transmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you
are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)