When setting up Kerberos on Ubuntu 14.04, many administrators encounter the frustrating error during realm initialization:
krb5kdc: No such file or directory - while initializing database for realm myrealm
The key challenge is that the error message doesn't specify which exact file or directory is missing, making troubleshooting difficult.
First, verify these essential Kerberos configuration files:
# /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
# /etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
The error typically occurs because these directories don't exist or have incorrect permissions:
sudo mkdir -p /var/lib/krb5kdc
sudo mkdir -p /etc/krb5kdc
sudo chown -R root:root /var/lib/krb5kdc
sudo chmod 700 /var/lib/krb5kdc
After fixing directory issues, initialize the realm. Note that kdb5_util create builds the database directly, while krb5_newrealm is the Debian/Ubuntu wrapper that runs the same creation step (and then starts the services), so use one or the other; running the second after the first fails because the database already exists:
sudo kdb5_util create -s -r EXAMPLE.COM
sudo krb5_newrealm
sudo service krb5-kdc start
sudo service krb5-admin-server start
Enable detailed logging in /etc/krb5.conf:
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default = FILE:/var/log/krb5lib.log
Create a test principal and verify functionality:
sudo kadmin.local -q "addprinc testuser"
kinit testuser
klist
Ensure necessary ports are open:
sudo ufw allow 88/tcp
sudo ufw allow 88/udp
sudo ufw allow 749/tcp
sudo ufw allow 750/udp
If issues persist, try these additional measures:
# Clean and reinstall packages
sudo apt-get purge krb5-kdc krb5-admin-server
sudo rm -rf /var/lib/krb5kdc /etc/krb5kdc
sudo apt-get install krb5-kdc krb5-admin-server
# Verify package versions
dpkg -l | grep krb5
When attempting to initialize a Kerberos realm on Ubuntu 14.04, you might encounter the cryptic error message:
krb5kdc: No such file or directory - while initializing database for realm myrealm
This typically occurs during the KDC database creation phase, where essential directories or permissions are missing.
Before diving into solutions, verify these fundamentals:
- The krb5-kdc and krb5-admin-server packages are properly installed
- Your hostname resolution works correctly (especially important with .local domains)
- The /var/lib/krb5kdc/ directory exists with proper permissions
Missing Directory Structure
The most likely cause is that the required directories don't exist. Execute:
sudo mkdir -p /var/lib/krb5kdc
sudo chown krb5kdc:krb5kdc /var/lib/krb5kdc
sudo chmod 750 /var/lib/krb5kdc
Configuration File Verification
Your /etc/krb5kdc/kdc.conf should contain:
[kdcdefaults]
kdc_ports = 750,88
[realms]
YOUR_REALM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
}
If automatic setup fails, try creating the database manually:
sudo kdb5_util create -s -r YOUR_REALM
The -s flag creates a stash file, while -r specifies your realm.
To identify exactly which file is missing, run the KDC in the foreground instead of as a daemon:
sudo krb5kdc -n
The -n flag stops krb5kdc from detaching, so its initialization errors are printed to the terminal; together with the [logging] stanza in /etc/krb5.conf this shows where the startup fails.
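Because the KDC's message never names the missing path, a preflight check that reads kdc.conf and tests the parent directory of each configured path pins it down before you run kdb5_util. This is an added example, not code from the original article; it assumes a single realm stanza with "key = value" lines (FILE: prefix optional), and the function names kdc_conf_value and kdc_preflight are my own.

```shell
#!/bin/sh
# Preflight check for the paths named in kdc.conf: report which parent
# directories are missing or unwritable, the detail krb5kdc's plain
# "No such file or directory" message leaves out.
# Assumes one realm stanza with "key = value" lines (FILE: prefix optional).

# Print the first value of KEY in CONF, with any FILE: prefix stripped.
kdc_conf_value() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | head -n 1 | sed 's/^FILE://; s/[[:space:]]*$//'
}

# Check every path-valued key the KDC and kadmind need. Prints one line per
# problem and returns the number of problems (0 means kdb5_util create can
# proceed as far as the filesystem is concerned).
kdc_preflight() {
    conf="$1"; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for key in database_name key_stash_file acl_file admin_keytab; do
        path=$(kdc_conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"
            problems=$((problems + 1)); continue
        fi
        dir=$(dirname "$path")
        if [ ! -d "$dir" ]; then
            # The usual cause of the ENOENT during database creation.
            echo "$key: parent directory $dir is missing"
            problems=$((problems + 1))
        elif [ ! -w "$dir" ]; then
            echo "$key: $dir is not writable by $(id -un)"
            problems=$((problems + 1))
        elif [ "$key" = acl_file ] && [ ! -e "$path" ]; then
            # Database, stash and keytab are created by kdb5_util/kadmin,
            # but kadmind cannot start without a readable ACL file.
            echo "$key: $path is missing"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run as root against the live config: sh kdc_preflight.sh /etc/krb5kdc/kdc.conf
# (the file name is a placeholder; save the script under any name you like).
if [ $# -gt 0 ]; then
    kdc_preflight "$1"
fi
```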
After successful initialization:
- Create admin principals:
sudo kadmin.local -q "addprinc admin/admin"
- Start services:
sudo service krb5-kdc start && sudo service krb5-admin-server start
- Verify operation:
kinit admin/admin
If issues persist, completely reset the Kerberos installation:
sudo apt-get purge krb5-kdc krb5-admin-server
sudo rm -rf /etc/krb5kdc /var/lib/krb5kdc
sudo apt-get install krb5-kdc krb5-admin-server