no valid keys found

YANG ChengFu youngseph at gmail.com
Mon Dec 31 21:33:22 PST 2012


Hello Russ,

Thanks for your quick reply. I finally figured out what happened. I used the
following cron job to create the keyring files:

sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
sudo -u www-data  wa_keyring -f /var/lib/webkdc/keyring gc -60d
apache2ctl graceful
for host in bulger.mdc; do
rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
ssh $host apache2ctl graceful
done

But it does not work. So I have to enable WebKdcKeyringAutoUpdate; then
Apache creates the keyring, and then it works.

The two ways to create the keyring are in the same place; I am not sure what I
should do.

Any suggestions will be appreciated!



--
Yang
Orange Key: 35745318S1


On Tue, Jan 1, 2013 at 12:08 AM, Russ Allbery
<eagle at windlord.stanford.edu> wrote:

> YANG ChengFu <youngseph at gmail.com> writes:
>
> > my webkdc had been working for about 2 months without any problems,
> > today I got the following error message from webkdc
>
> >  [error] mod_webkdc: create_service_token_from_req:webauth_token_create
> > failed: item not found while searching (no valid keys found) (12)
> > [Tue Jan 01 04:30:21 2013] [notice] mod_webkdc: event=getTokens
> > from=10.136.192.34 server=krb5:webauth at EXAMPLE.ORG user=<unknown>
> > errorCode=7 errorMessage="token create failed"
>
> This means that the keyring on the WebKDC doesn't have any keys that are
> currently valid.
>
> If you run wa_keyring -f <path> list on the path to the keyring on the
> WebKDC (the one used by mod_webkdc), you'll see something like:
>
> Path: keyring
>
> id  Created              Valid after          Fingerprint
>  0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c
>
> Take a look at the "Valid after" field.  You probably don't have any valid
> keys in the keyring that have a "Valid after" date in the past.
>
> Usually this happens because you've disabled automatic key rotation
> (usually because you have multiple WebKDCs) by turning off
> WebKdcKeyringAutoUpdate, but your wa_keyring cron job to rotate the keys
> isn't correct.  Perhaps it's garbage-collecting all the valid keys but not
> adding a new one?
>
> Take a look at the section in the mod_webkdc manual on setting up multiple
> WebKDCs for more details about how to run wa_keyring to maintain the
> keyring.
>
> --
> Russ Allbery <eagle at windlord.stanford.edu>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
>
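
The check described in the quoted reply (looking for a key whose "Valid after" time is already in the past), as an added shell example that is not part of the original thread or of WebAuth itself. It assumes the wa_keyring list column layout quoted above and local-time timestamps; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the WebAuth distribution.
# Assumes the `wa_keyring list` layout quoted above:
#   id  Created (date time)  Valid after (date time)  Fingerprint
# and that timestamps are in the host's local time zone (assumption).

# usable_keys NOW   (listing on stdin, NOW as "YYYY-MM-DD HH:MM:SS")
# Prints how many keys have a "Valid after" time that is not later than NOW.
usable_keys() {
    awk -v now="$1" '
        # Key rows: numeric id, then two date/time pairs, then fingerprint.
        NF >= 6 && $1 ~ /^[0-9]+$/ &&
        $4 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ {
            # ISO-style timestamps sort correctly as plain strings.
            if (($4 " " $5) <= now) n++
        }
        END { print n + 0 }'
}

# Constructed listing: one old key plus one added with a future "Valid after".
# Fingerprints are placeholders, not real key fingerprints.
sample_rotated() {
    cat <<'EOF'
Path: /var/lib/webkdc/keyring

id  Created              Valid after          Fingerprint
 0  2012-10-30 04:30:01  2012-10-30 04:30:01  00000000000000000000000000000000
 1  2012-12-31 04:30:01  2013-01-02 04:30:01  11111111111111111111111111111111
EOF
}

# Constructed listing: the same keyring with the old key removed.
sample_future_only() {
    sample_rotated | grep -v '^ 0 '
}

# Stand-alone use: sh check_keyring.sh /var/lib/webkdc/keyring
if [ "$#" -eq 1 ]; then
    n=$(wa_keyring -f "$1" list | usable_keys "$(date '+%Y-%m-%d %H:%M:%S')")
    if [ "$n" -eq 0 ]; then
        echo "no currently valid keys in $1" >&2
        exit 1
    fi
    echo "$n currently valid key(s) in $1"
fi
```

Running it before the rsync step lets the job stop rather than copy a keyring with no usable key to the other host.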