I did some research and apparently this has to do with the operating system not having enough 'entropy' to create 'quality randomness' for cryptography. Here is a definition I found helpful:
In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators.
Apparently you can see how much 'entropy' your operating system has available by looking at the number contained in the file "/proc/sys/kernel/random/entropy_avail".
When the creation of the kerberos db was hanging, that file was reporting an entropy value of around 75.
So, I found this handy utility called 'haveged' (HArdware Volatile Entropy Gathering and Expansion), available here: http://www.issihosts.com/haveged/downloads.html
More info: http://www.irisa.fr/caps/projects/hipsor/
Of course I had to install a C++ compiler: "yum install -y gcc-c++.x86_64"
Then, $ tar -xvf haveged-x.x.tar.gz
Change into the haveged directory,
$ ./configure
$ make
$ make install
$ haveged -w 1024 #(this starts the daemon)
$ echo "/usr/local/sbin/haveged -w 1024" >> /etc/rc.local #(this starts the daemon on boot)
Once this was done, my entropy available was showing values between 2000 and 3000. When I then attempted to create the kerberos DB, it finished within a second! No problems!
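To make the check above repeatable, here is a small script (an added example, not from the original post) that reads the same entropy_avail counter, classifies it against a threshold, and reports whether a haveged process is running. It assumes a Linux box with /proc mounted; the 1000 threshold and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the kernel's
# entropy pool is low enough that readers of /dev/random such as
# "kdb5_util create -s" will stall, and whether haveged is already running.
# Assumption: Linux with /proc mounted; the threshold is an arbitrary choice.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# Print the current entropy estimate, or -1 if the file cannot be read.
read_entropy() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo -1
    fi
}

# Classify a pool value against a threshold (default 1000):
#   "starved" below it (the post saw ~75 while kdb5_util hung),
#   "healthy" at or above it, "unknown" for a negative/unreadable value.
classify_entropy() {
    avail=$1
    threshold=${2:-1000}
    if [ "$avail" -lt 0 ]; then
        echo unknown
    elif [ "$avail" -lt "$threshold" ]; then
        echo starved
    else
        echo healthy
    fi
}

# "yes" if a haveged daemon is present in the process table, else "no".
haveged_running() {
    if pgrep -x haveged >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Human-readable report; invoked only when run as:  sh entropy_check.sh --check
main() {
    avail=$(read_entropy)
    state=$(classify_entropy "$avail" 1000)
    echo "entropy_avail=$avail state=$state haveged=$(haveged_running)"
    if [ "$state" = starved ]; then
        echo "pool is low: /dev/random readers will block; start 'haveged -w 1024'"
    fi
}

case "${1:-}" in --check) main ;; esac
```

Run it before and after starting haveged to see the counter move from the starved range into the healthy one, as the numbers above show.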
...
[Edit]
Looks like I also needed to clear out the mess of 'principal' files in /var/kerberos/krb5kdc/ before re-running the create.
Thanks for sharing. Works great!
Really helps me out, thanks!
Thanks a ton man.. I was stuck at this.. this really helped..
It really works, saved me a lot of time, thanks man.
You might also be able to add the -W option...
kdb5_util create -s -W
that should use /dev/urandom instead of /dev/random.
Neat! Thanks for the input Joshua. Some argue that urandom does not provide any guarantee of randomness and should be considered when used in production systems that are often targeted for attack. It's a rabbit hole discussion which can be found here: http://lwn.net/Articles/261091/
Awesome tracing dude.... it saved my 2 days.... You genius..... cheers
I am glad you found this helpful. And thank you for taking the time to post a comment.
Thanks Champ,
This really helped me and saved me a lot of time when kdb5_util was hanging on loading random data.
Hey no problem! I really enjoyed solving this and also learned a lot about entropy theory in the process.
apt-get install haveged
Nice!
Fantastic.. Works like a charm... On a CentOS 7.3 HW with the arch
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 16
On-line CPU(s) list: 0-15
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 79
Model name: Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz
Stepping: 1
CPU MHz: 1200.000
BogoMIPS: 6999.35
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 15360K
NUMA node0 CPU(s): 0-3,8-11
NUMA node1 CPU(s): 4-7,12-15
It was instantaneous when I entered "kdb5_util create -r CW.COM -s" .....and the entropy value started at 2387 when haveged was started.
Great stuff and it was more than 3 years ago you wrote this post.
Thanks for such info.... It worked well......
Some added info here
[root@kdc ~]# yum install haveged
[root@kdc ~]# haveged -w 1024
[root@kdc ~]# echo "/usr/local/sbin/haveged -w 1024" >> /etc/rc.local
Re run :)
[root@kdc ~]# kdb5_util create -s -r DOMAIN.COM