On 09/10/2013 02:54 AM, Mahmoud wrote: > Hello, > > I installed Fedora 19. > Each time I change /usr/sbin/krb5kdc, it will not start again. I get > following error: > krb5kdc: Server error - while fetching master key K/M for realm > EXAMPLE.COM <http://EXAMPLE.COM> > > Via reinstalling IPA, the problem will be fixed but I would like to > fix it without reinstalling IPA. When I reinstalled IPA, all previous > stored data has been deleted. Is there any way to reconfigure > Kerberos without deleting database data? > Could you help me, please?
I am not sure what you are trying to do. It seems that you are trying to have Kerberos with DB and IPA at the same time on the same machine. I am not sure that would work. > > > On Tue, Sep 10, 2013 at 9:49 AM, Mahmoud <[email protected] > <mailto:[email protected]>> wrote: > > Hello, > > Thank you for your response. > When a user get tgt ticket, he can get service tickets without > typing password. I like to have several level of users. As high > level users have more access to resources, I want to grant a > ticket with less validation time. In other word, I want to have > several ticket life time due to user levels. > > Best regards > > > On Tue, Sep 10, 2013 at 5:24 AM, Dmitri Pal <[email protected] > <mailto:[email protected]>> wrote: > > On 09/09/2013 12:49 PM, Mahmoud wrote: >> Hello Mr. Dmitri Pal >> >> Thank you very much for your help. >> >> I tried to change source code to have more option. It was >> difficult for me to understand FreeIPA source code. Hence, I >> decided to change Kerberos source code. I want to add more >> features to Kerberos. For example, I like to have two (or >> several) types of ticket expiration. > > What do you mean by several types of ticket expiration? > Can you please give an example? > > >> >> Thanks >> Best regards >> >> >> On Mon, Sep 9, 2013 at 8:13 PM, Dmitri Pal <[email protected] >> <mailto:[email protected]>> wrote: >> >> On 09/09/2013 10:55 AM, Mahmoud wrote: >>> Hello, >>> >>> Thank you very much for your time and attention. >>> >>> I changed client side code (kinit.c) but it requires to >>> change all clients. Now, I decided to change server side >>> code. >> >> It seems that you should try to contribute code upstream >> if you want to end up with any kind of support of your >> enhancements, otherwise you would have to maintain your >> own version. >> >> >>> I thought it may be better choice. Should I change >>> policy.c file to change ticket policies? >> >> What policies do you want to change and why? You might >> have described your intent on some other thread in some >> other list but not here. >> >> >>> It does not require recompiling krb5kdc? >> >> I suspect it does... >> >> >>> I install FreeIPA on Fedora 18, When I execute klist -V >>> command, hence get following result: >>> Kerberos 5 version 1.10.3 >>> >> Fedora 19 has 1.11 >> >> IMO the best would be to have a details explanation of >> what you are trying to accomplish. >> This way we would be able to help you with the right >> approach. >> But it seems that building custom code might not be best >> option. >> >> Thanks >> Dmitri >> >> >>> Best regards. >>> >>> On Mon, Sep 9, 2013 at 6:00 PM, Simo Sorce >>> <[email protected] <mailto:[email protected]>> wrote: >>> >>> On Mon, 2013-09-09 at 08:07 +0430, Mahmoud wrote: >>> > Hello Simo >>> > >>> > >>> > The previous problem occurred due to installing >>> krb5-1.11.3. I install >>> > krb5-1.10.6 and copy ipadb.so in appropriate >>> directory, hence the >>> > problem has been solved. Is it all right? >>> >>> >>> No it is not, we require 1.11.3 for OTP support in >>> the latest FreeIPA. >>> >>> Seriously, chaingin the KDC is the last thing you >>> want to do to solve >>> your problem. >>> >>> Have you looked into creating custom ticket policies >>> for your users ? >>> >>> Why do you need to change the KDC to do that ? >>> >>> Simo. >>> > >>> > Thank you. >>> > >>> > Best regards. >>> > >>> > >>> > >>> > On Mon, Sep 9, 2013 at 7:47 AM, Luke Howard >>> <[email protected] <mailto:[email protected]>> wrote: >>> > >>> > On 09/09/2013, at 1:08 PM, Mahmoud >>> <[email protected] <mailto:[email protected]>> wrote: >>> > >>> > > I thought FreeIpa uses krb5-1.10.3, but >>> I use klist -V get >>> > following result: >>> > > Kerberos 5 version 1.10.3 >>> > >>> > >>> > Aren't these the same thing? >>> > >>> > -- Luke >>> > >>> > >>> >>> >>> -- >>> Simo Sorce * Red Hat, Inc * New York >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> [email protected] <mailto:[email protected]> >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> <http://www.redhat.com/carveoutcosts/> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> [email protected] <mailto:[email protected]> >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/> > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
