Hi,

I see that the documentation for configuring kerberos on Solaris has changed since the last time I looked.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

kclient fails if I pre-create the account in IPA, and attempt to kclient configure the client. If I don't, it successfully retrieves a keytab for the host, but I'm unable to add the host as a host in IPA as the kerberos principal is already used.

I suppose there is an LDAP ACL preventing me from doing this?

Can I work around this somehow, having the host account in IPA and using kclient to configure Solaris hosts at the same time?

I have edited /var/kerberos/krb5kdc/kadm5.acl :
------------------------------------------------------------------------------------------
*/ad...@ix.test.com           *
------------------------------------------------------------------------------------------



------------------------------------------------------------------------------------------
# kclient

Starting client setup

---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
        No action performed.
Enter the Kerberos realm: IX.TEST.COM
Specify the KDC hostname for the above realm: ipa01.ix.test.com
ipa01.ix.test.com

Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: soladmin
Obtaining TGT for soladmin/admin ...
Password for soladmin/ad...@ix.test.com:

Do you have multiple DNS domains spanning the Kerberos realm IX.NIXTRA.COM ? [y/n]: n
        No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: n
        No action performed.

host/server2.ix.nixtra.com entry already exists in KDC database.
Authenticating as principal soladmin/ad...@ix.nixtra.com with existing credentials. kadmin: Insufficient access to perform requested operation while changing host/server2.ix.nixtra.com's key

Administration credentials NOT DESTROYED.

kadmin: ktadd of host/server2.ix.test.com failed, exiting.
---------------------------------------------------
Setup FAILED.
------------------------------------------------------------------------------------------


From /var/log/kadmind.log:
------------------------------------------------------------------------------------------
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/ad...@ix.test.com, success, client=soladmin/ad...@ix.test.com, service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238, vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test....@ix.test.com, User modification failed: Insufficient access, client=soladmin/ad...@ix.test.com, service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238
------------------------------------------------------------------------------------------
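To sift a kadmind.log for authorization failures of the kind shown above (which principal tried which operation on which target, from where), here is an added example that is not part of the original post and not FreeIPA's own tooling. The log sample inside it is constructed to match the kadmind "Request:" line format; the hostnames, realm and addresses are made up.

```shell
#!/bin/sh
# Constructed kadmind.log sample (not from the original post). The second
# entry mirrors the "Insufficient access" failure pattern discussed above.
SAMPLE_LOG='Feb 15 19:56:49 kdc.example.test kadmind[22727](Notice): Request: kadm5_init, soladmin/admin@EXAMPLE.TEST, success, client=soladmin/admin@EXAMPLE.TEST, service=kadmin/kdc.example.test@EXAMPLE.TEST, addr=192.0.2.10, vers=2, flavor=6
Feb 15 19:56:49 kdc.example.test kadmind[22727](Notice): Request: kadm5_randkey_principal, host/client1.example.test@EXAMPLE.TEST, User modification failed: Insufficient access, client=soladmin/admin@EXAMPLE.TEST, service=kadmin/kdc.example.test@EXAMPLE.TEST, addr=192.0.2.10
Feb 15 20:01:03 kdc.example.test kadmind[22727](Notice): Request: kadm5_randkey_principal, host/client2.example.test@EXAMPLE.TEST, success, client=soladmin/admin@EXAMPLE.TEST, service=kadmin/kdc.example.test@EXAMPLE.TEST, addr=192.0.2.11'

# Read kadmind log text on stdin and print one '|'-separated line per
# failed request: operation|target principal|client principal|addr|reason.
# Successful requests (", success,") are skipped. Uses only POSIX awk.
kadmind_failures() {
    awk '
        /Request: / && !/, success,/ {
            # Everything after "Request: " is a comma-separated field list:
            # <operation>, <target>, <status text>, client=..., service=..., addr=...
            split($0, pre, "Request: ")
            n = split(pre[2], f, ", ")
            op = f[1]; target = f[2]; reason = f[3]
            client = ""; addr = ""
            for (i = 4; i <= n; i++) {
                if (f[i] ~ /^client=/) client = substr(f[i], 8)
                if (f[i] ~ /^addr=/)   addr   = substr(f[i], 6)
            }
            print op "|" target "|" client "|" addr "|" reason
        }'
}

# Count of failed requests, for a quick health check in a cron job.
kadmind_failure_count() {
    kadmind_failures | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a real KDC you would run
#   kadmind_failures < /var/log/kadmind.log
printf '%s\n' "$SAMPLE_LOG" | kadmind_failures
```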

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
