On 02/15/2012 09:06 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
Hi,

I see that the documentation for configuring kerberos on Solaris has
changed since the last time I looked.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10


kclient fails if I pre-create the account in IPA, and attempt to kclient
configure the client. If I don't, it successfully retrieves a keytab for
the host, but I'm unable to add the host as a host in IPA as the
Kerberos principal is already used.

I suppose there is a LDAP ACL preventing me from doing this?

Can I work around this somehow, having the host account in IPA and using
kclient to configure Solaris hosts at the same time?

I have edited /var/kerberos/krb5kdc/kadm5.acl:
------------------------------------------------------------------------------------------

*/ad...@ix.test.com *
------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------

# kclient

Starting client setup

---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: IX.TEST.COM
Specify the KDC hostname for the above realm: ipa01.ix.test.com
ipa01.ix.test.com

Note, this system and the KDC's time must be within 5 minutes of each
other for Kerberos to function. Both systems should run some form of
time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: soladmin
Obtaining TGT for soladmin/admin ...
Password for soladmin/ad...@ix.test.com:

Do you have multiple DNS domains spanning the Kerberos realm
IX.NIXTRA.COM ? [y/n]: n
No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: n
No action performed.

host/server2.ix.nixtra.com entry already exists in KDC database.
Authenticating as principal soladmin/ad...@ix.nixtra.com with existing
credentials.
kadmin: Insufficient access to perform requested operation while
changing host/server2.ix.nixtra.com's key

Administration credentials NOT DESTROYED.

kadmin: ktadd of host/server2.ix.test.com failed, exiting.
---------------------------------------------------
Setup FAILED.
------------------------------------------------------------------------------------------

From /var/log/kadmind.log:
------------------------------------------------------------------------------------------

Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_init, soladmin/ad...@ix.test.com, success,
client=soladmin/ad...@ix.test.com,
service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238,
vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_randkey_principal, host/server2.ix.test....@ix.test.com, User
modification failed: Insufficient access,
client=soladmin/ad...@ix.test.com,
service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238

These have been the Solaris directions for quite a long time.

What version of freeIPA does this work against?

You might try adding soladmin to the Host Administrators role and see if it works then. If it does you'll probably want to create a new role with more limited permissions.

I would imagine that a host added this way would not appear as an IPA-managed host (though adding the host first and using this to just add the key should be ok).

rob
The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter "-a adminuser", which it translates into "adminuser/admin". How can I add this to an IPA role?

If I attempt to work around that by using kadmin directly instead of the wrapper kclient script on the Solaris host, and specifying the IPA default "admin" account, the same message occurs:


# kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab host/server2.ix.test....@ix.test.com"
Authenticating as principal admin with password.
Password for ad...@ix.test.com:
kadmin: Insufficient access to perform requested operation while changing host/server2.ix.test....@ix.test.com's key


/var/kerberos/krb5kdc/kadm5.acl:
ad...@ix.test.com                     *


/var/log/kadmind.log:
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, ad...@ix.test.com, success, client=ad...@ix.test.com, service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238, vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test....@ix.test.com, User modification failed: Insufficient access, client=ad...@ix.test.com, service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238


Rgds,
Siggi
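The kadmind.log excerpts in this thread are the server-side record of what the Solaris client only sees as "Insufficient access to perform requested operation": a kadm5_init that succeeds, followed by a kadm5_randkey_principal on the host principal that the KDC denies. When working out whether a role change (Rob's Host Administrators suggestion) actually fixed things, it helps to pull every denied key-change request out of the log together with the client principal and source address. The parser below is an added example written for this page, not code from the thread, from FreeIPA or from Solaris kclient. It assumes the "Request:" line layout shown above; the sample log lines are constructed to match that layout and use unmangled principal names in place of the archive's "ad...@" obfuscation. The extra operation names in KEY_CHANGE_OPS beyond kadm5_randkey_principal are taken from the MIT kadm5 API and are an assumption about what else a key-changing client might log.

```python
"""Parse MIT kadmind 'Request:' log lines and surface denied key changes.

Added example for this thread; not part of FreeIPA or kclient.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One kadmind request line, in the layout seen in the thread:
#   Mon DD HH:MM:SS <host> kadmind[<pid>](<level>): Request: <op>, <target>,
#   <status>, client=<principal>, service=<principal>, addr=<ip>[, vers=.., flavor=..]
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kadmind\[(?P<pid>\d+)\]'
    r'\((?P<level>\w+)\): Request: (?P<op>\w+), (?P<target>[^,]+), (?P<status>.+?), '
    r'client=(?P<client>[^,]+), service=(?P<service>[^,]+), addr=(?P<addr>[\d.]+)'
)

# Operations that change a principal's key. kadm5_randkey_principal is the one
# kclient/kadmin ktadd triggers in the thread; the other two are assumed from the
# MIT kadm5 API (password change and explicit key set).
KEY_CHANGE_OPS = {
    "kadm5_randkey_principal",
    "kadm5_chpass_principal",
    "kadm5_setkey_principal",
}


@dataclass
class KadmRequest:
    timestamp: str
    host: str
    pid: int
    op: str
    target: str
    status: str
    client: str
    service: str
    addr: str

    @property
    def ok(self) -> bool:
        return self.status == "success"


def parse_line(line: str) -> Optional[KadmRequest]:
    """Return a KadmRequest for a kadmind request line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KadmRequest(
        timestamp=m["ts"], host=m["host"], pid=int(m["pid"]), op=m["op"],
        target=m["target"].strip(), status=m["status"].strip(),
        client=m["client"].strip(), service=m["service"].strip(), addr=m["addr"],
    )


def parse_log(text: str) -> List[KadmRequest]:
    """Parse a whole log, silently skipping lines that are not kadmind requests."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def denied_key_changes(requests: List[KadmRequest]) -> List[KadmRequest]:
    """Key-change requests the KDC refused with 'Insufficient access'."""
    return [
        r for r in requests
        if r.op in KEY_CHANGE_OPS and not r.ok and "Insufficient access" in r.status
    ]


def denials_by_client(requests: List[KadmRequest]) -> Dict[str, int]:
    """Count refused key changes per (client principal, source address)."""
    counts: Dict[str, int] = {}
    for r in denied_key_changes(requests):
        key = f"{r.client} from {r.addr}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def report(text: str) -> List[str]:
    """One human-readable line per denied key change in the given log text."""
    return [
        f"{r.timestamp} {r.client} ({r.addr}) denied {r.op} on {r.target}"
        for r in denied_key_changes(parse_log(text))
    ]


# Constructed sample modelled on the thread's excerpts (principals unmangled);
# the last two lines are added to show a success and a non-request line.
SAMPLE_LOG = """\
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/admin@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, admin@IX.TEST.COM, success, client=admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
Feb 15 21:30:02 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server3.ix.test.com@IX.TEST.COM, success, client=admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.240
this line is not a kadmind request and is skipped
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real /var/log/kadmind.log by reading the file into report(); the two refused randkey requests from the thread show up as lines naming soladmin/admin and admin from 192.168.1.238, while the successful key change on the constructed server3 line is left out.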



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
