Sigbjorn Lie wrote:
On 02/15/2012 09:06 PM, Rob Crittenden wrote:
You might try adding soladmin to the Host Administrators role and see
if it works then. If it does you'll probably want to create a new role
with more limited permissions.

I would imagine that a host added this way would not appear as an
IPA-managed host (though adding the host first and using this to just
add the key should be ok).

The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter "-a adminuser", which it
translates into "adminuser/admin". How can I add this to an IPA role?

If I attempt to work around that by using kadmin directly instead of the
wrapper kclient script on the Solaris host, and specifying the IPA
default "admin" account, the same message occurs:

# kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab
Authenticating as principal admin with password.
Password for
kadmin: Insufficient access to perform requested operation while
changing host/'s key

/var/kerberos/krb5kdc/kadm5.acl: *

Feb 15 21:18:41 kadmind[22727](Notice): Request:
kadm5_init,, success,,
service=kadmin/, addr=,
vers=2, flavor=6
Feb 15 21:18:41 kadmind[22727](Notice): Request:
kadm5_randkey_principal, host/, User
modification failed: Insufficient access,,
service=kadmin/, addr=

To be honest, the whole section about kclient, kadmin, etc. is new to me as well. I don't know when that was added. We'll investigate that; sorry about the confusion.

These problems are likely related to the fact that kadmin assumes a different DIT than IPA. We don't recommend kadmin be used.

We recommend using ipa-getkeytab on a Linux box and retrieving the keytab that way. Yes, this is less than convenient.

On Solaris 10 you may have a fighting chance of building ipa-getkeytab natively. I seem to recall a bunch of optional packages to add various LDAP and compiler parts you'd need but it is less than ideal. I had absolutely no luck on Solaris 9 without having to compile everything myself.
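The ipa-getkeytab route Rob recommends, written out as an added example (not code from the thread or from FreeIPA itself): register the host in IPA, pull its keytab from an enrolled Linux client, then install it at the Solaris keytab path seen above. The server name solaris10.example.com, ipa.example.com and realm EXAMPLE.COM are placeholders; the script assumes you have already run kinit as an IPA admin on the Linux box.

```shell
#!/bin/sh
# Added example, not from the thread: fetch a Solaris host's keytab with
# FreeIPA tooling instead of kadmin. Hostnames and realm are placeholders.
# Run on an enrolled Linux client after "kinit admin".

# Build the host principal name for a given FQDN and realm.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Register the host in IPA first so the principal exists and the host is
# IPA-managed (a key added via kadmin alone would not be). --force allows
# adding a host that has no DNS A record yet.
register_host() {
    ipa host-add "$1" --force
}

# Retrieve a keytab for the host. ipa-getkeytab generates a new key on the
# IPA server, so any keytab previously issued for this host stops working.
fetch_host_keytab() {
    if [ $# -ne 4 ]; then
        echo "usage: fetch_host_keytab IPA_SERVER FQDN REALM OUTFILE" >&2
        return 2
    fi
    server=$1; fqdn=$2; realm=$3; out=$4
    umask 077   # keytab is a credential; keep it owner-readable only
    ipa-getkeytab -s "$server" -p "$(host_principal "$fqdn" "$realm")" -k "$out"
}

# Copy the keytab to the Solaris host over SSH and confirm it lists the
# host principal. Solaris keeps the system keytab at /etc/krb5/krb5.keytab.
install_keytab() {
    keytab=$1; fqdn=$2
    scp "$keytab" "root@$fqdn:/etc/krb5/krb5.keytab" &&
    ssh "root@$fqdn" 'chmod 600 /etc/krb5/krb5.keytab && klist -k /etc/krb5/krb5.keytab'
}

# Typical sequence (placeholder names):
#   register_host solaris10.example.com
#   fetch_host_keytab ipa.example.com solaris10.example.com EXAMPLE.COM /tmp/solaris10.keytab
#   install_keytab /tmp/solaris10.keytab solaris10.example.com && rm -f /tmp/solaris10.keytab
```

Because each ipa-getkeytab call re-keys the host, run it once per host and delete the local copy after the transfer.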
