Sigbjorn Lie wrote:
On 02/15/2012 09:06 PM, Rob Crittenden wrote:
You might try adding soladmin to the Host Administrators role and see
if it works then. If it does you'll probably want to create a new role
with more limited permissions.

I would imagine that a host added this way would not appear as an
IPA-managed host (though adding the host first and using this to just
add the key should be ok).

rob
The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter "-a adminuser", which it
translates into "adminuser/admin". How can I add this to an IPA role?

If I attempt to work around that by using kadmin directly instead of the
wrapper kclient script on the Solaris host, and specifying the IPA
default "admin" account, the same message occurs:


# kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab host/server2.ix.test....@ix.test.com"
Authenticating as principal admin with password.
Password for ad...@ix.test.com:
kadmin: Insufficient access to perform requested operation while changing host/server2.ix.test....@ix.test.com's key


/var/kerberos/krb5kdc/kadm5.acl:
ad...@ix.test.com *


/var/log/kadmind.log:
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, ad...@ix.test.com, success, client=ad...@ix.test.com, service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238, vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test....@ix.test.com, User modification failed: Insufficient access, client=ad...@ix.test.com, service=kadmin/ipa01.ix.test....@ix.test.com, addr=192.168.1.238

To be honest, the whole section about kclient, kadmin, etc. is new to me as well. I don't know when that was added. We'll investigate that, sorry about the confusion.

These problems are likely related to the fact that kadmin assumes a different DIT than IPA. We don't recommend kadmin be used.

We recommend using ipa-getkeytab on a Linux box and retrieving the keytab that way. Yes, this is less than convenient.

On Solaris 10 you may have a fighting chance of building ipa-getkeytab natively. I seem to recall a bunch of optional packages to add various LDAP and compiler parts you'd need but it is less than ideal. I had absolutely no luck on Solaris 9 without having to compile everything myself.

rob
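Added here as an example, not part of the thread or of FreeIPA itself: a small Python parser for kadmind.log "Request:" lines in the shape quoted above, which flags key-change requests the KDC refused (such as a ktadd that was answered with "Insufficient access") and counts them per requesting client. The hostnames, principals and address in the sample log are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# kadm5 operations that replace a principal's keys; kadmin's ktadd issues the first one.
KEY_CHANGE_OPS = {"kadm5_randkey_principal", "kadm5_chpass_principal", "kadm5_setkey_principal"}

# Constructed sample lines in the kadmind log shape; names and address are made up.
SAMPLE_LOG = """\
Feb 15 21:18:41 ipa01.example.test kadmind[22727](Notice): Request: kadm5_init, admin@EXAMPLE.TEST, success, client=admin@EXAMPLE.TEST, service=kadmin/ipa01.example.test@EXAMPLE.TEST, addr=192.0.2.38, vers=2, flavor=6
Feb 15 21:18:41 ipa01.example.test kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.example.test@EXAMPLE.TEST, User modification failed: Insufficient access, client=admin@EXAMPLE.TEST, service=kadmin/ipa01.example.test@EXAMPLE.TEST, addr=192.0.2.38
Feb 15 21:20:05 ipa01.example.test kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server3.example.test@EXAMPLE.TEST, success, client=admin@EXAMPLE.TEST, service=kadmin/ipa01.example.test@EXAMPLE.TEST, addr=192.0.2.38
"""

# One 'Request:' line: timestamp, host, pid, level, operation, target, result, client=, service=, addr=, optional extras.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kadmind\[\d+\]\(\w+\): "
    r"Request: (?P<op>\w+), (?P<target>[^,]+), (?P<result>.+?), "
    r"client=(?P<client>[^,\s]+), service=[^,\s]+, addr=(?P<addr>[\d.]+)(?:, .*)?$"
)

@dataclass
class Request:
    timestamp: str
    op: str
    target: str
    result: str
    client: str
    addr: str

def parse_kadmind_log(text: str) -> List[Request]:
    """Parse 'Request:' lines; lines in any other shape are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Request(m["ts"], m["op"], m["target"], m["result"], m["client"], m["addr"]))
    return out

def denied_key_changes(requests: List[Request]) -> List[Request]:
    """Key-change requests the KDC refused, e.g. 'Insufficient access' on a ktadd."""
    return [r for r in requests if r.op in KEY_CHANGE_OPS and r.result != "success"]

def denials_by_client(requests: List[Request]) -> Dict[str, int]:
    """Refused key changes per requesting client principal (a quick triage view)."""
    counts: Dict[str, int] = {}
    for r in denied_key_changes(requests):
        counts[r.client] = counts.get(r.client, 0) + 1
    return counts
```

Run against a real kadmind.log, repeated denials from one client and address are the pattern to look for, whether they come from a misconfigured kclient run like the one above or from something less benign.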

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
