On 02/15/2012 09:34 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 02/15/2012 09:06 PM, Rob Crittenden wrote:
You might try adding soladmin to the Host Administrators role and see
if it works then. If it does you'll probably want to create a new role
with more limited permissions.

I would imagine that a host added this way would not appear as an
IPA-managed host (though adding the host first and using this to just
add the key should be ok).

The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter "-a adminuser", which it
translates into "adminuser/admin". How can I add this to an IPA role?

If I attempt to work around that by using kadmin directly instead of the
wrapper kclient script on the Solaris host, and specifying the IPA
default "admin" account, the same message occurs:

# kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab
Authenticating as principal admin with password.
Password for ad...@ix.test.com:
kadmin: Insufficient access to perform requested operation while
changing host/server2.ix.test....@ix.test.com's key

ad...@ix.test.com *

Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_init, ad...@ix.test.com, success, client=ad...@ix.test.com,
service=kadmin/ipa01.ix.test....@ix.test.com, addr=,
vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_randkey_principal, host/server2.ix.test....@ix.test.com, User
modification failed: Insufficient access, client=ad...@ix.test.com,
service=kadmin/ipa01.ix.test....@ix.test.com, addr=

To be honest, the whole section about kclient, kadmin, etc is new to me as well. I don't know when that was added. We'll investigate that, sorry about the confusion.

OK, so it's not just me that this was new for. :)

These problems are likely related to the fact that kadmin assumes a different DIT than IPA. We don't recommend kadmin be used.

Yes, I was a bit surprised when I noticed this in the documentation, given other postings on the list where the use of kadmin and kadmin.local is said to be unsupported.

We recommend using ipa-getkeytab on a Linux box and retrieving the keytab that way. Yes, this is less than convenient.

This was my original plan: retrieving all the keytabs for Solaris hosts on one of the IPA servers, and then distributing them to the Solaris hosts using CFengine.

On Solaris 10 you may have a fighting chance of building ipa-getkeytab natively. I seem to recall a bunch of optional packages to add various LDAP and compiler parts you'd need but it is less than ideal. I had absolutely no luck on Solaris 9 without having to compile everything myself.

I remember I did give that a go a while back. Gave up pretty quickly though. I think I will stick with my original plan of distributing keytabs for Solaris using CFengine. :)
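
As an added example (not code from this thread or from FreeIPA itself): the plan discussed above is to run ipa-getkeytab on an IPA server and push the resulting files out to the Solaris hosts with CFengine. Before a keytab leaves the server it is worth checking that it holds exactly the host/ principal of the machine it is destined for, with a non-zero kvno, so a stray or stale entry never ships. The script below parses the MIT keytab file format (version 0x0502, the format ipa-getkeytab and klist use), so the check can run on the distribution host without klist. The realm IX.TEST.COM, the hostnames, the timestamp and the key bytes are constructed for the example.

```python
"""Inspect an MIT-format keytab before shipping it to a host (added example)."""
import struct

KEYTAB_MAGIC = b"\x05\x02"  # format version 2: entries carry a 32-bit name_type


def _counted(buf, off):
    """Read a counted_octet_string: uint16 big-endian length, then the bytes."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + length]), off + length


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, key length, timestamp."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab (magic %r)" % data[:2])
    entries = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted entry (a hole)
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        if end > len(data):
            raise ValueError("truncated entry at offset %d" % off)
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = bytes(data[off:off + keylen])
        off += keylen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno; if non-zero it overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "keylen": len(key),
            "timestamp": timestamp,
        })
        off = end
    return entries


def check_host_keytab(data, fqdn, realm):
    """Return a list of problems; an empty list means the keytab is fit to ship."""
    expected = "host/%s@%s" % (fqdn, realm)
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    for e in entries:
        if e["principal"] != expected:
            problems.append("unexpected principal %s (want %s)" % (e["principal"], expected))
        if e["kvno"] == 0:
            problems.append("kvno 0 for %s: key was never set" % e["principal"])
        if e["keylen"] == 0:
            problems.append("empty key for %s" % e["principal"])
    return problems


def build_entry(principal, kvno, enctype, key, timestamp):
    """Serialize one keytab entry; used here only to construct the sample file."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


REALM = "IX.TEST.COM"      # constructed realm for the example
NOW = 1329337121           # constructed timestamp

# Constructed sample: the intended host/ principal with AES-256 and AES-128 keys
# (enctypes 18 and 17), plus a stray entry for another host that must not ship.
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry("host/server2.ix.test.com@" + REALM, 2, 18, b"\x11" * 32, NOW)
    + build_entry("host/server2.ix.test.com@" + REALM, 2, 17, b"\x22" * 16, NOW)
    + build_entry("host/server3.ix.test.com@" + REALM, 1, 18, b"\x33" * 32, NOW)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-42s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    for p in check_host_keytab(SAMPLE_KEYTAB, "server2.ix.test.com", REALM):
        print("PROBLEM:", p)
```

In practice the same check would be run over the file ipa-getkeytab wrote (`check_host_keytab(open(path, "rb").read(), fqdn, realm)`) from the CFengine policy or a wrapper script, and a non-empty result should block the copy.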



Freeipa-users mailing list