On Thu, 2012-02-16 at 00:07 +0100, Sigbjorn Lie wrote:
> On 02/15/2012 11:51 PM, Simo Sorce wrote:
> > On Wed, 2012-02-15 at 22:55 +0100, Sigbjorn Lie wrote:
> >> On 02/15/2012 09:32 PM, Simo Sorce wrote:
> >>> On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
> >>>> Hi,
> >>>>
> >>>> I see that the documentation for configuring kerberos on Solaris has
> >>>> changed since the last time I looked.
> >>>>
> >>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >>>>
> >>>> kclient fails if I pre-create the account in IPA, and attempt to kclient
> >>>> configure the client. If I don't, it successfully retrieves a keytab for
> >>>> the host, but I'm unable to add the host as a host in IPA as the
> >>>> kerberos principal is already used.
> >>>>
> >>>> I suppose there is a LDAP ACL preventing me from doing this?
> >>>>
> >>>> Can I work around this somehow, having the host account in IPA and using
> >>>> kclient to configure Solaris hosts at the same time?
> >>> Sigbjorn,
> >>> running kadmind in FreeIPA < 2.2 is completely unsupported and there are
> >>> ACLs that explicitly prevent it from changing data in LDAP.
> >>>
> >>> I will investigate about those instructions and correct them as
> >>> necessary, they appear incorrect.
> >> Yes, I was a bit surprised when I noticed this in the documentation
> >> given other postings on the list where use of kadmin and kadmin.local is
> >> advised to be not supported.
> >>
> >> Does something change in 2.2 and upwards to support the use of kadmin ?
> > Yes and no.
> >
> > In 2.2 we have our own kdb backend and we decided to retire ipa_kpasswd
> > and use kadmind instead.
> > But I still prevent kadmin from doing a lot of operations, because
> > kadmind has no clue how to properly create an ipa computer object or an
> > ipa user.
> >
> > In time we may teach kadmin how to properly handle some of the
> > principals, but for now I am simply preventing it from messing up the
> > tree by creating bare principals in the wrong place, with the wrong (or
> > missing) data attached to it.
> 
> Would it be possible to allow it to retrieve a keytab for already 
> existing accounts?

One of the issues with kadmin is that it has no way to pass
authentication information to the backend. You could manually add ACLs,
but then you'd have to manually synchronize them between servers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users