On Tue, May 15, 2012 at 3:24 PM, Simo Sorce <s...@redhat.com> wrote:

> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
> > So going through the documentation it's clearly laid out not to use
> > kadmin or kadmin.local when using freeipa.  I have been unable to find
> > how to replace this functionality in the documentation.
> >
> > If I could use kadmin.local on my kdc I would like to run the
> > following command....
> >
> > modprinc +requires_hwauth user
> >
> > Am I going to need to extend/modify the krb5 schema to modify
> > principals' attributes in this way?
> >
> For this specific change you can use kadmin.local, but the IPA UI will
> not report anything to you about it.
> The flags part is still a weak point of the Web UI. If you want, you can
> open an RFE ticket to ask for better support for these flags; we need to
> do it at some point, we simply haven't yet as we concentrated on more
> important and pressing issues thus far.
> Simo.
> --
> Simo Sorce * Red Hat, Inc * New York

The following errors lead me to believe I am missing something as
kadmin.local appears to have access issues when trying to modify a

kadmin.local:  modprinc +requires_hwauth user
modify_principal: User modification failed: Insufficient access while
modifying "user".

For good measure I've modified /var/kerberos/krb5kdc/kadm5.acl
with the correct ACLs for the domain and still encounter the same

-ipa 2.1.3