On Wed, 2012-07-11 at 15:10 -0400, Dan Scott wrote:
> Hi,
>
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang <qch...@sri.utoronto.ca> wrote:
> > I agree with you that OpenAFS should implement better enctype. I'll raise it
> > on their list. In the meantime, this is a block, do you have an estimate how
> > long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> > we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> > to our new infrastructure by end of July.
>
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?
>
> > There is another issue, by convention OpenAFS service principal is created as
> > afs/DOMAIN@REALM. IPA does not support creating a service principal without
> > first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
> > to add the flexibility in IPA to create an arbitrary service principal, which can be
> > done with a standalone Kerberos KDC?

You can use the --force flag to force the creation of an arbitrary
service principal.

> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.

Using kadmin.local is really not recommended with IPA normally, but
maybe it can be used as a temporary workaround in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York