On 11/07/2012 3:23 PM, Simo Sorce wrote:
On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
Because the integration of Kerberos in IPA, Kerberos tools can be used
only in limited
situations, when creating afs/DOMAIN@REALM with kadmin, I got this
add_principal: Kerberos database constraints violated while creating

Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.


keytab with v4 salt was created successfully using kadmin, unfortunately OpenAFS
still spit out th same error message:[root@smb1 ~]# fs setacl /afs 
system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa servcie-add to created afs/DOMAIN@REALM, IPA
still does not like the fact the is no host entry:
[root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.


Freeipa-users mailing list

Reply via email to