On 11/07/2012 5:46 PM, Dmitri Pal wrote:
On 07/11/2012 04:01 PM, Qing Chang wrote:

On 11/07/2012 3:23 PM, Simo Sorce wrote:
On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
Because of the integration of Kerberos in IPA, Kerberos tools can be used only in limited situations. When creating afs/DOMAIN@REALM with kadmin, I got this:
add_principal: Kerberos database constraints violated while creating

Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.


keytab with v4 salt was created successfully using kadmin, unfortunately OpenAFS still spit out the same error message:
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa service-add to create
still does not like the fact there is no host entry:
[root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
Is there any problem of adding host entries into IPA?
ipa host-add will create a host entry. It does not mean that you have to do something else with it.
I have no problem creating host entries in IPA. It looks like IPA does assume a service principal has to have a corresponding host principal, which is reasonable in normal
Now that I have created keytab with v4 successfully, it may have become an issue that I have to raise on OpenAFS list.

Freeipa-users mailing list

