On 11/07/2012 5:46 PM, Dmitri Pal wrote:
On 07/11/2012 04:01 PM, Qing Chang wrote:

On 11/07/2012 3:23 PM, Simo Sorce wrote:
On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
Because the integration of Kerberos in IPA, Kerberos tools can be used
only in limited
situations, when creating afs/DOMAIN@REALM with kadmin, I got this
error:
add_principal: Kerberos database constraints violated while creating
"afs/DOMAIN@REALM"

Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.

Simo.

keytab with v4 salt was created successfully using kadmin,
unfortunately OpenAFS
still spit out th same error message:[root@smb1 ~]# fs setacl /afs
system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa servcie-add to created
afs/DOMAIN@REALM, IPA
still does not like the fact the is no host entry:
[root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
to.
sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created keytab 
with no salt:
=====
kadmin.local:   ktadd -e des-cbc-crc:v4 -k /tmp/openafs 
afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
kadmin.local:  getprinc afs/openafs.sri.utoronto.ca
Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=====

I also tried ":normal" and ":afs3", no salts added for any types. Is the IPA
code not doing it, or I am missing something?

Thanks,
Qing


Is there any problem of adding host entries into IPA?
ipa host-add will create a host entry. It is not mean that you have to
do something else with it.

Thanks,
Qing



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to