On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
>
> On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> > On 07/11/2012 04:01 PM, Qing Chang wrote:
> > >
> > > On 11/07/2012 3:23 PM, Simo Sorce wrote:
> > > > On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
> > > > > Because of the integration of Kerberos in IPA, Kerberos tools can be used
> > > > > only in limited situations; when creating afs/DOMAIN@REALM with kadmin, I got
> > > > > this error:
> > > > > add_principal: Kerberos database constraints violated while creating
> > > > > "afs/DOMAIN@REALM"
> > > > >
> > > > Use ipa service-add to add services, never use kadmin.local, it will not
> > > > work, we hard-coded failures in the DB driver to prevent users from
> > > > doing that as kadmin doesn't know where to put and how to properly fill
> > > > up objects.
> > > >
> > > > However you can use kadmin.local on a pre-existing principal to obtain a
> > > > new keytab.
> > > >
> > > > Simo.
> > > >
> > > keytab with v4 salt was created successfully using kadmin, unfortunately
> > > OpenAFS still spit out the same error message:
> > > [root@smb1 ~]# fs setacl /afs system:anyuser rl
> > > fs: You don't have the required access rights on '/afs'
> > >
> > > When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
> > > still does not like the fact there is no host entry:
> > > [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
> > > ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.
> sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created
> keytab with no salt:
> =====
> kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
> Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
> kadmin.local: getprinc afs/openafs.sri.utoronto.ca
> Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
> Expiration date: [never]
> Last password change: Thu Jul 12 15:08:16 EDT 2012
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 20, des-cbc-crc, no salt
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
> =====
>
> I also tried ":normal" and ":afs3", no salts added for any types. Is the IPA
> code not doing it, or I am missing something?

v4 means 'no salt' afaik.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
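The check that would have answered the question in this thread is to read the key list that `kadmin getprinc` prints and confirm, key by key, which salt type and enctype the KDC actually stored, and then compare that with what `ktadd` reported writing into the keytab. Below is an added Python example to do exactly that; it is not code from the thread, from FreeIPA or from MIT Kerberos. The sample `getprinc` and `ktadd` text is constructed with placeholder principal and realm names, and it assumes (as in the quoted output) that MIT kadmin prints a salt description after the enctype only when the salt is not the default one, so a missing description is treated as the normal salt.

```python
"""Audit the key list in `kadmin getprinc` output for saltless or weak keys,
and confirm a `ktadd` keytab entry matches a key the KDC actually holds."""
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the getprinc output quoted in the thread.
# Principal, realm and dates are placeholders, not the poster's values.
SAMPLE_GETPRINC = """\
Principal: afs/openafs.example.test@EXAMPLE.TEST
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/admin@EXAMPLE.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 20, des-cbc-crc, no salt
Key: vno 20, des-cbc-crc, AFS version 3 salt
Key: vno 20, aes256-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# Constructed sample of the line ktadd prints when it writes a keytab entry.
SAMPLE_KTADD = ("Entry for principal afs/openafs.example.test with kvno 20, "
                "encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.")

# "Key: vno <n>, <enctype>[, <salt description>]"; the salt description is
# absent for the default (normal) salt (assumption, see lead-in).
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([A-Za-z0-9-]+)(?:,\s+(.+?))?\s*$")
KTADD_RE = re.compile(r"Entry for principal (\S+) with kvno (\d+), "
                      r"encryption type ([A-Za-z0-9-]+) added to keytab")

# Single-DES and RC4 enctypes: OpenAFS-era tooling still asks for them, but they
# are weak and disabled by default in modern KDCs, so flag them when seen.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "arcfour-hmac", "arcfour-hmac-exp"}


def parse_keys(getprinc_text: str) -> List[dict]:
    """Return one dict per 'Key:' line with vno, enctype and salt (None = default)."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            vno, enctype, salt = m.groups()
            keys.append({"vno": int(vno), "enctype": enctype, "salt": salt})
    return keys


def principal_name(getprinc_text: str) -> Optional[str]:
    """The full principal (with realm) from the 'Principal:' line, or None."""
    m = re.search(r"^Principal:\s+(\S+)", getprinc_text, re.MULTILINE)
    return m.group(1) if m else None


def audit_keys(getprinc_text: str) -> List[str]:
    """One finding string per key that is saltless or uses a weak enctype."""
    findings = []
    for key in parse_keys(getprinc_text):
        issues = []
        if key["enctype"] in WEAK_ENCTYPES:
            issues.append("weak enctype")
        if key["salt"] == "no salt":
            issues.append("no salt (v4-style key)")
        if issues:
            findings.append(f"vno {key['vno']} {key['enctype']}: " + "; ".join(issues))
    return findings


def highest_kvno(getprinc_text: str) -> Optional[int]:
    """Current kvno on the KDC; a keytab with a lower kvno is stale."""
    vnos = [k["vno"] for k in parse_keys(getprinc_text)]
    return max(vnos) if vnos else None


def parse_ktadd_line(line: str) -> Optional[Tuple[str, int, str]]:
    """(principal-without-realm, kvno, enctype) from a ktadd report line."""
    m = KTADD_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def keytab_entry_matches(ktadd_line: str, getprinc_text: str) -> bool:
    """True if the keytab entry names this principal and matches a stored key."""
    entry = parse_ktadd_line(ktadd_line)
    full = principal_name(getprinc_text)
    if entry is None or full is None:
        return False
    name, kvno, enctype = entry
    if name.split("@")[0] != full.split("@")[0]:
        return False
    return any(k["vno"] == kvno and k["enctype"] == enctype
               for k in parse_keys(getprinc_text))


if __name__ == "__main__":
    print("principal:", principal_name(SAMPLE_GETPRINC))
    for finding in audit_keys(SAMPLE_GETPRINC):
        print("finding:", finding)
    print("current kvno:", highest_kvno(SAMPLE_GETPRINC))
    print("keytab entry matches KDC:", keytab_entry_matches(SAMPLE_KTADD, SAMPLE_GETPRINC))
```

Run it against real output by piping `kadmin.local -q "getprinc <principal>"` into `SAMPLE_GETPRINC` instead of the constructed text; the salt column is what distinguishes a `:v4` key ("no salt") from an `:afs3` key ("AFS version 3 salt") and from a default-salt key (no annotation), which is the distinction the thread was asking about.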