Hi,

When trying to generate a host and NFS principal + keys from the Oracle ZFS 
7120/7320 Appliance, I get the following error message (note that the 
information pasted is from a simulator, but I get exactly the same error from 
our real Appliances).
I can't generate a key on the IPA server and copy it to the Appliance; 
unfortunately it does not support that, since it has a specialised web interface 
and CLI.
The Appliance wants to generate the principals and keys itself after I add the 
Kerberos information realm/KDC and admin principal.

NTP is synced and DNS is working with reverse, no firewalls and SELinux 
disabled.

I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the 
same results.

Any ideas on what is wrong and if it is possible to get it working?


An unanticipated system error occurred:

failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 
(Operation requires ``add'' privilege)

Exception type: coXmlrpcFault
Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt 
error: 43787522 (Operation requires ``add'' privilege)
Mapped stack trace:

Native file: <undefined> line ?
Native stack trace:
Message: <none>
Wrapped exception: <none>
Stack trace:
<none>

    at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
Additional native members:
    faultCode: 600
    faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt 
error: 43787522 (Operation requires ``add'' privilege)
    coStack: top.akMulticall(argv:<array> "[object Object]", abort:true, 
func:<function> "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 
'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs 
});\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
nasServiceNFS.prototype.commit(callback:<function> "function (err) {\n\t\tif 
(akHandleFault(err, {\n\t\t    set: view.aksvc_current_set\n\t\t    })) 
{\n\t\t\tif 
(callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t
 */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif 
(callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t
    akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif 
(akHandleFault(err)) {\n\t\t\t\tif 
(callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif 
(callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
akSvcView.prototype.commitToServer(enable:false, callback:<function> "function 
(error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && 
!error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
akSvcView.prototype.commit(callback:null)
<anonymous>(<object> "[object Object]", <object> "[object MouseEvent]")
<anonymous>(e:<object> "[object MouseEvent]")
[akEventListenerWrap,click,undefined](e:<object> "[object MouseEvent]")

    faultName: EAK_KADM5

In the kadmind.log on the IPA server I get the following:

Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, 
admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, 
addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: 
kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, 
service=kadmin/server.home@HOME, addr=192.168.0.112

And in the krb5kdc.log:

Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for 
krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for 
krbtgt/HOME@HOME, Client not found in Kerberos database

If I add the host in IPA I instead get:

Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION 
s4u-client=admin@HOME
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, 
Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 
ses=18}, admin@HOME for kadmin/server.home@HOME
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
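
An added example, not part of the original post: a small Python parser for the kadmind.log line format quoted in the message, reporting which kadm5 operations were denied for which client and source address. The sample input is the post's two kadmind entries unwrapped onto single lines; the function and field names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the post's two kadmind.log entries, unwrapped onto single lines.
SAMPLE = (
    "Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, "
    "admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, "
    "addr=192.168.0.112, vers=2, flavor=6\n"
    "Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: "
    "kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, "
    "service=kadmin/server.home@HOME, addr=192.168.0.112\n"
)

# syslog-style prefix, then "Request:" or "Unauthorized request:", then the kadm5 operation.
LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kadmind\[\d+\]\(\w+\): "
    r"(?P<kind>Unauthorized request|Request): (?P<op>\w+), (?P<rest>.+)$"
)

def parse(line):
    """Return a dict for one kadmind request line, or None if it is not one."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = {"time": m["time"], "op": m["op"]}
    fields = [f.strip() for f in m["rest"].split(",")]
    rec["target"] = fields[0]  # principal the operation acts on
    # Denied lines carry no status word; accepted ones put it right after the target.
    if m["kind"].startswith("Unauthorized"):
        rec["status"] = "denied"
    else:
        rec["status"] = fields[1] if len(fields) > 1 else "unknown"
    for f in fields[1:]:  # client=, service=, addr=, vers=, flavor=
        key, sep, value = f.partition("=")
        if sep:
            rec[key] = value
    return rec

def denied_operations(lines):
    """Count denied kadm5 operations per (client, source address, operation)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "denied":
            hits[(rec.get("client"), rec.get("addr"), rec["op"])] += 1
    return hits

if __name__ == "__main__":
    for (client, addr, op), n in denied_operations(SAMPLE.splitlines()).items():
        print(f"{n}x {op} denied for {client} from {addr}")
```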
