Hi,

When trying to generate a host and nfs principal + keys from the Oracle ZFS
7120/7320 Appliance I get the following error message (note that the
information pasted is from a simulator, but I get exactly the same error from
our real Appliances).

I can't generate a key on the IPA server and copy it to the Appliance;
unfortunately it does not support that, since it has a specialised web interface
and CLI.
The Appliance wants to generate the principals and keys itself after I add the
Kerberos information realm/KDC and admin principal.

NTP is synced and DNS is working with reverse, no firewalls and SELinux
disabled.
I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the
same results.

Any ideas on what is wrong and if it is possible to get it working?

An unanticipated system error occurred:
failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522
(Operation requires ``add'' privilege)
Exception type: coXmlrpcFault
Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt
error: 43787522 (Operation requires ``add'' privilege)
Mapped stack trace:
Native file: <undefined> line ?
Native stack trace:
Message: <none>
Wrapped exception: <none>
Stack trace:
<none>
at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
Additional native members:
faultCode: 600
faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt
error: 43787522 (Operation requires ``add'' privilege)
faultName: EAK_KADM5

In the kadmind.log on the IPA server I get the following:
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init,
admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME,
addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request:
kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME,
service=kadmin/server.home@HOME, addr=192.168.0.112
And in the krb5kdc.log:
Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for
krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for
krbtgt/HOME@HOME, Client not found in Kerberos database
If I add the host in IPA I instead get:
Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION
s4u-client=admin@HOME
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23
24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME,
Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23
24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18
ses=18}, admin@HOME for kadmin/server.home@HOME
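
The following is an added example, not part of the original post: a small parser that re-joins the mail-wrapped kadmind.log entries quoted above and counts denied kadmin operations per client, operation and source address. The field layout is taken from the two entries in the post; that other kadmind operations log the same comma-separated layout is an assumption.

```python
import re
from collections import Counter

# The two kadmind.log entries quoted in the post, wrapped as in the e-mail.
SAMPLE = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init,
admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME,
addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request:
kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME,
service=kadmin/server.home@HOME, addr=192.168.0.112
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(?P<ts>\S+ +\d+ [\d:]+) (?P<host>\S+) kadmind\[\d+\]\(\w+\): "
                   r"(?P<kind>Unauthorized request|Request): (?P<op>\w+), (?P<rest>.*)$")

def unwrap(text):
    """Re-join entries that mail wrapping split across several lines."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def parse(entry):
    """Turn one unwrapped kadmind entry into a dict, or None if it does not match."""
    m = ENTRY.match(entry)
    if not m:
        return None
    rec = m.groupdict()
    fields = [f.strip() for f in rec.pop("rest").split(",")]
    rec["target"] = fields[0]  # first positional field (for kadm5_init: the client)
    rec.update(f.split("=", 1) for f in fields if "=" in f)
    rec["authorized"] = rec.pop("kind") == "Request"
    return rec

def denied(text):
    """Count denied kadmin operations per (client, operation, source address)."""
    hits = Counter()
    for rec in filter(None, map(parse, unwrap(text))):
        if not rec["authorized"]:
            hits[(rec["client"], rec["op"], rec["addr"])] += 1
    return hits

if __name__ == "__main__":
    for (client, op, addr), n in denied(SAMPLE).items():
        print(f"{n}x {op} denied for {client} from {addr}")
```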