On Tue, 2012-12-18 at 00:15 +0000, Johan Petersson wrote:
> Hi, 

Hi Johan,
see inline.

> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance;
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
> 
> 
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
> 
> 
> I have tested on both Red Hat/CentOS 6.3 and fedora 17 as IPA servers
> with the same results.
> 
> 
> Any ideas on what is wrong and if it is possible to get it working?
> 
> 
> 
> 
> An unanticipated system error occurred:
> 
> 
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
> 


We do not allow tools the permissions to perform add operations via the
kadmin interface; this is done by explicitly disallowing certain internal
DAL operations in our driver, so it is not configurable.

This is because that interface is not rich enough to provide all the
information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal?

It sounds very odd that these 'appliances' really require you to give
them credentials that have very high privileges, so high as to be able
to actually add principals into a kerberos database.
I would consider that a very serious bug and security issue in the
appliance.

Note that the kadmin interface can be allowed to change principals,
including getting a new keytab. That will require you to manually edit
the ACL file that is not normally configured as we do not need to allow
modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a
keytab as opposed to trying to create one from scratch, then you may be able
to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
> 
> 
> Native file: <undefined> line ?
> Native stack trace:
> Message: <none>
> Wrapped exception: <none>
> Stack trace:
> <none>
> 
> 
>     at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
>     faultCode: 600
>     faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> 
>     faultName: EAK_KADM5
> 
> 
> In the kadmind.log on the IPA server I get the following:
> 
> 
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request:
> kadm5_init, admin@HOME, success, client=admin@HOME,
> service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized
> request: kadm5_create_principal, host/zfs1.home@HOME,
> client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
> 
> 
> And in the krb5kdc.log:
> 
> 
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database

All this is pretty much expected if this appliance tries to create
principals via the kadmin add API.

> 
> If I add the host in IPA I instead get:
> 
> 
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for
> kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes
> {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME

I see no problem in here, so does the appliance cope with pre-existing
principals?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
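The kadmin ACL tuning discussed in the reply, as an added example that is not part of the thread or of FreeIPA's code: a simplified model of how kadmind matches a client principal and its requested operation against kadm5.acl entries, comparing an all-privileges entry for admin@HOME with one that only lets it inquire and re-key host/ and nfs/ principals. It assumes MIT kadm5.acl syntax ("client perms [target]"), first matching entry wins, and it models only the ACL layer, not the FreeIPA KDB driver, which refuses adds regardless of the ACL.

```python
from fnmatch import fnmatchcase

# Privilege letter each kadm5 operation needs (the subset relevant here);
# "a" is the "add" privilege named in the appliance's error message.
REQUIRED = {"create_principal": "a", "change_password": "c",
            "modify_principal": "m", "get_principal": "i"}
ALL = set("adlmcipsex")

def _princ_match(pattern, principal):
    # Compare realm and each name component; "*" matches one whole component.
    pp, pr = pattern.split("@"), principal.split("@")
    if len(pp) != 2 or len(pr) != 2 or not fnmatchcase(pr[1], pp[1]):
        return False
    pc, rc = pp[0].split("/"), pr[0].split("/")
    return len(pc) == len(rc) and all(fnmatchcase(r, p) for p, r in zip(pc, rc))

def parse_acl(text):
    # Each entry: client_principal permissions [target_principal]; '#' comments.
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            f = line.split()
            entries.append((f[0], f[1], f[2] if len(f) > 2 else None))
    return entries

def allowed(entries, client, op, target):
    # The first entry whose client (and target, if given) matches decides.
    need = REQUIRED[op]
    for cpat, perms, tpat in entries:
        if _princ_match(cpat, client) and (tpat is None or _princ_match(tpat, target)):
            return need in (ALL if set(perms) & {"*", "x"} else set(perms))
    return False

# Constructed ACLs (hypothetical, not FreeIPA's shipped file): the first hands
# admin@HOME every privilege, as the appliance effectively asks for; the second
# only lets it inquire and change keys ("c", assumed to cover the key
# randomization kadmin ktadd performs) on host/ and nfs/ principals in HOME.
BROAD_ACL = "admin@HOME *\n"
LEAST_ACL = ("admin@HOME ci host/*@HOME\n"
             "admin@HOME ci nfs/*@HOME\n")

def outcome(acl_text, op, target, client="admin@HOME"):
    return allowed(parse_acl(acl_text), client, op, target)

if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("least", LEAST_ACL)):
        for op in ("create_principal", "change_password"):
            print(name, op, outcome(acl, op, "host/zfs1.home@HOME"))
```

With the least-privilege ACL the appliance's kadm5_create_principal request is the "Unauthorized request" seen in kadmind.log, while re-keying a pre-created host or nfs principal still succeeds.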
