Simo,

Thanks for that .. using that switch the principal is now created, on to see if it works as expected ..

rgds

Matt B.

On 11/28/2013 09:10 AM, Simo Sorce wrote:
On Thu, 2013-11-28 at 08:29 +1000, Matt Bryant wrote:
Simo,

Have added the following into bugzilla ..

Bug 1035494 has been added to the database

seems strange but whilst listprincs/getprinc works getpols and the
addprinc (at least in this use case) doesn't...
addprinc not working for normal user principals is expected, we block it
to prevent the creation of incomplete user accounts.

I think getpols is also expected to fail as we use IPA specific
policies.

However it should allow you to create krbtgt/OLD-REALM@IPA-REALM to set
up trusts until we provide an explicit command for it. This is why I
wanted you to open a bug on that.

ie
kadmin.local:  add_principal -pw XXXXXXX krbtgt/OLD-REALM@IPA-REALM
WARNING: no policy specified for krbtgt/OLD-REALM@IPA-REALM;
defaulting to no policy
add_principal: Invalid argument while creating
"krbtgt/OLD-REALM@IPA-REALM".
Now that I think of it, there is an undocumented switch that will allow
you to create an arbitrary principal. This switch should NEVER be used
to create user principals or normal host principals, however it should
allow you to work around the issue until we can fix the kadmin interface.

Use kadmin.local -x ipa-setup-override-restrictions

But please use it exclusively to create the krbtgt/REALM1@REALM2
principals and nothing else.

Simo.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
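A guarded wrapper for the override switch Simo describes above, added here as an example that is not from the thread or from FreeIPA itself. It assumes kadmin.local accepts "-x ipa-setup-override-restrictions" as stated in the thread, and that realm names are uppercase DNS-style labels; the guard refuses anything that is not a krbtgt/REALM1@REALM2 principal with two different realms, so the override cannot be used by accident for user or host principals.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumes "kadmin.local -x
# ipa-setup-override-restrictions" exists as described in the thread and
# that realm names consist of [A-Z0-9.-] (an assumption about this site).

# is_cross_realm_krbtgt PRINCIPAL
# Returns 0 only for krbtgt/REALM1@REALM2 with REALM1 != REALM2. User
# principals, host principals and a realm's own krbtgt are rejected.
is_cross_realm_krbtgt() {
    princ=$1
    case $princ in
        krbtgt/*@*) ;;
        *) return 1 ;;
    esac
    rest=${princ#krbtgt/}
    # Exactly one '@' allowed between the two realm names.
    case $rest in *@*@*) return 1 ;; esac
    remote_realm=${rest%%@*}
    local_realm=${rest#*@}
    for r in "$remote_realm" "$local_realm"; do
        [ -n "$r" ] || return 1
        case $r in *[!A-Z0-9.-]*) return 1 ;; esac
    done
    [ "$remote_realm" != "$local_realm" ]
}

# add_principal_query PRINCIPAL
# Builds the kadmin query. No -pw: kadmin prompts for the key, so the
# secret never lands in argv, process listings or shell history.
add_principal_query() {
    printf 'add_principal %s' "$1"
}

# create_cross_realm_krbtgt PRINCIPAL
# Invokes the override switch only after the name passes the guard.
# KADMIN_LOCAL can point at a different binary (e.g. "echo" for a dry run).
create_cross_realm_krbtgt() {
    if ! is_cross_realm_krbtgt "$1"; then
        echo "refusing to use override for non-krbtgt principal: $1" >&2
        return 2
    fi
    "${KADMIN_LOCAL:-kadmin.local}" -x ipa-setup-override-restrictions \
        -q "$(add_principal_query "$1")"
}
```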
