Coy Hile wrote:
> I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m 
> having difficulty creating the service principal afs/realm-name@REALM. When I 
> use ipa service-add, I get output thusly:
> [root@ipa-us-east-2 ~]# ipa service-add afs/
> ipa: ERROR: The host '' does not exist to add a service to.
> [root@ipa-us-east-2 ~]# ipa service-add afs/ --force
> ipa: ERROR: The host '' does not exist to add a service to.
> It’s an arbitrary principal; it really shouldn’t matter…

You need to create the host first.  

> So, being a knowledgable administrator of both MIT and Heimdal KDCs, I 
> decided to break out kadmin.
> kadmin.local:  ank -randkey -e aes256-cts:normal afs/
> WARNING: no policy specified for afs/; defaulting to 
> no policy
> add_principal: Kerberos database constraints violated while creating 
> "afs/”.

Probably same reason. We don't recommend using kadmin.local in general.

> This brings up two questions:
> Firstly, is there some secret sauce I have to use to make ipa do my bidding 
> here?  On a related note is there a way to restrict enctypes?  Since 
> everything that I’m dealing with is either recent Linux, recent Illumos, or 
> (gag!) sufficiently recent Windows, I’d like to restrict everything to AES 
> only and get rid of des3 and arcfour-hmac.

You can manage the default and enabled encryption types in

I'm not sure if the KDC reads these on the fly so you may want to
restart it after modifying the values.

Or you can control what encryption types are used in keytabs using the
-e option to ipa-getkeytab.

A couple of keytabs are issued during install that will have other keys
so you may want/need to fetch new keytabs if you change the defaults.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to