On Fri, 2015-03-27 at 15:33 -0400, Coy Hile wrote:
> I'm rebuilding my existing heimdal realm using FreeIPA, and right now
> I'm having difficulty creating the service principal
> afs/realm-name@REALM. When I use ipa service-add, I get output thusly:
>
> [root@ipa-us-east-2 ~]# ipa service-add afs/[email protected]
> ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
> [root@ipa-us-east-2 ~]# ipa service-add afs/[email protected] --force
> ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
>
> It's an arbitrary principal; it really shouldn't matter…
We should probably add an RFE to decide how to handle/support these
cases officially, but see later.

> So, being a knowledgeable administrator of both MIT and Heimdal KDCs, I
> decided to break out kadmin.
>
> kadmin.local: ank -randkey -e aes256-cts:normal afs/[email protected]
> WARNING: no policy specified for afs/[email protected];
> defaulting to no policy
> add_principal: Kerberos database constraints violated while creating
> "afs/[email protected]".

Our DAL plugin normally prevents you from adding principals via the
kadmin interface, because kadmin does not know how to create a properly
functional user or service object. It would also create them in the
wrong place (under cn=kerberos,<suffix>).

> This brings up two questions:
>
> Firstly, is there some secret sauce I have to use to make ipa do my
> bidding here?

Glad you asked, there actually is a non-orthodox, non-supported, secret
way :-)
But use it only for principals you know are really not user principals
or normal service principals.
The trick is to use kadmin.local with the switch:
-x ipa-setup-override-restrictions

> On a related note is there a way to restrict enctypes?

Yes, you can do that by setting the appropriate supported and default
enctypes in LDAP.
They are in cn=YOUR.REALM,cn=kerberos,<suffix> in the attributes
krbDefaultEncSaltTypes and krbSupportedEncSaltTypes.
Unfortunately we do not expose this configuration via the UI.

> Since everything that I'm dealing with is either recent Linux,
> recent Illumos, or (gag!) sufficiently recent Windows, I'd like to
> restrict everything to AES only and get rid of des3 and arcfour-hmac.

Good idea, in the IETF Kitten WG we are also starting the process to
deprecate RC4 and 3DES, and we have a ticket to stop using them by
default in FreeIPA too: https://fedorahosted.org/freeipa/ticket/4740

HTH,
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
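The two steps from Simo's reply, as an added example that is not part of the original message and not code from the FreeIPA project: printing the kadmin.local override invocation for an arbitrary principal, generating the LDIF that restricts the realm container's krbDefaultEncSaltTypes and krbSupportedEncSaltTypes to AES, and a check that flags any RC4/3DES entries still present in an ldapsearch dump of that container. The realm EXAMPLE.COM, the suffix dc=example,dc=com, the principal name, the file name aes-only.ldif and the "stock" attribute values in the constructed sample are all assumptions; dump your own realm container with ldapsearch first and compare. Two caveats the thread does not spell out: shrinking the supported list only affects keys generated from then on, so existing principals keep their des3/arcfour keys until re-keyed, and if the realm has an Active Directory trust, check what enctypes that trust relies on before dropping RC4.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeIPA project). Realm, suffix,
# principal and the sample attribute values below are assumed placeholders.

# Step 1: the kadmin.local invocation for a principal that is neither a user
# nor a normal service. Printed rather than executed so it can be reviewed;
# -x passes the option through to the IPA DAL plugin.
override_add_cmd() {
    princ=$1
    printf 'kadmin.local -x ipa-setup-override-restrictions -q "ank -randkey -e aes256-cts:normal %s"\n' "$princ"
}

# Step 2: LDIF that replaces both attributes with AES-only values.
# Usage: aes_only_ldif EXAMPLE.COM 'dc=example,dc=com' > aes-only.ldif
#        ldapmodify -x -D 'cn=Directory Manager' -W -f aes-only.ldif
aes_only_ldif() {
    realm=$1; suffix=$2
    printf 'dn: cn=%s,cn=kerberos,%s\n' "$realm" "$suffix"
    printf 'changetype: modify\n'
    printf 'replace: krbDefaultEncSaltTypes\n'
    printf 'krbDefaultEncSaltTypes: aes256-cts:special\n'
    printf 'krbDefaultEncSaltTypes: aes128-cts:special\n'
    printf -- '-\n'
    printf 'replace: krbSupportedEncSaltTypes\n'
    for t in aes256-cts:normal aes256-cts:special \
             aes128-cts:normal aes128-cts:special; do
        printf 'krbSupportedEncSaltTypes: %s\n' "$t"
    done
}

# Check: read an LDIF dump of the realm container on stdin, e.g. from
#   ldapsearch -x -b 'cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com' \
#       krbDefaultEncSaltTypes krbSupportedEncSaltTypes
# and print every legacy (3DES/RC4/single DES) enc/salt type still listed.
# Returns 0 when the container is AES-only, 1 otherwise.
check_aes_only() {
    if grep -Ei '^krb(Default|Supported)EncSaltTypes: *(des3|arcfour|rc4|des-)'; then
        return 1
    fi
    return 0
}

# Constructed sample (not captured from a real server) resembling a realm
# container that still carries the legacy types the thread wants removed.
SAMPLE_REALM_LDIF='dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special'

# Demo: the sample is flagged (six legacy lines), and the LDIF that would
# fix it is emitted; the generated LDIF itself passes the same check.
if printf '%s\n' "$SAMPLE_REALM_LDIF" | check_aes_only; then
    echo "realm container is already AES-only"
else
    echo "legacy enc/salt types listed above are still enabled; LDIF to apply:" >&2
    aes_only_ldif EXAMPLE.COM 'dc=example,dc=com'
fi
override_add_cmd 'afs/cell.example.com@EXAMPLE.COM'
```

After applying the LDIF, re-run the ldapsearch and pipe it through check_aes_only to confirm the change landed; then re-key the principals that matter (ipa-getkeytab for services, a password change for users) so that their stored des3/arcfour keys actually go away.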
