On Fri, 2015-03-27 at 15:33 -0400, Coy Hile wrote:
> I’m rebuilding my existing heimdal realm using FreeIPA, and right now
> I’m having difficulty creating the service principal
> afs/realm-name@REALM. When I use ipa service-add, I get output thusly:
> [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile....@coyhile.com
> ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
> [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile....@coyhile.com --force
> ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
> It’s an arbitrary principal; it really shouldn’t matter…

We should probably add a RFE to decide how to handle/support these cases
officially, but see later.

> So, being a knowledgable administrator of both MIT and Heimdal KDCs, I
> decided to break out kadmin.
> kadmin.local:  ank -randkey -e aes256-cts:normal
> afs/coyhile....@coyhile.com
> WARNING: no policy specified for afs/coyhile....@coyhile.com;
> defaulting to no policy
> add_principal: Kerberos database constraints violated while creating
> "afs/coyhile....@coyhile.com”.

Our DAL plugin, normally, prevents you from adding principals via the
kadmin interface because kadmin does not know how to create a properly
functional user or service object. It would also create them in the
wrong place (under cn=kerberos,<suffix>).

> This brings up two questions:
> Firstly, is there some secret sauce I have to use to make ipa do my
> bidding here?

Glad you asked, there actually is an non orthodox, non supported, secret
way :-)
But use it only for principals you know are really not user principals
or normal service principals.

The trick is to use kadmin.local with the switch:
  -x ipa-setup-override-restrictions

> On a related note is there a way to restrict enctypes?

Yes, you can do that by setting the appropriate supported and default
enctypes in LDAP. They are in cn=YOUR.REALM,cn=kerberos,<suffix> in the
attributes krbDefaultEncSaltTypes and krbSupportedEncSaltTypes

Unfortunately we do not expose this configuration via the UI.

>   Since everything that I’m dealing with is either recent Linux,
> recent Illumos, or (gag!) sufficiently recent Windows, I’d like to
> restrict everything to AES only and get rid of des3 and arcfour-hmac.

Good idea, in the IETF Kitten WG we are also starting the process to
deprecate RC4 and 3DES and we have a ticket to stop using them by
default in FreeIPA too: https://fedorahosted.org/freeipa/ticket/4740


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to