<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/10/2013 02:54 AM, Mahmoud wrote:
<blockquote
cite="mid:CAOq9=r2Pk=JdG4PMPCGV8KpYQ=UhG+td8ZuKWsS8i_=n310BPg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
I installed Fedora 19.<br>
Each time I change /usr/sbin/krb5kdc, it will not start again.
I get following error:<br>
krb5kdc: Server error - while fetching master key K/M for
realm <a moz-do-not-send="true" href="http://EXAMPLE.COM"
target="_blank">EXAMPLE.COM</a><br>
<br>
</div>
Via reinstalling IPA, the problem will be fixed but I would like
to fix it without reinstalling IPA. When I reinstalled IPA, all
previous stored data has been deleted. Is there any way to
reconfigure Kerberos without deleting database data?<br>
Could you help me, please? <br>
</div>
</blockquote>
<br>
I am not sure what you are trying to do. It seems that you are
trying to have Kerberos with DB and IPA at the same time on the same
machine. I am not sure that would work.<br>
<br>
<blockquote
cite="mid:CAOq9=r2Pk=JdG4PMPCGV8KpYQ=UhG+td8ZuKWsS8i_=n310BPg@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Sep 10, 2013 at 9:49 AM,
Mahmoud <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:gh.mdgh@gmail.com" target="_blank">gh.mdgh@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
<div>Thank you for your response.<br>
</div>
When a user get tgt ticket, he can get service tickets
without typing password. I like to have several level of
users. As high level users have more access to
resources, I want to grant a ticket with less validation
time. In other word, I want to have several ticket life
time due to user levels.<br>
<br>
</div>
Best regards<br>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Sep 10, 2013 at 5:24
AM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 09/09/2013 12:49 PM, Mahmoud wrote:
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Hello Mr. <span name="Dmitri
Pal">Dmitri Pal<br>
<br>
</span></div>
<span name="Dmitri Pal">Thank you very
much for your help.<br>
<br>
</span></div>
<div><span name="Dmitri Pal">I tried to
change source code to have more
option. It was difficult for me to
understand FreeIPA source code.
Hence, I decided to change Kerberos
source code. I want to add more
features to Kerberos. For example, I
like to have two (or several) types
of ticket expiration.<br>
</span></div>
</div>
</div>
</blockquote>
<br>
</div>
What do you mean by several types of ticket
expiration?<br>
Can you please give an example?
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><span name="Dmitri Pal"> </span></div>
<span name="Dmitri Pal"><br>
Thanks<br>
</span></div>
<span name="Dmitri Pal">Best regards<br>
</span></div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Sep 9,
2013 at 8:13 PM, Dmitri Pal <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> On 09/09/2013 10:55 AM,
Mahmoud wrote:
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
Thank you very much for
your time and attention.<br>
<br>
</div>
I changed client side code
(kinit.c) but it requires to
change all clients. Now, I
decided to change server
side code.<br>
</div>
</blockquote>
<br>
</div>
It seems that you should try to
contribute code upstream if you
want to end up with any kind of
support of your enhancements,
otherwise you would have to
maintain your own version.
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div
class="gmail_extra">I
thought it may be
better choice.
Should I change
policy.c file to
change ticket
policies? </div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
What policies do you want to
change and why? You might have
described your intent on some
other thread in some other list
but not here.
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div
class="gmail_extra">It
does not require
recompiling
krb5kdc?<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
I suspect it does...
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div
class="gmail_extra">I
install FreeIPA on
Fedora 18, When I
execute klist -V
command, hence get
following result:<br>
Kerberos 5 version
1.10.3 <br>
</div>
<div
class="gmail_extra"><br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
Fedora 19 has 1.11<br>
<br>
IMO the best would be to have a
details explanation of what you
are trying to accomplish.<br>
This way we would be able to help
you with the right approach.<br>
But it seems that building custom
code might not be best option.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div
class="gmail_extra">Best
regards.<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 9, 2013
at 6:00 PM, Simo
Sorce <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;border-left:1px
solid
rgb(204,204,204);padding-left:1ex">
<div>On Mon,
2013-09-09 at
08:07 +0430,
Mahmoud wrote:<br>
> Hello
Simo<br>
><br>
><br>
> The
previous
problem
occurred due
to installing
krb5-1.11.3. I
install<br>
>
krb5-1.10.6
and copy
ipadb.so in
appropriate
directory,
hence the<br>
> problem
has been
solved. Is it
all right?<br>
<br>
<br>
</div>
No it is not,
we require
1.11.3 for OTP
support in the
latest
FreeIPA.<br>
<br>
Seriously,
chaingin the
KDC is the
last thing you
want to do to
solve<br>
your problem.<br>
<br>
Have you
looked into
creating
custom ticket
policies for
your users ?<br>
<br>
Why do you
need to change
the KDC to do
that ?<br>
<span><font
color="#888888"><br>
Simo.<br>
</font></span>
<div>><br>
> Thank
you.<br>
><br>
> Best
regards.<br>
><br>
><br>
><br>
> On Mon,
Sep 9, 2013 at
7:47 AM, Luke
Howard <<a
moz-do-not-send="true" href="mailto:lukeh@padl.com" target="_blank">lukeh@padl.com</a>>
wrote:<br>
><br>
>
On 09/09/2013,
at 1:08 PM,
Mahmoud <<a
moz-do-not-send="true" href="mailto:gh.mdgh@gmail.com" target="_blank">gh.mdgh@gmail.com</a>>
wrote:<br>
><br>
>
> I thought
FreeIpa uses
krb5-1.10.3,
but I use
klist -V get<br>
>
following
result:<br>
>
> Kerberos
5 version
1.10.3<br>
><br>
><br>
>
Aren't these
the same
thing?<br>
><br>
>
-- Luke<br>
><br>
><br>
<br>
<br>
</div>
<div>
<div>--<br>
Simo Sorce *
Red Hat, Inc *
New York<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<div> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
<br>
_______________________________________________<br>
Freeipa-devel mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-devel@redhat.com"
target="_blank">Freeipa-devel@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-devel"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>