<div dir="ltr"><div><div>Hello,<br><br></div>I installed Fedora 19.<br>Each time I change /usr/sbin/krb5kdc, it will not start again. I get the following error:<br>krb5kdc: Server error - while fetching master key K/M for realm <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a><br>
<br></div>Reinstalling IPA fixes the problem, but I would like to fix it without reinstalling IPA. When I reinstalled IPA, all previously stored data was deleted.  Is there any way to reconfigure Kerberos without deleting database data?<br>
Could you help me, please? <br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 10, 2013 at 9:49 AM, Mahmoud <span dir="ltr"><<a href="mailto:gh.mdgh@gmail.com" target="_blank">gh.mdgh@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hello,<br><br></div><div>Thank you for your response.<br></div>When a user gets a TGT ticket, he can get service tickets without typing a password. I would like to have several levels of users. As high-level users have more access to resources, I want to grant them a ticket with less validation time. In other words, I want to have several ticket lifetimes depending on user level.<br>

<br></div>Best regards<br>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 10, 2013 at 5:24 AM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div>
    On 09/09/2013 12:49 PM, Mahmoud wrote:
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>Hello Mr. <span name="Dmitri Pal">Dmitri Pal<br>
                <br>
              </span></div>
            <span name="Dmitri Pal">Thank you very much for
              your help.<br>
              <br>
            </span></div>
          <div><span name="Dmitri Pal">I tried to change the source
              code to have more options. It was difficult for me to
              understand the FreeIPA source code. Hence, I decided to change
              the Kerberos source code. I want to add more features to
              Kerberos. For example, I would like to have two (or several)
              types of ticket expiration.<br>
            </span></div>
        </div>
      </div>
    </blockquote>
    <br></div>
    What do you mean by several types of ticket expiration?<br>
    Can you please give an example?<div><div><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div><span name="Dmitri Pal">
            </span></div>
          <span name="Dmitri Pal"><br>
            Thanks<br>
          </span></div>
        <span name="Dmitri Pal">Best regards<br>
        </span></div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Mon, Sep 9, 2013 at 8:13 PM, Dmitri
          Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div> On 09/09/2013 10:55 AM, Mahmoud wrote:
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>Hello,<br>
                        <br>
                      </div>
                      Thank you very much for your time and attention.<br>
                      <br>
                    </div>
                    I changed the client-side code (kinit.c), but that requires
                    changing all clients. Now, I have decided to change
                    the server-side code.<br>
                  </div>
                </blockquote>
                <br>
              </div>
              It seems that you should try to contribute code upstream
              if you want to end up with any kind of support of your
              enhancements, otherwise you would have to maintain your
              own version.
              <div><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>
                          <div>
                            <div class="gmail_extra">I thought it may be
                              a better choice. Should I change the policy.c
                              file to change ticket policies? </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
              What policies do you want to change and why? You might
              have described your intent on some other thread in some
              other list but not here.
              <div><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>
                          <div>
                            <div class="gmail_extra">It does not require
                              recompiling krb5kdc?<br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
              I suspect it does...
              <div><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>
                          <div>
                            <div class="gmail_extra">I installed FreeIPA
                              on Fedora 18. When I execute the klist -V
                              command, I get the following result:<br>
                              Kerberos 5 version 1.10.3 <br>
                            </div>
                            <div class="gmail_extra"><br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              Fedora 19 has 1.11<br>
              <br>
              IMO the best would be to have a detailed explanation of
              what you are trying to accomplish.<br>
              This way we would be able to help you with the right
              approach.<br>
              But it seems that building custom code might not be the best
              option.<br>
              <br>
              Thanks<br>
              Dmitri<br>
              <br>
              <br>
              <blockquote type="cite">
                <div>
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>
                          <div>
                            <div class="gmail_extra">Best regards.<br>
                            </div>
                            <div class="gmail_extra"><br>
                              <div class="gmail_quote">On Mon, Sep 9,
                                2013 at 6:00 PM, Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span>
                                wrote:<br>
                                <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                  <div>On Mon, 2013-09-09 at 08:07
                                    +0430, Mahmoud wrote:<br>
                                    > Hello Simo<br>
                                    ><br>
                                    ><br>
                                    > The previous problem occurred
                                    due to installing krb5-1.11.3. I
                                    installed<br>
                                    > krb5-1.10.6 and copied ipadb.so
                                    to the appropriate directory, hence the<br>
                                    > problem has been solved. Is it
                                    all right?<br>
                                    <br>
                                    <br>
                                  </div>
                                  No it is not, we require 1.11.3 for
                                  OTP support in the latest FreeIPA.<br>
                                  <br>
                                  Seriously, changing the KDC is the
                                  last thing you want to do to solve<br>
                                  your problem.<br>
                                  <br>
                                  Have you looked into creating custom
                                  ticket policies for your users ?<br>
                                  <br>
                                  Why do you need to change the KDC to
                                  do that ?<br>
                                  <span><font color="#888888"><br>
                                      Simo.<br>
                                    </font></span>
                                  <div>><br>
                                    > Thank you.<br>
                                    ><br>
                                    > Best regards.<br>
                                    ><br>
                                    ><br>
                                    ><br>
                                    > On Mon, Sep 9, 2013 at 7:47 AM,
                                    Luke Howard <<a href="mailto:lukeh@padl.com" target="_blank">lukeh@padl.com</a>>

                                    wrote:<br>
                                    ><br>
                                    >         On 09/09/2013, at 1:08
                                    PM, Mahmoud <<a href="mailto:gh.mdgh@gmail.com" target="_blank">gh.mdgh@gmail.com</a>>

                                    wrote:<br>
                                    ><br>
                                    >         > I thought FreeIPA
                                    uses krb5-1.10.3, but when I use klist -V
                                    I get the<br>
                                    >         following result:<br>
                                    >         > Kerberos 5 version
                                    1.10.3<br>
                                    ><br>
                                    ><br>
                                    >         Aren't these the same
                                    thing?<br>
                                    ><br>
                                    >         -- Luke<br>
                                    ><br>
                                    ><br>
                                    <br>
                                    <br>
                                  </div>
                                  <div>
                                    <div>--<br>
                                      Simo Sorce * Red Hat, Inc * New
                                      York<br>
                                      <br>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                              <br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                  <br>
                  <br>
                </div>
                <pre>_______________________________________________
Freeipa-devel mailing list
<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
              </blockquote>
              <div> <br>
                <br>
                <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>