<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 11/07/2012 5:46 PM, Dmitri Pal wrote: <blockquote cite="mid:4FFDF44D.4030509@redhat.com" type="cite"> <pre wrap="">On 07/11/2012 04:01 PM, Qing Chang wrote: </pre> <blockquote type="cite"> <pre wrap=""> On 11/07/2012 3:23 PM, Simo Sorce wrote: </pre> <blockquote type="cite"> <pre wrap="">On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote: </pre> <blockquote type="cite"> <pre wrap="">Because the integration of Kerberos in IPA, Kerberos tools can be used only in limited situations, when creating afs/DOMAIN@REALM with kadmin, I got this error: add_principal: Kerberos database constraints violated while creating "afs/DOMAIN@REALM" </pre> </blockquote> <pre wrap="">Use ipa service-add to add services, never use kadmin.local, it will not work, we hard-coded failures in the DB driver to prevent users from doing that as kadmin doesn't know where to put and how to properly fill up objects. However you can use kadmin.local on a pre-existing principal to obtain a new keytab. Simo. </pre> </blockquote> <pre wrap="">keytab with v4 salt was created successfully using kadmin, unfortunately OpenAFS still spit out th same error message:[root@smb1 ~]# fs setacl /afs system:anyuser rl fs: You don't have the required access rights on '/afs' When --force was used with ipa servcie-add to created afs/DOMAIN@REALM, IPA still does not like the fact the is no host entry: [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to. </pre> </blockquote> </blockquote> sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created keytab with no salt: ===== kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs. kadmin.local: getprinc afs/openafs.sri.utoronto.ca Principal: <a class="moz-txt-link-abbreviated" href="mailto:afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA">afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA</a> Expiration date: [never] Last password change: Thu Jul 12 15:08:16 EDT 2012 Password expiration date: [none] Maximum ticket life: 1 day 00:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Thu Jul 12 15:08:16 EDT 2012 (<a class="moz-txt-link-abbreviated" href="mailto:admin/admin@SRI.UTORONTO.CA">admin/admin@SRI.UTORONTO.CA</a>) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 20, des-cbc-crc, no salt MKey: vno 1 Attributes: REQUIRES_PRE_AUTH Policy: [none] ===== I also tried ":normal" and ":afs3", no salts added for any types. Is the IPA code not doing it, or I am missing something? Thanks, Qing <blockquote cite="mid:4FFDF44D.4030509@redhat.com" type="cite"> <pre wrap=""> Is there any problem of adding host entries into IPA? ipa host-add will create a host entry. It is not mean that you have to do something else with it. </pre> <blockquote type="cite"> <pre wrap=""> Thanks, Qing _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> <pre wrap=""> </pre> </blockquote> </body> </html>