<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 12/17/2012 07:15 PM, Johan Petersson wrote:
    <blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <style type="text/css" id="owaParaStyle"></style>
      <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
        0); font-size: 10pt;">Hi,
        <div><br>
        </div>
        <div>
          <div>When trying to generate a host and nfs principal + keys
             from the Oracle ZFS 7120/7320 Appliance I get the following
            error message (note that the information pasted is from a
            simulator, but I get exactly the same error from our real
            Appliances).</div>
          <div>I can't generate a key on the IPA server and copy it to
            the Appliance; unfortunately it does not support that, since
            it has a specialised web interface and CLI.</div>
          <div>The Appliance wants to generate the principals and keys
            itself after I add the Kerberos information realm/KDC and
            admin principal.</div>
          <div><br>
          </div>
          <div>NTP is synced and DNS is working with reverse, no
            firewalls and SELinux disabled.</div>
          <div><br>
          </div>
          <div>I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as
            IPA servers with the same results.</div>
          <div><br>
          </div>
          <div>Any ideas on what is wrong and if it is possible to get
            it working?</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>An unanticipated system error occurred:</div>
          <div><br>
          </div>
          <div>failed to create principal 'host/zfs1.home@HOME':
            libkadm5clnt error: 43787522 (Operation requires ``add''
            privilege)</div>
        </div>
      </div>
    </blockquote>
    <br>
    Do you have this principal already pre-created?<br>
    It seems that the client tries to create a principal using its
    kadmin library. I am not sure it would work. <br>
    The protocol we use in ipa-getkeytab is not a kadmin protocol. As
    far as I recall it does an LDAP extended operation.<br>
    <br>
    <blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <div>
          <div><br>
          </div>
          <div>Exception type: coXmlrpcFault</div>
          <div>Native message: failed to create principal
            'host/zfs1.home@HOME': libkadm5clnt error: 43787522
            (Operation requires ``add'' privilege)</div>
          <div>Mapped stack trace:</div>
          <div><br>
          </div>
          <div>Native file: &lt;undefined&gt; line ?</div>
          <div>Native stack trace:</div>
          <div>Message: &lt;none&gt;</div>
          <div>Wrapped exception: &lt;none&gt;</div>
          <div>Stack trace:</div>
          <div>&lt;none&gt;</div>
          <div><br>
          </div>
          <div>    at
            <a class="moz-txt-link-freetext" href="https://192.168.0.112:215/lib/crazyolait/index.js:370:21">https://192.168.0.112:215/lib/crazyolait/index.js:370:21</a></div>
          <div>Additional native members:</div>
          <div>    faultCode: 600</div>
          <div>    faultString: failed to create principal
            'host/zfs1.home@HOME': libkadm5clnt error: 43787522
            (Operation requires ``add'' privilege)</div>
          <div>    coStack: top.akMulticall(argv:&lt;array&gt; "[object
            Object]", abort:true, func:&lt;function&gt; "function (ret,
            err, idx) {\n\t\t\tif (err &amp;&amp; err.faultName !==
            'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set:
            widget.aknsn_vs
            });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")</div>
          <div>nasServiceNFS.prototype.commit(callback:&lt;function&gt;
            "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t  
             set: view.aksvc_current_set\n\t\t    })) {\n\t\t\tif
            (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t

            */\n\t\tview.changed(false);\n\n\t\tif (enable === false)
            {\n\t\t\tif
            (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t
               akSvc.AK_SVC_STATE_ONLINE, function (ret, err)
            {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif
            (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else
            {\n\t\t\t\tif
            (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")</div>
          <div>akSvcView.prototype.commitToServer(enable:false,
            callback:&lt;function&gt; "function (error)
            {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif
            (view.aksvc_done &amp;&amp;
            !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")</div>
          <div>akSvcView.prototype.commit(callback:null)</div>
          <div>&lt;anonymous&gt;(&lt;object&gt; "[object Object]",
            &lt;object&gt; "[object MouseEvent]")</div>
          <div>&lt;anonymous&gt;(e:&lt;object&gt; "[object MouseEvent]")</div>
          <div>[akEventListenerWrap,click,undefined](e:&lt;object&gt;
            "[object MouseEvent]")</div>
          <div><br>
          </div>
          <div>    faultName: EAK_KADM5</div>
          <div><br>
          </div>
          <div>In the kadmind.log on the IPA server I get the following:</div>
          <div><br>
          </div>
          <div>Dec 17 23:12:05 server.home kadmind[3614](Notice):
            Request: kadm5_init, admin@HOME, success, client=admin@HOME,
            service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2,
            flavor=6</div>
          <div>Dec 17 23:12:05 server.home kadmind[3614](Notice):
            Unauthorized request: kadm5_create_principal,
            host/zfs1.home@HOME, client=admin@HOME,
            service=kadmin/server.home@HOME, addr=192.168.0.112</div>
          <div><br>
          </div>
          <div>And in the krb5kdc.log:</div>
          <div><br>
          </div>
          <div>Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ
            (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112:
            CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME,
            Client not found in Kerberos database</div>
          <div>Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ
            (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112:
            CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME,
            Client not found in Kerberos database</div>
          <div><br>
          </div>
          <div>If I add the host in IPA, I instead get:</div>
          <div><br>
          </div>
          <div>Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
            CONSTRAINED-DELEGATION s4u-client=admin@HOME</div>
          <div>Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ
            (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112:
            NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME,
            Additional pre-authentication required</div>
          <div>Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ
            (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE:
            authtime 1355784515, etypes {rep=18 tkt=18 ses=18},
            admin@HOME for kadmin/server.home@HOME</div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
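    <p>Added example (not from either message in this thread, nor from IPA or the appliance): a small Python triage script that runs over the kadmind and krb5kdc lines Johan quoted above and surfaces the pattern Dmitri describes, a kadmin client that is refused kadm5_create_principal by kadmind while the KDC reports the same principal as nonexistent, which is what a client trying to create its own principal over the kadmin protocol, rather than having it pre-created in IPA, looks like from the server side. The log sample is constructed from the quoted lines (plus one ordinary ISSUE line so the filters have something to ignore), and the regular expressions are my assumptions about the MIT krb5 log format as it appears in those lines, not an official grammar.</p>

```python
import re

# Constructed sample: the kadmind.log and krb5kdc.log lines quoted in the
# thread, plus one ordinary ISSUE line that the filters must ignore.
SAMPLE_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
"""

# Assumed shapes of the two line types, derived only from the quoted lines.
UNAUTHORIZED_RE = re.compile(
    r"kadmind\[\d+\]\(\w+\): Unauthorized request: (?P<op>\w+), (?P<target>\S+), "
    r"client=(?P<client>\S+), service=(?P<service>\S+), addr=(?P<addr>[\d.]+)"
)
CLIENT_NOT_FOUND_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ .*? (?P<addr>[\d.]+): CLIENT_NOT_FOUND: "
    r"(?P<client>\S+) for (?P<server>\S+),"
)


def parse_unauthorized(log_text):
    """Every kadmind 'Unauthorized request' as (op, target, client, addr)."""
    hits = []
    for line in log_text.splitlines():
        m = UNAUTHORIZED_RE.search(line)
        if m:
            hits.append((m["op"], m["target"], m["client"], m["addr"]))
    return hits


def parse_client_not_found(log_text):
    """Every AS_REQ the KDC rejected with CLIENT_NOT_FOUND as (principal, addr)."""
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_NOT_FOUND_RE.search(line)
        if m:
            hits.append((m["client"], m["addr"]))
    return hits


def triage(log_text):
    """Correlate the two sources: a refused kadm5_create_principal whose target
    the KDC also reports as nonexistent, from the same address, is a client
    trying to create its own principal over kadmin RPC instead of via IPA."""
    missing = set(parse_client_not_found(log_text))
    findings = []
    for op, target, client, addr in parse_unauthorized(log_text):
        findings.append({
            "op": op,
            "target": target,
            "client": client,
            "addr": addr,
            "self_provisioning": op == "kadm5_create_principal"
                                 and (target, addr) in missing,
        })
    return findings


def summarize(log_text):
    """One human-readable line per finding, for whoever is reading the logs."""
    lines = []
    for f in triage(log_text):
        msg = f"{f['client']} from {f['addr']} was refused {f['op']} on {f['target']}"
        if f["self_provisioning"]:
            msg += (" (KDC also has no such principal: the client is"
                    " self-provisioning over kadmin; pre-create it in IPA instead)")
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

    <p>Run it as-is to see the one finding for the quoted logs, or feed it the real files (for example <code>triage(open("/var/log/kadmind.log").read() + open("/var/log/krb5kdc.log").read())</code>). The correlation key is (principal, client address) rather than just the principal, so an unrelated CLIENT_NOT_FOUND from another host does not get blamed on the kadmin client.</p>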
  </body>
</html>