<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 12/17/2012 07:15 PM, Johan Petersson wrote:
<blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style type="text/css" id="owaParaStyle"></style>
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">Hi,
<div><br>
</div>
<div>
<div>When trying to generate a host and nfs principal + keys
from the Oracle ZFS 7120/7320 Appliance I get the following
error message (note that the information pasted is from a
simulator, but I get exactly the same error from our real
Appliances).</div>
<div>I can't generate a key on the IPA server and copy it to
the Appliance; unfortunately it does not support that, since
it has a specialised web interface and CLI.</div>
<div>The Appliance wants to generate the principals and keys
itself after I add the Kerberos information (realm/KDC and
admin principal).</div>
<div><br>
</div>
<div>NTP is synced and DNS is working (including reverse); there
are no firewalls and SELinux is disabled.</div>
<div><br>
</div>
<div>I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as
IPA servers with the same results.</div>
<div><br>
</div>
<div>Any ideas on what is wrong and if it is possible to get
it working?</div>
<div><br>
</div>
<div><br>
</div>
<div>An unanticipated system error occurred:</div>
<div><br>
</div>
<div>failed to create principal 'host/zfs1.home@HOME':
libkadm5clnt error: 43787522 (Operation requires ``add''
privilege)</div>
</div>
</div>
</blockquote>
<br>
Do you have this principal already precreated?<br>
It seems that the client tries to create a principal using its
kadmin library. I am not sure it would work. <br>
The protocol we use in ipa-getkeytab is not a kadmin protocol. As
far as I recall, it does an LDAP extended operation.<br>
<br>
<blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<div>
<div><br>
</div>
<div>Exception type: coXmlrpcFault</div>
<div>Native message: failed to create principal
'host/zfs1.home@HOME': libkadm5clnt error: 43787522
(Operation requires ``add'' privilege)</div>
<div>Mapped stack trace:</div>
<div><br>
</div>
<div>Native file: &lt;undefined&gt; line ?</div>
<div>Native stack trace:</div>
<div>Message: &lt;none&gt;</div>
<div>Wrapped exception: &lt;none&gt;</div>
<div>Stack trace:</div>
<div>&lt;none&gt;</div>
<div><br>
</div>
<div> at
<a class="moz-txt-link-freetext" href="https://192.168.0.112:215/lib/crazyolait/index.js:370:21">https://192.168.0.112:215/lib/crazyolait/index.js:370:21</a></div>
<div>Additional native members:</div>
<div> faultCode: 600</div>
<div> faultString: failed to create principal
'host/zfs1.home@HOME': libkadm5clnt error: 43787522
(Operation requires ``add'' privilege)</div>
<div> coStack: top.akMulticall(argv:&lt;array&gt; "[object
Object]", abort:true, func:&lt;function&gt; "function (ret,
err, idx) {\n\t\t\tif (err &amp;&amp; err.faultName !==
'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set:
widget.aknsn_vs
});\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")</div>
<div>nasServiceNFS.prototype.commit(callback:&lt;function&gt;
"function (err) {\n\t\tif (akHandleFault(err, {\n\t\t
set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif
(callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t
*/\n\t\tview.changed(false);\n\n\t\tif (enable === false)
{\n\t\t\tif
(callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t
akSvc.AK_SVC_STATE_ONLINE, function (ret, err)
{\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif
(callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else
{\n\t\t\t\tif
(callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")</div>
<div>akSvcView.prototype.commitToServer(enable:false,
callback:&lt;function&gt; "function (error)
{\n\t\t\takStopWaiting(function () {\n\t\t\t\tif
(view.aksvc_done &amp;&amp;
!error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")</div>
<div>akSvcView.prototype.commit(callback:null)</div>
<div>&lt;anonymous&gt;(&lt;object&gt; "[object Object]",
&lt;object&gt; "[object MouseEvent]")</div>
<div>&lt;anonymous&gt;(e:&lt;object&gt; "[object MouseEvent]")</div>
<div>[akEventListenerWrap,click,undefined](e:&lt;object&gt;
"[object MouseEvent]")</div>
<div><br>
</div>
<div> faultName: EAK_KADM5</div>
<div><br>
</div>
<div>In the kadmind.log on the IPA server I get the following:</div>
<div><br>
</div>
<div>Dec 17 23:12:05 server.home kadmind[3614](Notice):
Request: kadm5_init, admin@HOME, success, client=admin@HOME,
service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2,
flavor=6</div>
<div>Dec 17 23:12:05 server.home kadmind[3614](Notice):
Unauthorized request: kadm5_create_principal,
host/zfs1.home@HOME, client=admin@HOME,
service=kadmin/server.home@HOME, addr=192.168.0.112</div>
<div><br>
</div>
<div>And in the krb5kdc.log:</div>
<div><br>
</div>
<div>Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ
(7 etypes {18 17 16 23 24 3 1}) 192.168.0.112:
CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME,
Client not found in Kerberos database</div>
<div>Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ
(7 etypes {18 17 16 23 24 3 1}) 192.168.0.112:
CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME,
Client not found in Kerberos database</div>
<div><br>
</div>
<div>If I add the host in IPA I instead get:</div>
<div><br>
</div>
<div>Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
CONSTRAINED-DELEGATION s4u-client=admin@HOME</div>
<div>Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ
(7 etypes {18 17 16 23 24 3 1}) 192.168.0.112:
NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME,
Additional pre-authentication required</div>
<div>Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ
(7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE:
authtime 1355784515, etypes {rep=18 tkt=18 ses=18},
admin@HOME for kadmin/server.home@HOME</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
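<br>
The kadmind and krb5kdc lines quoted above carry the diagnosis: kadmind logs kadm5_init as a success for admin@HOME and then an "Unauthorized request" for kadm5_create_principal, so the appliance authenticated but the kadmind ACL does not give that principal the add privilege the error text names, and the KDC answers CLIENT_NOT_FOUND for host/zfs1.home@HOME because nothing has created it yet. The script below is an added example, not code from this thread or from FreeIPA: it parses those two log formats and reports the refused kadmin operations (with the kadm5.acl privilege letter, following MIT's a/d/m/c convention) and the principals the KDC does not know. Its sample lines are a constructed copy of the ones pasted above, and the function and class names are the example's own.
<br>

```python
"""Triage kadmind / krb5kdc log lines like those quoted in the thread.
Added example, not code from the post or from FreeIPA: it reports kadmin
operations the kadmind ACL refused and principals the KDC says do not exist."""
import re
from dataclasses import dataclass

# Constructed sample: a copy of the six complete lines quoted in the thread
# (the truncated "... CONSTRAINED-DELEGATION" line is not shown in full there).
SAMPLE_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
"""

# kadm5 operation -> kadm5.acl privilege, MIT convention (a=add, d=delete,
# m=modify, c=changepw). The thread's error names the first: "requires ``add''".
REQUIRED_PRIV = {
    "kadm5_create_principal": "a (add)",
    "kadm5_delete_principal": "d (delete)",
    "kadm5_modify_principal": "m (modify)",
    "kadm5_chpass_principal": "c (changepw)",
}

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
KADMIND_RE = re.compile(
    TS + r"kadmind\[\d+\]\(\w+\): (?P<kind>Unauthorized request|Request): "
    r"(?P<op>\w+), (?P<target>[^,]+), (?:(?P<status>[^,=]+), )?"
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), addr=(?P<addr>[^,\s]+)")
KDC_RE = re.compile(
    TS + r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<addr>[^:\s]+): (?P<code>[A-Z_-]+): (?P<rest>.*)$")
# "client for server[, detail]" at the tail of a krb5kdc line (ISSUE lines put
# authtime/etypes in front of it, hence search() rather than match()).
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<detail>.*))?$")

@dataclass
class KadminEvent:
    op: str
    target: str
    client: str
    addr: str
    authorized: bool
    status: str = None  # "success" etc.; None on an "Unauthorized request" line

@dataclass
class KdcEvent:
    req: str
    code: str  # ISSUE, CLIENT_NOT_FOUND, NEEDED_PREAUTH, ...
    client: str
    server: str
    addr: str
    detail: str = None

def parse_line(line):
    """One log line -> KadminEvent / KdcEvent, or None for unmodelled lines."""
    m = KADMIND_RE.match(line)
    if m:
        denied = m.group("kind") == "Unauthorized request"
        return KadminEvent(m.group("op"), m.group("target"), m.group("client"),
                           m.group("addr"), not denied, m.group("status"))
    m = KDC_RE.match(line)
    if m:
        p = PRINCIPALS_RE.search(m.group("rest"))
        if p:
            return KdcEvent(m.group("req"), m.group("code"), p.group("client"),
                            p.group("server"), m.group("addr"), p.group("detail"))
    return None

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def acl_denials(events):
    """(client, op, target, privilege needed) for each request kadmind refused.
    In the sample, kadm5_init succeeded a moment earlier: the caller did
    authenticate, and it is the kadm5 ACL, not the credentials, that stops it."""
    return [(ev.client, ev.op, ev.target, REQUIRED_PRIV.get(ev.op, "?"))
            for ev in events if isinstance(ev, KadminEvent) and not ev.authorized]

def missing_principals(events):
    """Principals the KDC answered CLIENT_NOT_FOUND for, i.e. never created."""
    return sorted({ev.client for ev in events
                   if isinstance(ev, KdcEvent) and ev.code == "CLIENT_NOT_FOUND"})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, op, target, priv in acl_denials(evs):
        print(f"ACL denial: {client} -> {op} on {target}, needs {priv}")
    for name in missing_principals(evs):
        print(f"not in KDC database yet: {name}")
```

Run as a script it prints one ACL denial (admin@HOME calling kadm5_create_principal on host/zfs1.home@HOME, needing "a (add)") and the two principals the KDC reported as absent; lines it does not model, such as the truncated CONSTRAINED-DELEGATION entry, are skipped rather than guessed at. Which side to fix follows from which list a line lands in: an ACL denial is a kadmind authorization question, a CLIENT_NOT_FOUND means the principal has to be created (in IPA, by adding the host) before any keytab can be fetched for it.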
</body>
</html>