[Freeipa-devel] ipadb.so
Dmitri Pal
dpal at redhat.com
Tue Sep 10 15:00:50 UTC 2013
On 09/10/2013 02:54 AM, Mahmoud wrote:
> Hello,
>
> I installed Fedora 19.
> Each time I change /usr/sbin/krb5kdc, it will not start again. I get
> the following error:
> krb5kdc: Server error - while fetching master key K/M for realm
> EXAMPLE.COM
>
> By reinstalling IPA, the problem will be fixed, but I would like to
> fix it without reinstalling IPA. When I reinstalled IPA, all previously
> stored data was deleted. Is there any way to reconfigure
> Kerberos without deleting database data?
> Could you help me, please?
I am not sure what you are trying to do. It seems that you are trying to
have Kerberos with DB and IPA at the same time on the same machine. I am
not sure that would work.
>
>
> On Tue, Sep 10, 2013 at 9:49 AM, Mahmoud <gh.mdgh at gmail.com> wrote:
>
> Hello,
>
> Thank you for your response.
> When a user gets a TGT, he can get service tickets without
> typing a password. I would like to have several levels of users. As
> high-level users have more access to resources, I want to grant them a
> ticket with less validation time. In other words, I want to have
> several ticket lifetimes according to user levels.
>
> Best regards
>
>
> On Tue, Sep 10, 2013 at 5:24 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 09/09/2013 12:49 PM, Mahmoud wrote:
>> Hello Mr. Dmitri Pal
>>
>> Thank you very much for your help.
>>
>> I tried to change the source code to have more options. It was
>> difficult for me to understand the FreeIPA source code. Hence, I
>> decided to change the Kerberos source code. I want to add more
>> features to Kerberos. For example, I would like to have two (or
>> several) types of ticket expiration.
>
> What do you mean by several types of ticket expiration?
> Can you please give an example?
>
>
>>
>> Thanks
>> Best regards
>>
>>
>> On Mon, Sep 9, 2013 at 8:13 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 09/09/2013 10:55 AM, Mahmoud wrote:
>>> Hello,
>>>
>>> Thank you very much for your time and attention.
>>>
>>> I changed the client-side code (kinit.c), but that requires
>>> changing all clients. Now, I have decided to change the server-side
>>> code.
>>
>> It seems that you should try to contribute code upstream
>> if you want to end up with any kind of support of your
>> enhancements, otherwise you would have to maintain your
>> own version.
>>
>>
>>> I thought it may be a better choice. Should I change the
>>> policy.c file to change ticket policies?
>>
>> What policies do you want to change and why? You might
>> have described your intent on some other thread in some
>> other list but not here.
>>
>>
>>> It does not require recompiling krb5kdc?
>>
>> I suspect it does...
>>
>>
>>> I installed FreeIPA on Fedora 18. When I execute the klist -V
>>> command, I get the following result:
>>> Kerberos 5 version 1.10.3
>>>
>> Fedora 19 has 1.11
>>
>> IMO the best would be to have a detailed explanation of
>> what you are trying to accomplish.
>> This way we would be able to help you with the right
>> approach.
>> But it seems that building custom code might not be the best
>> option.
>>
>> Thanks
>> Dmitri
>>
>>
>>> Best regards.
>>>
>>> On Mon, Sep 9, 2013 at 6:00 PM, Simo Sorce <simo at redhat.com> wrote:
>>>
>>> On Mon, 2013-09-09 at 08:07 +0430, Mahmoud wrote:
>>> > Hello Simo
>>> >
>>> >
>>> > The previous problem occurred due to installing krb5-1.11.3. I installed
>>> > krb5-1.10.6 and copied ipadb.so into the appropriate directory, hence the
>>> > problem has been solved. Is it all right?
>>>
>>>
>>> No it is not, we require 1.11.3 for OTP support in the latest FreeIPA.
>>>
>>> Seriously, changing the KDC is the last thing you want to do to solve
>>> your problem.
>>>
>>> Have you looked into creating custom ticket policies for your users?
>>>
>>> Why do you need to change the KDC to do that?
>>>
>>> Simo.
>>> >
>>> > Thank you.
>>> >
>>> > Best regards.
>>> >
>>> >
>>> >
>>> > On Mon, Sep 9, 2013 at 7:47 AM, Luke Howard <lukeh at padl.com> wrote:
>>> >
>>> > On 09/09/2013, at 1:08 PM, Mahmoud <gh.mdgh at gmail.com> wrote:
>>> >
>>> > > I thought FreeIPA uses krb5-1.10.3, but when I use klist -V I get
>>> > > the following result:
>>> > > Kerberos 5 version 1.10.3
>>> >
>>> >
>>> > Aren't these the same thing?
>>> >
>>> > -- Luke
>>> >
>>> >
>>>
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.