[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

Johan Petersson Johan.Petersson at sscspace.com
Tue Dec 18 00:15:42 UTC 2012


Hi,

When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance I get the following error message (note that the information pasted is from a simulator, but I get exactly the same error from our real Appliances).
I can't generate a key on the IPA server and copy it to the Appliance; unfortunately it does not support that, since it has a specialised web interface and CLI.
The Appliance wants to generate the principals and keys itself after I add the Kerberos information (realm/KDC and admin principal).

NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled.

I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the same results.

Any ideas on what is wrong and if it is possible to get it working?


An unanticipated system error occurred:

failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)

Exception type: coXmlrpcFault
Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
Mapped stack trace:

Native file: <undefined> line ?
Native stack trace:
Message: <none>
Wrapped exception: <none>
Stack trace:
<none>

    at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
Additional native members:
    faultCode: 600
    faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
    coStack: top.akMulticall(argv:<array> "[object Object]", abort:true, func:<function> "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
nasServiceNFS.prototype.commit(callback:<function> "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t    set: view.aksvc_current_set\n\t\t    })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t    akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
akSvcView.prototype.commitToServer(enable:false, callback:<function> "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
akSvcView.prototype.commit(callback:null)
<anonymous>(<object> "[object Object]", <object> "[object MouseEvent]")
<anonymous>(e:<object> "[object MouseEvent]")
[akEventListenerWrap,click,undefined](e:<object> "[object MouseEvent]")

    faultName: EAK_KADM5

In the kadmind.log on the IPA server I get the following:

Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112

And in the krb5kdc.log:

Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database

If I add the host in IPA, I instead get:

Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
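The kadmind.log lines quoted above are the useful evidence here: the "Unauthorized request" entry names the RPC (kadm5_create_principal), the principal it was aimed at, the client that asked, and the source address, which is exactly what an administrator wants to pull out when auditing who is being refused which kadmin operation. The following parser is an added example, not code from the original post, from FreeIPA or from Oracle. It works on a few constructed log lines modelled on the ones in the post (principals written with '@', which the list archive rendered as ' at '), and the table mapping each kadm5 RPC to the kadm5.acl privilege letter it needs is an assumption based on MIT kadmind's ACL privileges, restricted to the operations whose names are well known.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the kadmind.log excerpt in the post.
SAMPLE_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:12:06 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, nfs/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:20:41 server.home kadmind[3614](Notice): Request: kadm5_get_principal, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
"""

# One kadmind log line: timestamp, host, "kadmind[pid](level): ", then either
# "Request: <op>, <target>, <status>, k=v, ..." or
# "Unauthorized request: <op>, <target>, k=v, ...".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kadmind\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<kind>Unauthorized request|Request): (?P<op>\w+), (?P<target>[^,]+)"
    r"(?:, (?P<rest>.*))?$"
)

# Assumption: kadm5.acl privilege each RPC needs under MIT kadmind; only the
# operations with well-known privilege names are listed.
PRIVILEGE_FOR_OP = {
    "kadm5_create_principal": "add",
    "kadm5_delete_principal": "delete",
    "kadm5_modify_principal": "modify",
    "kadm5_get_principal": "inquire",
    "kadm5_get_principals": "list",
    "kadm5_chpass_principal": "changepw",
    "kadm5_randkey_principal": "changepw",
}


def parse_line(line):
    """Return a dict for one kadmind request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "pid", "level", "kind", "op", "target")}
    rec["authorized"] = rec["kind"] == "Request"
    rec["status"] = None
    for field in (m.group("rest") or "").split(", "):
        if "=" in field:
            key, _, value = field.partition("=")
            rec[key] = value          # client=, service=, addr=, vers=, flavor=
        elif field:
            rec["status"] = field     # e.g. 'success' on authorized requests
    rec["privilege"] = PRIVILEGE_FOR_OP.get(rec["op"])
    return rec


def parse_log(text):
    """Parse every recognisable request line in a kadmind.log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unauthorized_requests(records):
    """Only the requests kadmind refused on ACL grounds."""
    return [r for r in records if not r["authorized"]]


def summarize_denials(records):
    """Count refusals per (client, source address, RPC, privilege it needed)."""
    return Counter(
        (r.get("client"), r.get("addr"), r["op"], r["privilege"])
        for r in unauthorized_requests(records)
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (client, addr, op, priv), n in summarize_denials(recs).items():
        print(f"{client} from {addr}: {n}x {op} refused (needs '{priv}' privilege)")
```

Run against the sample it reports that admin@HOME from 192.168.0.112 had kadm5_create_principal refused twice and that the missing kadm5.acl privilege is "add", which matches the "Operation requires ``add'' privilege" text the appliance shows. Feeding it a real kadmind.log gives a quick per-client view of which kadmin operations are being denied before anyone starts changing ACLs.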