[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

Dmitri Pal dpal at redhat.com
Tue Dec 18 00:36:29 UTC 2012


On 12/17/2012 07:15 PM, Johan Petersson wrote:
> Hi,
>
> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator, but I get exactly the
> same error from our real Appliances).
> Unfortunately, I can't generate a key on the IPA server and copy it to
> the Appliance, since it does not support that: it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information (realm/KDC and admin principal).
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
> An unanticipated system error occurred:
>
> failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)

Do you have this principal already precreated?
It seems that the client tries to create a principal using its kadmin
library. I am not sure it would work.
The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as
I recall it does an LDAP extended operation.

>
> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home at HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
> Native file: <undefined> line ?
> Native stack trace:
> Message: <none>
> Wrapped exception: <none>
> Stack trace:
> <none>
>
>     at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
>     faultCode: 600
>     faultString: failed to create principal 'host/zfs1.home at HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
>     coStack: top.akMulticall(argv:<array> "[object Object]",
> abort:true, func:<function> "function (ret, err, idx) {\n\t\t\tif (err
> && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, {
> set: widget.aknsn_vs
> });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
> nasServiceNFS.prototype.commit(callback:<function> "function (err)
> {\n\t\tif (akHandleFault(err, {\n\t\t    set:
> view.aksvc_current_set\n\t\t    })) {\n\t\t\tif
> (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t
> */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif
> (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t
>    akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif
> (akHandleFault(err)) {\n\t\t\t\tif
> (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif
> (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
> akSvcView.prototype.commitToServer(enable:false, callback:<function>
> "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif
> (view.aksvc_done &&
> !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
> akSvcView.prototype.commit(callback:null)
> <anonymous>(<object> "[object Object]", <object> "[object MouseEvent]")
> <anonymous>(e:<object> "[object MouseEvent]")
> [akEventListenerWrap,click,undefined](e:<object> "[object MouseEvent]")
>
>     faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin at HOME, success, client=admin at HOME, service=kadmin/server.home at HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home at HOME, client=admin at HOME, service=kadmin/server.home at HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home at HOME for krbtgt/HOME at HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home at HOME for krbtgt/HOME at HOME, Client not found in Kerberos database
>
> If I add the host in IPA I instead get:
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin at HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin at HOME for kadmin/server.home at HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin at HOME for kadmin/server.home at HOME
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
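The kadmind.log excerpt above is the signature of what Dmitri describes: the appliance authenticates to kadmind as admin (kadm5_init succeeds) and then asks kadmind itself to create the host principal over the kadmin protocol (kadm5_create_principal), which the IPA server's kadmind refuses with "Unauthorized request". The following is an added example, not code from the thread or from FreeIPA, that parses kadmind.log lines of that shape and reports refused write operations grouped by kadmin client principal and source address, so a device that still tries to self-register via kadmin instead of the IPA framework and ipa-getkeytab can be spotted from the log. The sample log is constructed to match the quoted lines (the list archive rewrote "@" as " at "; real log lines carry "@"), and the set of kadm5 write operations is an assumed subset that can be extended.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the kadmind.log excerpt quoted in the thread.
SAMPLE_KADMIND_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, nfs/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:20:11 server.home kadmind[3614](Notice): Request: kadm5_get_principal, host/nas2.home@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.50, vers=2, flavor=6
this line is not a kadmind request line and is skipped by the parser
"""

# "<syslog timestamp> <host> kadmind[<pid>](<level>): <Request|Unauthorized request>: <op>, <target>, <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kadmind\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<kind>Request|Unauthorized request): (?P<op>kadm5_\w+), (?P<target>[^,]+), (?P<rest>.*)$"
)

# kadm5 operations that write to the KDC database (assumed subset; extend as needed).
WRITE_OPS = frozenset({
    "kadm5_create_principal", "kadm5_delete_principal", "kadm5_modify_principal",
    "kadm5_rename_principal", "kadm5_chpass_principal", "kadm5_randkey_principal",
    "kadm5_setkey_principal",
})


@dataclass(frozen=True)
class KadmEvent:
    timestamp: str
    operation: str
    target: str        # principal the operation was aimed at
    client: str        # authenticated kadmin client principal
    addr: str          # source address of the kadmin connection
    authorized: bool   # False for "Unauthorized request" lines


def parse_kadmind_line(line: str) -> Optional[KadmEvent]:
    """Parse one kadmind.log line; return None for lines that are not request records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # The trailing part is a comma-separated mix of "key=value" pairs and a bare
    # status word ("success"); keep only the key=value pairs.
    fields: Dict[str, str] = {}
    for part in m.group("rest").split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return KadmEvent(
        timestamp=m.group("ts"),
        operation=m.group("op"),
        target=m.group("target"),
        client=fields.get("client", ""),
        addr=fields.get("addr", ""),
        authorized=(m.group("kind") == "Request"),
    )


def find_unauthorized_writes(log_text: str) -> List[KadmEvent]:
    """Return kadmin write attempts that kadmind refused, in log order."""
    events = (parse_kadmind_line(line) for line in log_text.splitlines())
    return [e for e in events
            if e is not None and not e.authorized and e.operation in WRITE_OPS]


def summarize_by_source(events: List[KadmEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Group refused writes by (client principal, source address) -> target principals."""
    summary: Dict[Tuple[str, str], List[str]] = {}
    for e in events:
        summary.setdefault((e.client, e.addr), []).append(e.target)
    return summary


if __name__ == "__main__":
    refused = find_unauthorized_writes(SAMPLE_KADMIND_LOG)
    for (client, addr), targets in summarize_by_source(refused).items():
        print(f"{client} from {addr} tried kadmin writes that were refused: {', '.join(targets)}")
```

Run against a real /var/log/kadmind.log, a non-empty summary points at clients (here the appliance at 192.168.0.112) that expect a plain MIT kadmind; the fix on the IPA side is to create the host and service entries through IPA and issue keys with ipa-getkeytab, which, as noted above, does not go through kadmind at all.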




