[Freeipa-users] Solaris kerberos - fail
Sigbjorn Lie
sigbjorn at nixtra.com
Wed Feb 15 19:49:11 UTC 2012
Hi,
I see that the documentation for configuring kerberos on Solaris has
changed since the last time I looked.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
kclient fails if I pre-create the account in IPA, and attempt to kclient
configure the client. If I don't, it successfully retrieves a keytab for
the host, but I'm unable to add the host as a host in IPA as the
kerberos principal is already used.
I suppose there is a LDAP ACL preventing me from doing this?
Can I work around this somehow, having the host account in IPA and using
kclient to configure Solaris hosts at the same time?
I have edited /var/kerberos/krb5kdc/kadm5.acl :
------------------------------------------------------------------------------------------
*/admin at IX.TEST.COM *
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
# kclient
Starting client setup
---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: IX.TEST.COM
Specify the KDC hostname for the above realm: ipa01.ix.test.com
ipa01.ix.test.com
Note, this system and the KDC's time must be within 5 minutes of each
other for Kerberos to function. Both systems should run some form of
time synchronization system like Network Time Protocol (NTP).
Setting up /etc/krb5/krb5.conf.
Enter the krb5 administrative principal to be used: soladmin
Obtaining TGT for soladmin/admin ...
Password for soladmin/admin at IX.TEST.COM:
Do you have multiple DNS domains spanning the Kerberos realm
IX.NIXTRA.COM ? [y/n]: n
No action performed.
Do you plan on doing Kerberized nfs ? [y/n]: n
No action performed.
host/server2.ix.nixtra.com entry already exists in KDC database.
Authenticating as principal soladmin/admin at IX.NIXTRA.COM with existing
credentials.
kadmin: Insufficient access to perform requested operation while
changing host/server2.ix.nixtra.com's key
Administration credentials NOT DESTROYED.
kadmin: ktadd of host/server2.ix.test.com failed, exiting.
---------------------------------------------------
Setup FAILED.
------------------------------------------------------------------------------------------
From /var/log/kadmind.log:
------------------------------------------------------------------------------------------
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_init, soladmin/admin at IX.TEST.COM, success,
client=soladmin/admin at IX.TEST.COM,
service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238,
vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User
modification failed: Insufficient access,
client=soladmin/admin at IX.TEST.COM,
service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238
------------------------------------------------------------------------------------------
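As an added example (not part of the post, and not FreeIPA, MIT Kerberos or Solaris code), the script below parses kadmind.log "Request:" lines of the shape shown in the excerpt above and flags key-change requests that did not succeed, together with the requesting admin principal and source address. The sample lines are constructed from the post's excerpt with '@' restored (the list archive renders it as " at "); the third line is invented to show a successful case for contrast. The set of key-changing operation names beyond kadm5_randkey_principal is an assumption drawn from the kadm5 API, not from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log, modelled on the post's kadmind.log excerpt.
# '@' is written out here; the list archive shows it as ' at '.
# The third line is invented to show a successful key change.
SAMPLE_LOG = """\
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/admin@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
Feb 15 20:01:03 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server3.ix.test.com@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
"""

# Assumed: kadm5 operations that replace or set a principal's keys.
KEY_CHANGE_OPS = {
    "kadm5_randkey_principal",
    "kadm5_chpass_principal",
    "kadm5_setkey_principal",
}

# Shape of one request line as it appears in the excerpt:
#   <syslog ts> <host> kadmind[<pid>](<level>): Request: <op>, <target>, <status>, k=v, k=v, ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kadmind\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): Request: (?P<op>\w+), (?P<target>[^,]+), (?P<status>.*?), "
    r"(?P<kv>(?:\w+=[^,]+(?:, )?)+)$"
)


@dataclass
class Request:
    ts: str
    host: str
    op: str
    target: str       # principal the operation was applied to
    status: str       # "success" or the server's error text
    fields: Dict[str, str] = field(default_factory=dict)  # client=, service=, addr=, ...

    @property
    def succeeded(self) -> bool:
        return self.status == "success"


def parse_kadmind_line(line: str) -> Optional[Request]:
    """Parse one kadmind.log request line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for pair in m.group("kv").split(", "):
        key, _, value = pair.partition("=")
        fields[key] = value
    return Request(
        ts=m.group("ts"),
        host=m.group("host"),
        op=m.group("op"),
        target=m.group("target"),
        status=m.group("status"),
        fields=fields,
    )


def find_denied_key_changes(log_text: str) -> List[Request]:
    """Return key-change requests (randkey/chpass/setkey) that the KDC did not report as success."""
    denied = []
    for line in log_text.splitlines():
        req = parse_kadmind_line(line)
        if req and req.op in KEY_CHANGE_OPS and not req.succeeded:
            denied.append(req)
    return denied


def summarize_by_client(requests: List[Request]) -> Dict[str, int]:
    """Count denied requests per requesting admin principal and source address."""
    counts: Dict[str, int] = {}
    for req in requests:
        key = f"{req.fields.get('client', '?')} from {req.fields.get('addr', '?')}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for req in find_denied_key_changes(SAMPLE_LOG):
        print(f"{req.ts} {req.op} on {req.target}: {req.status} "
              f"(client={req.fields.get('client')}, addr={req.fields.get('addr')})")
    print(summarize_by_client(find_denied_key_changes(SAMPLE_LOG)))
```

Run it against a real /var/log/kadmind.log by replacing SAMPLE_LOG with the file's contents; a denied randkey against a host principal from an admin principal that is not the host itself is exactly the pattern the failed kclient run above produces.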