[Freeipa-users] Solaris kerberos - fail

Sigbjorn Lie sigbjorn at nixtra.com
Wed Feb 15 19:49:11 UTC 2012


Hi,

I see that the documentation for configuring kerberos on Solaris has 
changed since the last time I looked.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

kclient fails if I pre-create the account in IPA, and attempt to kclient 
configure the client. If I don't, it successfully retrieves a keytab for 
the host, but I'm unable to add the host as a host in IPA as the 
Kerberos principal is already used.

I suppose there is an LDAP ACL preventing me from doing this?

Can I work around this somehow, having the host account in IPA and using 
kclient to configure Solaris hosts at the same time?




I have edited /var/kerberos/krb5kdc/kadm5.acl:
------------------------------------------------------------------------------------------
*/admin@IX.TEST.COM           *
------------------------------------------------------------------------------------------



------------------------------------------------------------------------------------------
# kclient

Starting client setup

---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
         No action performed.
Enter the Kerberos realm: IX.TEST.COM
Specify the KDC hostname for the above realm: ipa01.ix.test.com
ipa01.ix.test.com

Note, this system and the KDC's time must be within 5 minutes of each 
other for Kerberos to function.  Both systems should run some form of 
time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: soladmin
Obtaining TGT for soladmin/admin ...
Password for soladmin/admin@IX.TEST.COM:

Do you have multiple DNS domains spanning the Kerberos realm IX.NIXTRA.COM ? [y/n]: n
         No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: n
         No action performed.

host/server2.ix.nixtra.com entry already exists in KDC database.
Authenticating as principal soladmin/admin@IX.NIXTRA.COM with existing credentials.
kadmin: Insufficient access to perform requested operation while changing host/server2.ix.nixtra.com's key

Administration credentials NOT DESTROYED.

kadmin: ktadd of host/server2.ix.test.com failed, exiting.
---------------------------------------------------
Setup FAILED.
------------------------------------------------------------------------------------------


 From /var/log/kadmind.log:
------------------------------------------------------------------------------------------
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/admin@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
------------------------------------------------------------------------------------------
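The kadmind log above is where the real failure is visible: kclient only reports that ktadd failed, while kadmind records that a kadm5_randkey_principal request against the pre-existing host principal was refused with "Insufficient access". The script below is an added example (it is not part of the original post and not FreeIPA or Solaris code) that pulls such denials out of a kadmind log so the refused operation, target principal, calling admin and source address can be read at a glance. The log lines in it are a constructed sample modelled on the excerpt in the post (the archive's " at " restored to "@", each request on one line as kadmind writes it, plus one invented successful request for the filter to ignore), and the field layout it parses (comma-space separated, "Request: <op>" first, target principal second, then status and key=value pairs) is assumed from that excerpt.

```shell
#!/bin/sh
# Added example (not from the post, FreeIPA or Solaris): list kadmind access denials.
# Constructed sample modelled on the post's excerpt, one request per line as kadmind
# writes them, with " at " restored to "@". The third line is an invented successful
# request so the filter has something to ignore.
SAMPLE_LOG='Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/admin@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
Feb 15 19:57:02 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_create_principal, host/server3.ix.test.com@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.239'

# kadmind_denials [logfile]
# Reads a kadmind log (file argument, or stdin when none is given) and prints one
# tab-separated record per request that failed with "Insufficient access":
#   operation <TAB> target principal <TAB> client principal <TAB> source address
# The field layout (comma-space separated, "Request: <op>" first, target second,
# then status and key=value pairs) is assumed from the post's excerpt.
kadmind_denials() {
    awk -F', ' '
        /Request: / && /Insufficient access/ {
            op = $1; sub(/.*Request: /, "", op)
            target = $2
            client = "?"; addr = "?"
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^client=/) client = substr($i, 8)
                if ($i ~ /^addr=/)   addr   = substr($i, 6)
            }
            print op "\t" target "\t" client "\t" addr
        }' ${1:+"$1"}
}

# denial_count [logfile]
# Number of denied requests; a non-zero count is the quick check to run on the
# IPA server after a failed kclient run.
denial_count() {
    kadmind_denials ${1:+"$1"} | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a server you would pass
# /var/log/kadmind.log instead.
printf '%s\n' "$SAMPLE_LOG" | kadmind_denials
```

On the sample this prints a single record, the randkey against host/server2.ix.test.com by soladmin/admin from 192.168.1.238. The wording "User modification failed: Insufficient access" differs from the "requires ... privilege" refusals that kadmind's own kadm5.acl check produces, which is a hint that the denial is coming from the KDC's backend rather than from the ACL file; treat that as an observation to verify against your own kadmind and IPA versions, not a certainty.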