[Freeipa-users] Solaris kerberos - fail

Rob Crittenden rcritten at redhat.com
Wed Feb 15 20:06:09 UTC 2012


Sigbjorn Lie wrote:
> Hi,
>
> I see that the documentation for configuring kerberos on Solaris has
> changed since the last time I looked.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>
>
> kclient fails if I pre-create the account in IPA, and attempt to kclient
> configure the client. If I don't, it successfully retrieves a keytab for
> the host, but I'm unable to add the host as a host in IPA as the
> kerberos principal is already used.
>
> I suppose there is a LDAP ACL preventing me from doing this?
>
> Can I work around this somehow, having the host account in IPA and using
> kclient to configure Solaris hosts at the same time?
>
>
>
>
> I have edited /var/kerberos/krb5kdc/kadm5.acl :
> ------------------------------------------------------------------------------------------
>
> */admin at IX.TEST.COM *
> ------------------------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------------------------
>
> # kclient
>
> Starting client setup
>
> ---------------------------------------------------
> Do you want to use DNS for kerberos lookups ? [y/n]: n
> No action performed.
> Enter the Kerberos realm: IX.TEST.COM
> Specify the KDC hostname for the above realm: ipa01.ix.test.com
> ipa01.ix.test.com
>
> Note, this system and the KDC's time must be within 5 minutes of each
> other for Kerberos to function. Both systems should run some form of
> time synchronization system like Network Time Protocol (NTP).
>
> Setting up /etc/krb5/krb5.conf.
>
> Enter the krb5 administrative principal to be used: soladmin
> Obtaining TGT for soladmin/admin ...
> Password for soladmin/admin at IX.TEST.COM:
>
> Do you have multiple DNS domains spanning the Kerberos realm
> IX.NIXTRA.COM ? [y/n]: n
> No action performed.
>
> Do you plan on doing Kerberized nfs ? [y/n]: n
> No action performed.
>
> host/server2.ix.nixtra.com entry already exists in KDC database.
> Authenticating as principal soladmin/admin at IX.NIXTRA.COM with existing
> credentials.
> kadmin: Insufficient access to perform requested operation while
> changing host/server2.ix.nixtra.com's key
>
> Administration credentials NOT DESTROYED.
>
> kadmin: ktadd of host/server2.ix.test.com failed, exiting.
> ---------------------------------------------------
> Setup FAILED.
> ------------------------------------------------------------------------------------------
>
>
>
> From /var/log/kadmind.log:
> ------------------------------------------------------------------------------------------
>
> Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
> kadm5_init, soladmin/admin at IX.TEST.COM, success,
> client=soladmin/admin at IX.TEST.COM,
> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238,
> vers=2, flavor=6
> Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
> kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User
> modification failed: Insufficient access,
> client=soladmin/admin at IX.TEST.COM,
> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238

These have been the Solaris directions for quite a long time.

What version of freeIPA does this work against?

You might try adding soladmin to the Host Administrators role and see if 
it works then. If it does you'll probably want to create a new role with 
more limited permissions.

I would imagine that a host added this way would not appear as an 
IPA-managed host (though adding the host first and using this to just 
add the key should be ok).

rob
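As an added example (not from the thread or from the FreeIPA project), a small parser for kadmind.log "Request:" lines in the format quoted above, which flags key-change requests the KDC rejected, such as the "Insufficient access" on kadm5_randkey_principal. The sample lines are constructed to match the excerpt; the list archive rendered "@" as " at ", so the samples use the real "@" form.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the /var/log/kadmind.log excerpt in the post.
SAMPLE_LOG = """\
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, soladmin/admin@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
Feb 15 20:01:12 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server3.ix.test.com@IX.TEST.COM, success, client=soladmin/admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
"""

# One kadmind request line: timestamp, host, pid, level, op, target principal,
# status text, client principal, kadmin service, source addr, optional RPC trailer.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kadmind\[(?P<pid>\d+)\]\((?P<level>\w+)\): Request: "
    r"(?P<op>\w+), (?P<target>[^,]+), (?P<status>.*?), "
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), "
    r"addr=(?P<addr>[0-9.]+)(?:, vers=\d+, flavor=\d+)?$"
)

@dataclass
class KadminRequest:
    ts: str
    op: str
    target: str
    status: str
    client: str
    addr: str

    @property
    def ok(self) -> bool:
        return self.status == "success"

def parse_line(line: str) -> Optional[KadminRequest]:
    """Parse one kadmind 'Request:' line; returns None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KadminRequest(m["ts"], m["op"], m["target"], m["status"], m["client"], m["addr"])

# kadm5 operations that replace or set a principal's key material.
KEY_CHANGE_OPS = {"kadm5_randkey_principal", "kadm5_chpass_principal", "kadm5_setkey_principal"}

def failed_key_changes(log_text: str) -> list[KadminRequest]:
    """Return key-change requests kadmind rejected (e.g. 'Insufficient access')."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and r.op in KEY_CHANGE_OPS and not r.ok]

if __name__ == "__main__":
    for r in failed_key_changes(SAMPLE_LOG):
        print(f"{r.ts} {r.client} from {r.addr} -> {r.op} {r.target}: {r.status}")
```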