[Freeipa-users] Solaris kerberos - fail

Sigbjorn Lie sigbjorn at nixtra.com
Wed Feb 15 20:23:48 UTC 2012


On 02/15/2012 09:06 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> Hi,
>>
>> I see that the documentation for configuring kerberos on Solaris has
>> changed since the last time I looked.
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>
>> kclient fails if I pre-create the account in IPA, and attempt to kclient
>> configure the client. If I don't, it successfully retrieves a keytab for
>> the host, but I'm unable to add the host as a host in IPA as the
>> kerberos principal is already used.
>>
>> I suppose there is a LDAP ACL preventing me from doing this?
>>
>> Can I work around this somehow, having the host account in IPA and using
>> kclient to configure Solaris hosts at the same time?
>>
>> I have edited /var/kerberos/krb5kdc/kadm5.acl :
>> ------------------------------------------------------------------------------------------
>> */admin at IX.TEST.COM *
>> ------------------------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------------------
>>
>> # kclient
>>
>> Starting client setup
>>
>> ---------------------------------------------------
>> Do you want to use DNS for kerberos lookups ? [y/n]: n
>> No action performed.
>> Enter the Kerberos realm: IX.TEST.COM
>> Specify the KDC hostname for the above realm: ipa01.ix.test.com
>> ipa01.ix.test.com
>>
>> Note, this system and the KDC's time must be within 5 minutes of each
>> other for Kerberos to function. Both systems should run some form of
>> time synchronization system like Network Time Protocol (NTP).
>>
>> Setting up /etc/krb5/krb5.conf.
>>
>> Enter the krb5 administrative principal to be used: soladmin
>> Obtaining TGT for soladmin/admin ...
>> Password for soladmin/admin at IX.TEST.COM:
>>
>> Do you have multiple DNS domains spanning the Kerberos realm
>> IX.NIXTRA.COM ? [y/n]: n
>> No action performed.
>>
>> Do you plan on doing Kerberized nfs ? [y/n]: n
>> No action performed.
>>
>> host/server2.ix.nixtra.com entry already exists in KDC database.
>> Authenticating as principal soladmin/admin at IX.NIXTRA.COM with existing
>> credentials.
>> kadmin: Insufficient access to perform requested operation while
>> changing host/server2.ix.nixtra.com's key
>>
>> Administration credentials NOT DESTROYED.
>>
>> kadmin: ktadd of host/server2.ix.test.com failed, exiting.
>> ---------------------------------------------------
>> Setup FAILED.
>> ------------------------------------------------------------------------------------------
>>
>> From /var/log/kadmind.log:
>> ------------------------------------------------------------------------------------------
>> Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_init, soladmin/admin at IX.TEST.COM, success,
>> client=soladmin/admin at IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238,
>> vers=2, flavor=6
>> Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User
>> modification failed: Insufficient access,
>> client=soladmin/admin at IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238
>
> These have been the Solaris directions for quite a long time.
>
> What version of freeIPA does this work against?
>
> You might try adding soladmin to the Host Administrators role and see 
> if it works then. If it does you'll probably want to create a new role 
> with more limited permissions.
>
> I would imagine that a host added this way would not appear as an 
> IPA-managed host (though adding the host first and using this to just 
> add the key should be ok).
>
> rob
The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter "-a adminuser", which it 
translates into "adminuser/admin". How can I add this to an IPA role?

If I attempt to work around that by using kadmin directly instead of the 
wrapper kclient script on the Solaris host, and specifying the IPA 
default "admin" account, the same message occurs:


# kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab 
host/server2.ix.test.com at IX.TEST.COM"
Authenticating as principal admin with password.
Password for admin at IX.TEST.COM:
kadmin: Insufficient access to perform requested operation while 
changing host/server2.ix.test.com at IX.TEST.COM's key


/var/kerberos/krb5kdc/kadm5.acl:
admin at IX.TEST.COM                     *


/var/log/kadmind.log:
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: 
kadm5_init, admin at IX.TEST.COM, success, client=admin at IX.TEST.COM, 
service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238, 
vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: 
kadm5_randkey_principal, host/server2.ix.test.com at IX.TEST.COM, User 
modification failed: Insufficient access, client=admin at IX.TEST.COM, 
service=kadmin/ipa01.ix.test.com at IX.TEST.COM, addr=192.168.1.238


Rgds,
Siggi
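A small parser for the kadmind.log request lines quoted in this thread, added here as an example and not part of the original mail: it pulls out the operation, target principal, result, client and source address of each request and reports key-change requests (kadm5_randkey_principal as seen above, plus kadm5_chpass_principal as an assumed extra) that the KDC denied with "Insufficient access". The sample lines are constructed from the thread with the archive's " at " written back as "@", and the host server3 line is invented as a successful contrast case.

```python
import re

# Constructed sample lines in the kadmind.log format quoted in the thread.
# The mail archive rewrote '@' as ' at '; real logs carry '@'.
SAMPLE_LOG = """\
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_init, admin@IX.TEST.COM, success, client=admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238, vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User modification failed: Insufficient access, client=admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
Feb 15 21:20:03 ipa01.ix.test.com kadmind[22727](Notice): Request: kadm5_randkey_principal, host/server3.ix.test.com@IX.TEST.COM, success, client=admin@IX.TEST.COM, service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.240
"""

# One "Request:" line: timestamp, KDC host, pid, operation, target principal,
# free-text result, then the client/service/addr fields. Trailing fields such
# as vers= and flavor= are left unmatched on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kadmind\[(?P<pid>\d+)\]\(\w+\): "
    r"Request: (?P<op>\w+), (?P<target>[^,]+), (?P<result>.*?), "
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), addr=(?P<addr>[\d.]+)"
)

# kadm5_randkey_principal is what kclient/ktadd triggers on the page;
# kadm5_chpass_principal is assumed here as another key-changing request.
KEY_CHANGE_OPS = {"kadm5_randkey_principal", "kadm5_chpass_principal"}


def parse_line(line):
    """Return the fields of one kadmind request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every recognisable request line in a kadmind.log excerpt."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def denied_key_changes(text):
    """Key-change requests the KDC refused, i.e. the failure mode in the thread."""
    return [
        ev for ev in parse_log(text)
        if ev["op"] in KEY_CHANGE_OPS and "Insufficient access" in ev["result"]
    ]


if __name__ == "__main__":
    for ev in denied_key_changes(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['client']} from {ev['addr']} denied "
              f"{ev['op']} on {ev['target']}")
```

Against the real log, feed the file contents to denied_key_changes() to see which admin principal and source address are hitting the LDAP-side access denial while kadm5_init itself succeeds.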