[Freeipa-users] Solaris kerberos - fail

Rob Crittenden rcritten at redhat.com
Wed Feb 15 20:34:29 UTC 2012


Sigbjorn Lie wrote:
> On 02/15/2012 09:06 PM, Rob Crittenden wrote:
>> You might try adding soladmin to the Host Administrators role and see
>> if it works then. If it does you'll probably want to create a new role
>> with more limited permissions.
>>
>> I would imagine that a host added this way would not appear as an
>> IPA-managed host (though adding the host first and using this to just
>> add the key should be ok).
>>
>> rob
> The version is: freeipa-server-2.1.3-2.fc15.x86_64
>
> The kclient script only accepts a parameter "-a adminuser", which it
> translates into "adminuser/admin". How can I add this to an IPA role?
>
> If I attempt to work around that by using kadmin directly instead of the
> wrapper kclient script on the Solaris host, and specifying the IPA
> default "admin" account, the same message occurs:
>
>
> # kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab
> host/server2.ix.test.com@IX.TEST.COM"
> Authenticating as principal admin with password.
> Password for admin@IX.TEST.COM:
> kadmin: Insufficient access to perform requested operation while
> changing host/server2.ix.test.com@IX.TEST.COM's key
>
>
> /var/kerberos/krb5kdc/kadm5.acl:
> admin@IX.TEST.COM *
>
>
> /var/log/kadmind.log:
> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
> kadm5_init, admin@IX.TEST.COM, success, client=admin@IX.TEST.COM,
> service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238,
> vers=2, flavor=6
> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
> kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User
> modification failed: Insufficient access, client=admin@IX.TEST.COM,
> service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238

To be honest, the whole section about kclient, kadmin, etc. is new to me 
as well. I don't know when that was added. We'll investigate that, sorry 
about the confusion.

These problems are likely related to the fact that kadmin assumes a 
different DIT than IPA. We don't recommend kadmin be used.

We recommend using ipa-getkeytab on a Linux box and retrieving the 
keytab that way. Yes, this is less than convenient.

On Solaris 10 you may have a fighting chance of building ipa-getkeytab 
natively. I seem to recall a bunch of optional packages to add various 
LDAP and compiler parts you'd need but it is less than ideal. I had 
absolutely no luck on Solaris 9 without having to compile everything myself.

rob