[Freeipa-users] Solaris kerberos - fail

Sigbjorn Lie sigbjorn at nixtra.com
Wed Feb 15 21:53:30 UTC 2012


On 02/15/2012 09:34 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 02/15/2012 09:06 PM, Rob Crittenden wrote:
>>> You might try adding soladmin to the Host Administrators role and see
>>> if it works then. If it does you'll probably want to create a new role
>>> with more limited permissions.
>>>
>>> I would imagine that a host added this way would not appear as an
>>> IPA-managed host (though adding the host first and using this to just
>>> add the key should be ok).
>>>
>>> rob
>> The version is: freeipa-server-2.1.3-2.fc15.x86_64
>>
>> The kclient script only accepts a parameter "-a adminuser", which it
>> translates into "adminuser/admin". How can I add this to an IPA role?
>>
>> If I attempt to work around that by using kadmin directly instead of the
>> wrapper kclient script on the Solaris host, and specifying the IPA
>> default "admin" account, the same message occurs:
>>
>>
>> # kadmin -p admin -q "ktadd -k /etc/krb5/krb5.keytab
>> host/server2.ix.test.com@IX.TEST.COM"
>> Authenticating as principal admin with password.
>> Password for admin@IX.TEST.COM:
>> kadmin: Insufficient access to perform requested operation while
>> changing host/server2.ix.test.com@IX.TEST.COM's key
>>
>>
>> /var/kerberos/krb5kdc/kadm5.acl:
>> admin@IX.TEST.COM *
>>
>>
>> /var/log/kadmind.log:
>> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_init, admin@IX.TEST.COM, success, client=admin@IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238,
>> vers=2, flavor=6
>> Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
>> kadm5_randkey_principal, host/server2.ix.test.com@IX.TEST.COM, User
>> modification failed: Insufficient access, client=admin@IX.TEST.COM,
>> service=kadmin/ipa01.ix.test.com@IX.TEST.COM, addr=192.168.1.238
>
> To be honest, the whole section about kclient, kadmin, etc is new to 
> me as well. I don't know when that was added. We'll investigate that, 
> sorry about the confusion.
>
Ok, so it's not just me that this was new for. :)

> These problems are likely related to the fact that kadmin assumes a 
> different DIT than IPA. We don't recommend kadmin be used.
>
Yes, I was a bit surprised when I noticed this in the documentation, 
given other postings on the list where the use of kadmin and kadmin.local 
is said to be not supported.

> We recommend using ipa-getkeytab on a Linux box and retrieving the 
> keytab that way. Yes, this is less than convenient.
>
This was my original plan: retrieving all the keytabs for Solaris hosts 
on one of the IPA servers, and then distributing them to the Solaris hosts 
using CFengine.

> On Solaris 10 you may have a fighting chance of building ipa-getkeytab 
> natively. I seem to recall a bunch of optional packages to add various 
> LDAP and compiler parts you'd need but it is less than ideal. I had 
> absolutely no luck on Solaris 9 without having to compile everything 
> myself.

I remember I did give that a go a while back. Gave up pretty quickly 
though. I think I will stick with my original plan of distributing 
keytabs for Solaris using CFengine. :)

Thanks.


Regards,
Siggi
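The workflow Rob recommends and Siggi settles on (fetch each Solaris host's keytab with ipa-getkeytab on a Linux IPA box, then hand the files to the configuration-management tool for distribution) is sketched below as an added example; it is not code from this thread or from the FreeIPA project. The server name ipa01.ix.test.com and realm IX.TEST.COM are taken from the log lines above; the output directory, host-list format and the names of the helper functions are constructed for the example. The one caveat worth building in: running ipa-getkeytab for a principal generates a new random key on the KDC, so a keytab that was already distributed to that host stops working. The script therefore refuses to re-fetch a host whose keytab it already holds, and it keeps every keytab owner-readable only, since a keytab is a long-lived credential.

```shell
#!/bin/sh
# Fetch host keytabs for Solaris machines from a FreeIPA server (example, not FreeIPA's own code).
# Run on a Linux box with ipa-getkeytab installed, as a user holding an admin Kerberos ticket.
# Assumed/constructed values: overridable through the environment.
IPA_SERVER="${IPA_SERVER:-ipa01.ix.test.com}"    # IPA server named in the thread's log lines
REALM="${REALM:-IX.TEST.COM}"                    # realm named in the thread
OUTDIR="${OUTDIR:-/var/lib/solaris-keytabs}"     # constructed staging directory for CFengine

# Kerberos host principal for a Solaris host's FQDN.
principal_for() {
    printf 'host/%s@%s\n' "$1" "$REALM"
}

# Local path where the fetched keytab for a host is staged.
keytab_path_for() {
    printf '%s/%s.keytab\n' "$OUTDIR" "$1"
}

# A keytab is only fit for distribution if it is a regular, non-empty file with mode 0600.
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Fetch one host's keytab. Skips hosts already staged, because ipa-getkeytab
# issues a new random key and would invalidate the keytab already on that host.
fetch_one() {
    host="$1"
    out=$(keytab_path_for "$host")
    if [ -s "$out" ]; then
        echo "skip $host: $out exists; re-fetching would re-key the principal" >&2
        return 0
    fi
    (
        umask 077   # keytab is created owner-only
        ipa-getkeytab -s "$IPA_SERVER" -p "$(principal_for "$host")" -k "$out"
    ) || { echo "failed: $host" >&2; return 1; }
    chmod 600 "$out"
    check_keytab_perms "$out" || { echo "bad permissions on $out" >&2; return 1; }
    # Show the principals and kvno actually stored, when klist is available.
    command -v klist >/dev/null 2>&1 && klist -kt "$out"
    return 0
}

# Fetch keytabs for every FQDN in a host-list file (one per line, '#' comments allowed).
fetch_all() {
    listfile="$1"
    mkdir -p "$OUTDIR" && chmod 700 "$OUTDIR"
    rc=0
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        fetch_one "$host" || rc=1
    done < "$listfile"
    return $rc
}

# Usage: ./solaris-keytabs.sh --fetch hosts.txt
if [ "${1:-}" = "--fetch" ] && [ -n "${2:-}" ]; then
    fetch_all "$2"
fi
```

On the Solaris side the staged file is installed as /etc/krb5/krb5.keytab (the path used in the thread) with the same 0600 ownership; let CFengine carry it over its own authenticated channel rather than copying keytabs by hand, and treat the staging directory on the IPA box with the same care as the keytabs themselves.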