[Freeipa-users] IPA + OpenAFS

Simo Sorce simo at redhat.com
Wed Jul 11 19:21:15 UTC 2012


On Wed, 2012-07-11 at 15:10 -0400, Dan Scott wrote:
> Hi,
> 
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang <qchang at sri.utoronto.ca> wrote:
> > I agree with you that OpenAFS should implement better enctype. I'll raise it
> > on their list. In the meantime, this is a block, do you have an estimate how
> > long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> > we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> > to our new infrastructure by end of July.
> 
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?
> 
> > There is another issue, by convention OpenAFS service principal is created as
> > afs/DOMAIN@REALM. IPA does not support creating a service principal without
> > first having a corresponding host principal, e.g., afs/FQDN@REALM. Is it possible
> > to add the flexibility in IPA to create an arbitrary service principal, which can be
> > done with a standalone Kerberos KDC?

You can use the --force flag to force the creation of an arbitrary
service principal.


> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.

Using kadmin.local is really not recommended with IPA normally, but
maybe it can be used as a temporary workaround in this case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



