[Freeipa-users] IPA + OpenAFS

Dmitri Pal dpal at redhat.com
Wed Jul 11 21:46:53 UTC 2012


On 07/11/2012 04:01 PM, Qing Chang wrote:
>
>
> On 11/07/2012 3:23 PM, Simo Sorce wrote:
>> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>>> Because of the integration of Kerberos in IPA, Kerberos tools can be used
>>> only in limited
>>> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
>>> error:
>>> add_principal: Kerberos database constraints violated while creating
>>> "afs/DOMAIN at REALM"
>>>
>> Use ipa service-add to add services, never use kadmin.local, it will not
>> work, we hard-coded failures in the DB driver to prevent users from
>> doing that as kadmin doesn't know where to put and how to properly fill
>> up objects.
>>
>> However you can use kadmin.local on a pre-existing principal to obtain a
>> new keytab.
>>
>> Simo.
>>
> keytab with v4 salt was created successfully using kadmin,
> unfortunately OpenAFS
> still spit out the same error message:
> [root at smb1 ~]# fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
>
> When --force was used with ipa service-add to create
> afs/DOMAIN at REALM, IPA
> still does not like the fact there is no host entry:
> [root at ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

Is there any problem with adding host entries into IPA?
ipa host-add will create a host entry. It does not mean that you have to
do something else with it.

>
> Thanks,
> Qing


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

