[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Thu Jul 12 14:24:18 UTC 2012


On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
>>
>> On 11/07/2012 3:23 PM, Simo Sorce wrote:
>>> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>>>> Because of the integration of Kerberos in IPA, Kerberos tools can be used
>>>> only in limited situations. When creating afs/DOMAIN@REALM with kadmin, I got
>>>> this error:
>>>> add_principal: Kerberos database constraints violated while creating "afs/DOMAIN@REALM"
>>>>
>>> Use ipa service-add to add services, never use kadmin.local, it will not
>>> work, we hard-coded failures in the DB driver to prevent users from
>>> doing that as kadmin doesn't know where to put and how to properly fill
>>> up objects.
>>>
>>> However you can use kadmin.local on a pre-existing principal to obtain a
>>> new keytab.
>>>
>>> Simo.
>>>
>> keytab with v4 salt was created successfully using kadmin, unfortunately OpenAFS
>> still spit out the same error message:
>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>>
>> When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
>> still does not like the fact that there is no host entry:
>> [root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
>> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.
> Is there any problem of adding host entries into IPA?
> ipa host-add will create a host entry. It does not mean that you have to
> do something else with it.
I have no problem creating host entries in IPA. It looks like IPA does assume a service principal
has to have a corresponding host principal, which is reasonable in normal circumstances.
Now that I have created keytab with v4 successfully, it may have become an issue that I have
to raise on OpenAFS list.

Thanks,
Qing