[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Thu Jul 12 19:14:54 UTC 2012


On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
>>
>> On 11/07/2012 3:23 PM, Simo Sorce wrote:
>>> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>>>> Because the integration of Kerberos in IPA, Kerberos tools can be used
>>>> only in limited
>>>> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
>>>> error:
>>>> add_principal: Kerberos database constraints violated while creating
>>>> "afs/DOMAIN at REALM"
>>>>
>>> Use ipa service-add to add services, never use kadmin.local, it will not
>>> work, we hard-coded failures in the DB driver to prevent users from
>>> doing that as kadmin doesn't know where to put and how to properly fill
>>> up objects.
>>>
>>> However you can use kadmin.local on a pre-existing principal to obtain a
>>> new keytab.
>>>
>>> Simo.
>>>
>> keytab with v4 salt was created successfully using kadmin,
>> unfortunately OpenAFS
>> still spit out the same error message:
>> [root at smb1 ~]# fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>>
>> When --force was used with ipa service-add to create
>> afs/DOMAIN at REALM, IPA
>> still does not like the fact that there is no host entry:
>> [root at ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
>> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
>> to.
Sorry for my ignorance: ktadd accepted -e des-cbc-crc:v4 but created a keytab with no salt:
=====
kadmin.local:   ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to 
keytab WRFILE:/tmp/openafs.
kadmin.local:  getprinc afs/openafs.sri.utoronto.ca
Principal: afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/admin at SRI.UTORONTO.CA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=====

I also tried ":normal" and ":afs3"; no salt was added for any type. Is the IPA
code not doing it, or am I missing something?

Thanks,
Qing


> Is there any problem with adding host entries into IPA?
> ipa host-add will create a host entry. It does not mean that you have to
> do something else with it.
>
>> Thanks,
>> Qing
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
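The question in this thread is what actually ends up in the keytab that ktadd (or ipa-getkeytab) writes for afs/openafs.sri.utoronto.ca. The Python below is an added example for this archive page, not code from the original posts or from FreeIPA, OpenAFS or MIT krb5. It writes and reads back a minimal MIT keytab (file format version 0x0502) holding one des-cbc-crc entry with kvno 20 like the one in the thread, and adds the parity check a practitioner would run on a single-DES key. The point it makes is that a keytab entry stores the principal, a timestamp, the kvno and one (enctype, key) pair and nothing else: the file format has no salt field, because the salt only matters when a key is derived from a password and the keytab already holds the final key. The key bytes, the epoch timestamp and the function names are assumptions.

```python
"""Minimal MIT keytab (format version 0x0502) writer and reader.

Added example, not code from FreeIPA, OpenAFS or MIT krb5. An entry holds
principal, timestamp, kvno and one (enctype, key) pair; there is no salt field.
"""
import struct

# Kerberos enctype numbers from the RFC 3961/3962 registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1  # name type used for service principals such as afs/host


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, used for the realm and name components."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def write_keytab(entries) -> bytes:
    """Serialise entry dicts (principal, timestamp, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp, 8-bit kvno; the 32-bit kvno is appended at the end
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body  # size field excludes itself
    return bytes(out)


def read_keytab(data: bytes):
    """Parse a version-2 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted (free) slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno extension present; used when nonzero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": etype,
            "enctype_name": ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype),
            "key": key,
        })
    return entries


def des_key_has_odd_parity(key: bytes) -> bool:
    """Single-DES keys (des-cbc-crc, des-cbc-md5) are 8 bytes, each with odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


# Constructed entry mirroring the thread (kvno 20, des-cbc-crc). The key bytes
# and the timestamp (Thu Jul 12 15:08:16 EDT 2012 as epoch seconds) are assumed.
EXAMPLE_ENTRY = {
    "principal": "afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA",
    "timestamp": 1342120096,
    "kvno": 20,
    "enctype": 1,
    "key": bytes([0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80]),
}
EXAMPLE_KEYTAB = write_keytab([EXAMPLE_ENTRY])

if __name__ == "__main__":
    for entry in read_keytab(EXAMPLE_KEYTAB):
        print("%(principal)s kvno %(kvno)d %(enctype_name)s key=%(key)r" % entry)
        print("odd DES parity:", des_key_has_odd_parity(entry["key"]))
```

Run it on a real file with `read_keytab(open("/tmp/openafs", "rb").read())` to compare the kvno and enctype stored in the keytab against what `getprinc` reports on the KDC; a kvno mismatch, not the salt, is what makes a service reject tickets after a key has been regenerated.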