[Freeipa-users] unable to add service principle from F17

Rob Crittenden rcritten at redhat.com
Mon Jun 25 21:37:20 UTC 2012


Dale Macartney wrote:
>
>
> On 25/06/12 19:53, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>>
>>> Hi all
>>>
>>> I have a RHEL 6.2 IPA domain and I am running through one of my known
>>> working kickstarts for kerberised squid, but instead of using RHEL I'm
>>> setting it up on Fedora 17.
>>>
>>> I get the following error on the Fedora system, which has
>>> freeipa-admintools installed:
>>>
>>> [root@proxy02 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>> ipa: ERROR: did not receive Kerberos credentials
>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>> ipa: ERROR: did not receive Kerberos credentials
>>> [root@proxy02 ~]#
>>>
>>>
>>>
>>> Nothing appears in the logs apart from
>>>
>>> ==> /var/log/messages <==
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>
>>>
>>> Any ideas?
>>>
>>> This doesn't block me from what I am trying to achieve as I can add the
>>> service principal from the IPA server. Just thought I might ask the
>>> question.
>>
>> What version of client and server?
>>
>> rob
>
> Server details
>
> [root@ds01 ~]# yum info ipa-server
> Loaded plugins: product-id, security, subscription-manager
> Updating certificate-based repositories.
> Installed Packages
> Name        : ipa-server
> Arch        : x86_64
> Version     : 2.1.3
> Release     : 9.el6
> Size        : 3.2 M
> Repo        : installed
> From repo   : Red Hat Enterprise Linux
> Summary     : The IPA authentication server
> URL         : http://www.freeipa.org/
> License     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). If you are installing an IPA server you need
>             : to install this package (in other words, most people should NOT install
>             : this package).
>
>
> Client details
>
> [root@proxy02 ~]# yum info freeipa-client
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name        : freeipa-client
> Arch        : x86_64
> Version     : 2.2.0
> Release     : 1.fc17
> Size        : 239 k
> Repo        : installed
> From repo   : fedora
> Summary     : IPA authentication for use on clients
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). If your network uses IPA for authentication,
>             : this package should be installed on every client machine.
>
> [root@proxy02 ~]# yum info freeipa-admintools
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name        : freeipa-admintools
> Arch        : x86_64
> Version     : 2.2.0
> Release     : 1.fc17
> Size        : 43 k
> Repo        : installed
> From repo   : fedora
> Summary     : IPA administrative tools
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). This package provides command-line tools for
>             : IPA administrators.
>
> [root@proxy02 ~]#

Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy 
so sending the TGT is no longer required as it was pre 2.2.

# ipa --delegate service-add HTTP/$(hostname)

rob
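
Added example, not part of the original thread or FreeIPA's own code: `--delegate` hands the caller's TGT to the server, which only works when the cached TGT is forwardable, so a wrapper can check `klist -f` before invoking it. The function names and the sample `klist -f` output below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Reads `klist -f` output on stdin; succeeds only if the krbtgt entry
# carries the forwardable flag (capital F; lowercase f means "forwarded").
tgt_is_forwardable() {
    awk '
        / krbtgt\// { in_tgt = 1; next }   # ticket line for the TGT
        /^[0-9]/    { in_tgt = 0 }         # any other ticket line ends the entry
        in_tgt && /Flags:/ {
            sub(/.*Flags: */, "")          # drop the label so its own "F" is not counted
            if (index($0, "F")) found = 1
            in_tgt = 0
        }
        END { exit (found ? 0 : 1) }
    '
}

# Adds a service principal against a pre-2.2 server, delegating the TGT
# only after confirming it can be forwarded.
# $1 = service principal, e.g. HTTP/proxy02.example.com
add_service_delegated() {
    if klist -f 2>/dev/null | tgt_is_forwardable; then
        ipa --delegate service-add "$1"
    else
        echo "TGT is not forwardable; run 'kinit -f' first" >&2
        return 1
    fi
}

# Constructed sample `klist -f` output for offline checking.
SAMPLE_FWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

SAMPLE_NOFWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'
```

Because a delegated TGT lets the receiving server act as the user toward any service, keep `--delegate` limited to servers that still need it (pre 2.2, per the reply above).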



