[Freeipa-users] howto modify krb principal attributes without kadmin.local

Thomas Jackson tomj at syn-packet.com
Wed May 16 22:08:34 UTC 2012


On Tue, May 15, 2012 at 3:24 PM, Simo Sorce <simo at redhat.com> wrote:

> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
> > So going through the documentation it's clearly laid out not to use
> > kadmin or kadmin.local when using freeipa.  I have been unable to find
> > how to replace this functionality in the documentation.
> >
> > If I could use kadmin.local on my kdc I would like to run the
> > following command....
> >
> > modprinc +requires_hwauth user
> >
> > Am I going to need to extend/modify the krb5 schema to modify
> > principals attributes in this way?
> >
> For this specific change you can use kadmin.local, but the IPA UI will
> not report anything to you about it.
>
> The flags part is still a weak point of the Web UI; if you want, you can
> open an RFE ticket to ask for better support for these flags. We need to
> do it at some point; we simply haven't yet, as we have concentrated on
> more important and pressing issues thus far.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
The following errors lead me to believe I am missing something, as
kadmin.local appears to have access issues when trying to modify a
principal.

kadmin.local:  modprinc +requires_hwauth user
modify_principal: User modification failed: Insufficient access while
modifying "user".

For good measure I've modified /var/kerberos/krb5kdc/kadm5.acl with the
correct ACLs for the domain and still encounter the same errors.

-ipa 2.1.3