[Freeipa-users] How to add 'generic' service?

Coy Hile coy.hile at coyhile.com
Fri Mar 27 19:33:48 UTC 2015


I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m having difficulty creating the service principal afs/realm-name at REALM. When I use ipa service-add, I get output thusly:

[root at ipa-us-east-2 ~]# ipa service-add afs/coyhile.com at COYHILE.COM
ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
[root at ipa-us-east-2 ~]# ipa service-add afs/coyhile.com at COYHILE.COM --force
ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.

It’s an arbitrary principal; it really shouldn’t matter…

So, being a knowledgeable administrator of both MIT and Heimdal KDCs, I decided to break out kadmin.


kadmin.local:  ank -randkey -e aes256-cts:normal afs/coyhile.com at COYHILE.COM
WARNING: no policy specified for afs/coyhile.com at COYHILE.COM; defaulting to no policy
add_principal: Kerberos database constraints violated while creating "afs/coyhile.com at COYHILE.COM".

This brings up two questions:

Firstly, is there some secret sauce I have to use to make ipa do my bidding here? On a related note, is there a way to restrict enctypes? Since everything that I’m dealing with is either recent Linux, recent Illumos, or (gag!) sufficiently recent Windows, I’d like to restrict everything to AES only and get rid of des3 and arcfour-hmac.



--
Coy Hile
coy.hile at coyhile.com
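The error in the post comes from how ipa service-add reads the principal: the instance component of `afs/coyhile.com@COYHILE.COM` (here `coyhile.com`) is taken as a host name, and the command refuses to proceed when no host entry by that name exists. The following is an added example, not code from the original post or from the FreeIPA project. It parses a principal into primary, instance and realm (honouring backslash escapes) and reproduces that pre-check against a constructed list of known hosts, so you can see which component the check is made on before touching a real KDC.

```python
"""Parse Kerberos principals of the form primary/instance@REALM and mimic
the host pre-check behind the ipa service-add error quoted in the post.

Added example, not from the original post or from FreeIPA itself.
KNOWN_HOSTS below is a constructed sample; in a real deployment the
list would come from `ipa host-find`.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]   # None for a principal with a single component
    realm: Optional[str]      # None when no '@REALM' suffix was given


def parse_principal(name: str) -> Principal:
    """Split a principal name into its components.

    An unescaped '/' separates components and an unescaped '@' starts the
    realm; a backslash escapes the next character so 'a\\@b' stays one
    piece. Components after the first are joined back into the instance.
    """
    components = []
    buf = []
    in_realm = False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True              # the rest of the string is the realm
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf)
    if in_realm:
        realm = tail
    else:
        realm = None
        components.append(tail)
    if not components or not components[0]:
        raise ValueError(f"principal has no primary component: {name!r}")
    instance = "/".join(components[1:]) if len(components) > 1 else None
    return Principal(components[0], instance, realm)


# Constructed sample of host entries an IPA server might know about.
KNOWN_HOSTS: FrozenSet[str] = frozenset({"ipa-us-east-2.coyhile.com"})


def ipa_service_add_precheck(name: str, known_hosts: FrozenSet[str]) -> str:
    """Reproduce the check implied by the post's error message: the instance
    of a service principal must match an existing host entry."""
    p = parse_principal(name)
    if p.instance is None:
        return f"ERROR: '{name}' has no instance (host) component"
    if p.instance.lower() not in known_hosts:
        # Same wording as the ipa output quoted in the post.
        return f"ERROR: The host '{p.instance}' does not exist to add a service to."
    return f"OK: would create {p.primary}/{p.instance}@{p.realm}"


if __name__ == "__main__":
    for candidate in ("afs/coyhile.com@COYHILE.COM",
                      "HTTP/ipa-us-east-2.coyhile.com@COYHILE.COM"):
        print(candidate, "->", ipa_service_add_precheck(candidate, KNOWN_HOSTS))
```

Running the block shows the first candidate failing exactly as in the post and the second passing, which makes the point that the check is on the instance string, not on whether the principal is "arbitrary": a service principal whose instance is a bare domain name will never match a host entry unless such an entry is created.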
