[Freeipa-users] How to add 'generic' service?

Rob Crittenden rcritten at redhat.com
Fri Mar 27 19:53:56 UTC 2015


Coy Hile wrote:
> I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m having difficulty creating the service principal afs/realm-name@REALM. When I use ipa service-add, I get output thusly:
> 
> [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile.com@COYHILE.COM
> ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
> [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile.com@COYHILE.COM --force
> ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
> 
> It’s an arbitrary principal; it really shouldn’t matter…

You need to create the host coyhile.com first.

> So, being a knowledgeable administrator of both MIT and Heimdal KDCs, I decided to break out kadmin.
> 
> 
> kadmin.local:  ank -randkey -e aes256-cts:normal afs/coyhile.com@COYHILE.COM
> WARNING: no policy specified for afs/coyhile.com@COYHILE.COM; defaulting to no policy
> add_principal: Kerberos database constraints violated while creating "afs/coyhile.com@COYHILE.COM".

Probably the same reason. We don't recommend using kadmin.local in general.

> 
> This brings up two questions:
> 
> Firstly, is there some secret sauce I have to use to make ipa do my bidding here?  On a related note is there a way to restrict enctypes?  Since everything that I’m dealing with is either recent Linux, recent Illumos, or (gag!) sufficiently recent Windows, I’d like to restrict everything to AES only and get rid of des3 and arcfour-hmac.

You can manage the default and enabled encryption types in
cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

I'm not sure if the KDC reads these on the fly so you may want to
restart it after modifying the values.

Or you can control what encryption types are used in keytabs using the
-e option to ipa-getkeytab.

A couple of keytabs are issued during install that will have other keys
so you may want/need to fetch new keytabs if you change the defaults.

rob
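The two places Rob points at, as an added example (not code from the thread or from FreeIPA itself): a POSIX shell script that derives the DN of the realm entry under cn=kerberos, prints an LDIF restricting its enctypes to AES, and re-fetches a keytab with ipa-getkeytab -e. The attribute names krbSupportedEncSaltTypes/krbDefaultEncSaltTypes, the suffix derivation from the realm, and the salt variants are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Assumes the realm's
# enctype settings live in cn=REALM,cn=kerberos,<suffix> as the attributes
# krbSupportedEncSaltTypes / krbDefaultEncSaltTypes, and that the suffix
# is the realm lower-cased with one dc= component per label.
# COYHILE.COM -> dc=coyhile,dc=com
realm_to_suffix() {
    suffix=""
    for label in $(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '.' ' '); do
        suffix="${suffix:+$suffix,}dc=$label"
    done
    printf '%s' "$suffix"
}

# DN of the realm container that carries the encryption type settings
realm_dn() {
    printf 'cn=%s,cn=kerberos,%s' "$1" "$(realm_to_suffix "$1")"
}

# LDIF that replaces both attributes with AES-only values, dropping des3
# and arcfour-hmac. Which salt variants (normal/special) a deployment needs
# is an assumption here; check the current values first with show_enctypes.
aes_only_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$(realm_dn "$1")"
    printf 'replace: krbSupportedEncSaltTypes\n'
    for t in aes256-cts:normal aes256-cts:special aes128-cts:normal aes128-cts:special; do
        printf 'krbSupportedEncSaltTypes: %s\n' "$t"
    done
    printf '%s\n' -
    printf 'replace: krbDefaultEncSaltTypes\n'
    printf 'krbDefaultEncSaltTypes: aes256-cts:special\n'
    printf 'krbDefaultEncSaltTypes: aes128-cts:special\n'
}

# Read the current values (run on the IPA server; prompts for the DM password)
show_enctypes() {
    ldapsearch -LLL -x -D 'cn=Directory Manager' -W -b "$(realm_dn "$1")" \
        krbSupportedEncSaltTypes krbDefaultEncSaltTypes
}

# Apply the change and restart the KDC, since it may not re-read the entry
apply_aes_only() {
    aes_only_ldif "$1" | ldapmodify -x -D 'cn=Directory Manager' -W
    systemctl restart krb5kdc
}

# Existing keytabs keep their old keys: re-fetch with AES enctypes only
# ($1 = IPA server, $2 = principal, $3 = keytab path)
refetch_aes_keytab() {
    ipa-getkeytab -s "$1" -p "$2" -k "$3" -e aes256-cts,aes128-cts
}
```

Run show_enctypes before apply_aes_only to see what the installer left in the entry, and re-fetch every keytab issued before the change.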
