[Freeipa-devel] solaris 10 x86 client instructions

Simo Sorce ssorce at redhat.com
Thu Jan 10 22:17:16 UTC 2008


On Thu, 2008-01-10 at 14:45 -0500, Rob Crittenden wrote:
> On the IPA server do (as root):
> 
> 1. edit /var/kerberos/krb5kdc/kdc.conf and remove aes256-cts:normal from
> supported_enctypes
> 2. service krb5kdc restart
> 3. kadmin.local
> 4. addprinc -randkey host/drew.freeipa.org@FREEIPA.ORG
> 5. ktadd -k /tmp/drew host/drew.freeipa.org@FREEIPA.ORG
> 6. quit
> 7. chmod 666 /tmp/drew

This will work, but it is really a dirty way of doing it.
First of all, changing just /var/kerberos/krb5kdc/kdc.conf will make it
inconsistent with the list we store in LDAP, and that's not nice.

Also this step is unnecessary as you can give ktadd the list of
encryption types you want to use IIRC.

Second, using kadmin.local you will create the service principal under
cn=kerberos and not under cn=services, until we have real computer
objects I think we should store host/fqdn principals under services.

A better procedure would be to just use ipa-getkeytab on a Fedora client
where you set the preferred enctypes in /etc/krb5.conf, after you create
the service principal host/fqdn@realm with the tool ipa-addservice (or
via the webui).

I am opening a ticket to myself to remember to allow specifying the list
of enctypes on ipa-getkeytab; this will solve the problem in a cleaner
way.

Simo.




-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
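Whichever route produces the keytab (kadmin.local's ktadd, which in MIT kadmin accepts the enctype list Simo recalls via its -e option, or ipa-getkeytab), the client-side question is the same: does the keytab contain only keys the Solaris 10 box can use, and is the file protected? The following is an added example, not code from the thread or from FreeIPA. It parses the text of `klist -ke` (a constructed sample in the MIT krb5 1.6-era layout, with a newer short-name form also handled) and flags aes256-cts keys plus a keytab whose mode grants anything to group or other. The assumption that aes256-cts is the only problematic enctype is this example's, taken from step 1 of the quoted procedure.

```python
"""Audit a keytab generated for a Solaris 10 x86 client.

Two checks the procedure in the thread leaves to the operator:
  * no key for the host principal uses an enctype the client cannot handle
    (the thread drops aes256-cts for Solaris 10),
  * the keytab file is not readable by group or world.

Keytab contents come from the text of `klist -ke <keytab>`; SAMPLE below is
constructed for this example, not captured from a real server.
"""
import os
import re
import stat
import sys

# Enctypes to refuse for this client (assumption: only AES-256 is a problem).
BLOCKED_ENCTYPES = {"aes256-cts"}

# One `klist -ke` entry line: "   2 host/x@REALM (enctype description)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed sample in the MIT krb5 1.6-era `klist -ke` layout.
SAMPLE = """\
Keytab name: FILE:/tmp/drew
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/drew.freeipa.org@FREEIPA.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/drew.freeipa.org@FREEIPA.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/drew.freeipa.org@FREEIPA.ORG (Triple DES cbc mode with HMAC/sha1)
   2 host/drew.freeipa.org@FREEIPA.ORG (ArcFour with HMAC/md5)
"""


def normalize_enctype(description):
    """Map klist's enctype description (old long form or newer short form)
    onto the short names used in kdc.conf's supported_enctypes."""
    d = description.lower()
    if "aes-256" in d or "aes256" in d:
        return "aes256-cts"
    if "aes-128" in d or "aes128" in d:
        return "aes128-cts"
    if "triple des" in d or "des3" in d:
        return "des3-hmac-sha1"
    if "arcfour" in d or "rc4" in d:
        return "arcfour-hmac"
    return d


def parse_klist(text):
    """Return [(kvno, principal, short_enctype)] parsed from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), normalize_enctype(m.group(3))))
    return entries


def blocked_keys(entries, blocked=BLOCKED_ENCTYPES):
    """Entries whose enctype the client cannot use."""
    return [e for e in entries if e[2] in blocked]


def keytab_mode_ok(mode):
    """True if the permission bits grant nothing to group or other.
    A `chmod 666` keytab hands the host's long-term keys to every local user."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def keytab_file_ok(path):
    """Apply keytab_mode_ok to a real file on disk."""
    return keytab_mode_ok(stat.S_IMODE(os.stat(path).st_mode))


def audit(klist_text, path=None):
    """Collect human-readable problems; an empty list means the keytab passes."""
    problems = []
    for kvno, princ, enc in blocked_keys(parse_klist(klist_text)):
        problems.append(f"{princ} kvno {kvno} has unsupported enctype {enc}")
    if path is not None and os.path.exists(path) and not keytab_file_ok(path):
        problems.append(f"{path} is readable by group or other; chmod 600 it")
    return problems


if __name__ == "__main__":
    # Usage: klist -ke /tmp/drew | python audit_keytab.py /tmp/drew
    # With no piped input the constructed SAMPLE is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for problem in audit(text, sys.argv[1] if len(sys.argv) > 1 else None):
        print(problem)
```

Run against the sample, the audit reports the AES-256 key only; a keytab generated after the enctype was removed (or after ktadd -e / ipa-getkeytab with a restricted list) should yield an empty report, and the file check should be done on the copy that actually lands on the Solaris host.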



