[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] solaris 10 x86 client instructions



On Thu, 2008-01-10 at 14:45 -0500, Rob Crittenden wrote:
> On the IPA server do (as root):
> 
> 1. edit /var/kerberos/krb5kdc/kdc.conf and remove aes256-cts:normal
> from 
> supported_enctypes
> 2. service krb5kdc restart
> 3. kadmin.local
> 4. addprinc -randkey host/drew freeipa org FREEIPA ORG
> 5. ktadd -k /tmp/drew host/drew freeipa org FREEIPA ORG
> 6. quit
> 7. chmod 666 /tmp/drew

This will work, but it is really a dirty way of doing it.
First of all changing just  /var/kerberos/krb5kdc/kdc.conf will make it
inconsistent with the list we store in LDAP and that's not nice.

Also this step is unnecessary as you can give ktadd the list of
encryption types you want to use IIRC.

Second, using kadmin.local you will create the service principal under
cn=kerberos and not under cn=services, until we have real computer
objects I think we should store host/fqdn principals under services.

A better procedure would be to just use ipa-getkeytab on a fedora client
where you set the preferred enctypes in /etc/krb5.conf after you create
the service principal host/fqnd realm with the tool ipa-addservice (or
via the webui).

I am opening a ticket to myself to remember to allow to specify the list
of enctypes on the ipa-getkeytab, this will solve the problem in a more
cleaner way.

Simo.




-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]