[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

Simo Sorce simo at redhat.com
Tue Dec 18 02:20:59 UTC 2012


On Tue, 2012-12-18 at 00:15 +0000, Johan Petersson wrote:
> Hi, 

Hi Johan,
see inline.

> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance;
> unfortunately, it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
> 
> 
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
> 
> 
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
> 
> 
> Any ideas on what is wrong and if it is possible to get it working?
> 
> 
> 
> 
> An unanticipated system error occurred:
> 
> 
> failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
> 


We do not allow tools the permission to perform add operations via the
kadmin interface; this is done by explicitly disallowing certain internal
DAL operations in our driver, so it is not configurable.

This is because that interface is not rich enough to provide all the
information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal?

It sounds very odd that these 'appliances' really require you to give
them credentials that have very high privileges, so high as to be able
to actually add principals into a kerberos database.
I would consider that a very serious bug and security issue in the
appliance.

Note that the kadmin interface can be allowed to change principals,
including getting a new keytab. That will require you to manually edit
the ACL file that is not normally configured as we do not need to allow
modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a
keytab, as opposed to trying to create one from scratch, then you may be
able to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home at HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
> 
> 
> Native file: <undefined> line ?
> Native stack trace:
> Message: <none>
> Wrapped exception: <none>
> Stack trace:
> <none>
> 
> 
>     at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
>     faultCode: 600
>     faultString: failed to create principal 'host/zfs1.home at HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
>     coStack: top.akMulticall(argv:<array> "[object Object]",
> abort:true, func:<function> "function (ret, err, idx) {\n\t\t\tif (err
> && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err,
> { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t
> \tcommitprop(callback);\n\t\t}")
> nasServiceNFS.prototype.commit(callback:<function> "function (err) {\n
> \t\tif (akHandleFault(err, {\n\t\t    set: view.aksvc_current_set\n\t
> \t    })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t
> \tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t
> \tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif
> (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t
> \takService.svc.setCompositeState(view.aksvc_id,\n\t\t
>  akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif
> (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t
> \tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t
> \tcallback();\n\t\t\t}\n\t\t});\n\t}")
> akSvcView.prototype.commitToServer(enable:false, callback:<function>
> "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif
> (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n
> \t\t}")
> akSvcView.prototype.commit(callback:null)
> <anonymous>(<object> "[object Object]", <object> "[object
> MouseEvent]")
> <anonymous>(e:<object> "[object MouseEvent]")
> [akEventListenerWrap,click,undefined](e:<object> "[object
> MouseEvent]")
> 
> 
>     faultName: EAK_KADM5
> 
> 
> In the kadmind.log on the IPA server I get the following:
> 
> 
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request:
> kadm5_init, admin at HOME, success, client=admin at HOME,
> service=kadmin/server.home at HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized
> request: kadm5_create_principal, host/zfs1.home at HOME,
> client=admin at HOME, service=kadmin/server.home at HOME, addr=192.168.0.112
> 
> 
> And in the krb5kdc.log:
> 
> 
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home at HOME
> for krbtgt/HOME at HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home at HOME
> for krbtgt/HOME at HOME, Client not found in Kerberos database

All this is pretty much expected if this appliance tries to create
principals via the kadmin add API.

> 
> If I add the host in IPA I instead get:
> 
> 
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin at HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin at HOME for
> kadmin/server.home at HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes
> {rep=18 tkt=18 ses=18}, admin at HOME for kadmin/server.home at HOME

I see no problem in here, so does the appliance cope with pre-existing
principals?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
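The exchange above turns on which kadm5 privilege the appliance's admin principal is granted: the "Unauthorized request: kadm5_create_principal" line is kadmind refusing the 'a' (add) privilege, while rekeying an existing principal (what a keytab fetch does) needs only 'c'. The following is an added example, not FreeIPA's or MIT krb5's code: a simplified offline model of the kadm5.acl(5) check (client pattern, privilege letters, optional target pattern; back-references such as `*1` and the restrictions field are not modelled) that replays kadmind.log request lines against a candidate ACL, so a scoped entry can be tried before the real file is edited. The log excerpt and both ACL texts are constructed for the example, using the principal names from the thread with `@` restored.

```python
"""Offline model of the kadm5.acl privilege check kadmind performs.

Added example for this thread; it is not FreeIPA's or MIT krb5's code
and it simplifies MIT's ACL semantics (no *N back-references, no
restrictions field). The first entry whose client pattern, and target
pattern if present, matches decides the request.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# kadm5.acl(5): 'x' and '*' mean every privilege except 'e' (extract keys).
ALL_PRIVS = set("admcilsp")

# kadmind RPC names as they appear in kadmind.log -> privilege required.
OP_PRIV = {
    "kadm5_create_principal": "a",
    "kadm5_delete_principal": "d",
    "kadm5_modify_principal": "m",
    "kadm5_chpass_principal": "c",
    "kadm5_randkey_principal": "c",   # what 'kadmin ktadd' does by default
    "kadm5_get_principal": "i",
    "kadm5_get_principal_keys": "e",  # 'ktadd -norandkey' (extract, no rekey)
}

LOG_RE = re.compile(
    r"(?:Unauthorized request|Request): (?P<op>kadm5_\w+), (?P<target>[^,]+), "
    r"(?:[^,]+, )?client=(?P<client>[^,]+)"
)


@dataclass
class AclEntry:
    client: str
    allow: set
    target: Optional[str]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'client privs [target]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        client, privs = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        allow, deny = set(), set()
        for ch in privs:
            if ch in "x*":
                allow |= ALL_PRIVS
            elif ch.islower():
                allow.add(ch)
            else:                      # upper-case letter = explicit denial
                deny.add(ch.lower())
        entries.append(AclEntry(client, allow - deny, target))
    return entries


def _glob(pat: str, s: str) -> bool:
    """'*' matches any run of characters; everything else is literal."""
    if not pat:
        return not s
    if pat[0] == "*":
        return any(_glob(pat[1:], s[i:]) for i in range(len(s) + 1))
    return bool(s) and pat[0] == s[0] and _glob(pat[1:], s[1:])


def _split(principal: str) -> Tuple[List[str], str]:
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, ""
    return name.split("/"), realm


def match_principal(pattern: str, principal: str) -> bool:
    """Component-wise match: same number of components, glob each one."""
    pn, pr = _split(pattern)
    cn, cr = _split(principal)
    return (len(pn) == len(cn)
            and all(_glob(a, b) for a, b in zip(pn, cn))
            and _glob(pr, cr))


def check(acl: List[AclEntry], client: str, op: str, target: str) -> bool:
    """May `client` perform kadmind RPC `op` on principal `target`?"""
    priv = OP_PRIV[op]
    for e in acl:
        if not match_principal(e.client, client):
            continue
        if e.target is not None and not match_principal(e.target, target):
            continue
        return priv in e.allow
    return False


def replay(acl: List[AclEntry], log: str) -> List[Tuple[str, str, str, bool]]:
    """Re-evaluate each logged request whose RPC is in OP_PRIV against acl."""
    out = []
    for m in LOG_RE.finditer(log):
        op, target, client = m.group("op"), m.group("target"), m.group("client")
        if op in OP_PRIV:
            out.append((op, client, target, check(acl, client, op, target)))
    return out


# Broad entry (constructed): the admin principal may do anything to anyone.
WEAK_ACL = "admin@HOME  *\n"

# Scoped entry (constructed): only rekey/inspect the two principals the
# appliance needs. No 'a' here either: per this thread FreeIPA refuses
# kadm5 adds in its KDB driver regardless of what the ACL file says.
SCOPED_ACL = """
admin@HOME  ci  host/zfs1.home@HOME
admin@HOME  ci  nfs/zfs1.home@HOME
"""

# Constructed kadmind.log excerpt shaped like the lines quoted in the thread.
SAMPLE_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:12:07 server.home kadmind[3614](Notice): Request: kadm5_randkey_principal, host/zfs1.home@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACL), ("scoped", SCOPED_ACL)):
        acl = parse_acl(text)
        for op, client, target, ok in replay(acl, SAMPLE_LOG):
            print(f"{name:6} {op:24} {client} -> {target}: "
                  f"{'allow' if ok else 'DENY'}")
```

Run stand-alone it shows that under the broad `*` entry the logged create would have been allowed (along with delete and modify of every principal in the realm), while the scoped `ci` entries still deny the create but permit the randkey the appliance would need on its own host and nfs principals only; `*` does not include 'e', so plain keytab extraction without rekeying stays denied under both. Whether the real kadmind accepts the scoped entries still depends on the FreeIPA driver restriction described in the reply above.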



