[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

Sigbjorn Lie sigbjorn at nixtra.com
Tue Dec 18 20:48:31 UTC 2012


On 12/18/2012 06:24 AM, Johan Petersson wrote:
> Hi,
>
> Unfortunately I still get the same error from the Appliance even after having added both host and nfs principals in the IPA web interface.
>
> "failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error:
>   43787522 (Operation requires ``add'' privilege)"
>
> I get the impression that the Appliance does not recognize existing principals since I still get the same create principal error.
> So it seems that it does not cope with pre-existing principals, at least not from IPA Server.
> I will contact Oracle about this issue and see what they say.
>
> Thank you for your help,
> Johan.

We have these ZFS Storage Appliances at work too. There is a way to 
access the root shell of the ZFS Storage Appliance. It's been a long 
time since I've done it, but a quick googling turned up this:

http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the "scp" command still exists when you get access to the 
shell of the Solaris OS, so you can copy the pre-created keytab into 
/etc/krb5/krb5.keytab.

CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS 
server and the NFS server. This file will already contain the keytab for 
the CIFS/SMB service if you have already joined the ZFS Storage 
Appliance to AD. In that case, copy the pre-created keytab from IPA into 
/etc/krb5/krb5.keytab-IPA, and use ktutil to merge the two files together.

I see I've kept the keytab from my AD in the beginning of the file and 
added the keytab from IPA to the end of the file. I do recall there 
being some significance to doing it this way.

I've written this howto for NexentaStor a while back. Perhaps this will 
be of some assistance to complete the configuration of the ZFS Storage 
Appliance too?

https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.



Regards,
Siggi
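
Added example, not part of the original message: a Python check of the merge order described above (AD entries first, IPA entries appended), which lists the principals in a merged keytab without exposing key material. It assumes the standard MIT keytab layout (file format 0x502); the AD realm, the cifs principal and the all-zero keys are constructed sample data, and ktutil remains the tool named in the message.

```python
import struct

KT_VERSION = b"\x05\x02"  # keytab file format 0x502: all fields big-endian

def build_entry(principal, realm, kvno, enctype, key):
    """Serialize one entry; used only to construct the sample keytabs below."""
    counted = lambda b: struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + b"".join(map(counted, [realm.encode(), *comps]))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + counted(key)
    body += struct.pack(">I", kvno)  # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype)] in file order, never the keys."""
    if data[:2] != KT_VERSION:
        raise ValueError("not a version 0x502 keytab")
    out, pos = [], 2
    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    counted = lambda: take(">%ds" % take(">H")[0])[0]  # uint16 length + bytes
    while pos + 4 <= len(data):
        size = take(">i")[0]
        if size <= 0:  # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        ncomp = take(">H")[0]
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _name_type, _timestamp, kvno, enctype = take(">IIBH")
        counted()  # key bytes are skipped, not returned
        if end - pos >= 4:
            kvno = take(">I")[0]  # 32-bit kvno overrides the 8-bit one
        out.append((f"{name}@{realm}", kvno, enctype))
        pos = end
    return out

def merge_keytabs(first, second):
    """Keep `first` as-is and append the entries of `second` after it."""
    parse_keytab(first), parse_keytab(second)  # validate both inputs first
    return first + second[2:]

# Constructed samples: all-zero dummy keys; the AD realm and cifs name are made up.
AD_KT = KT_VERSION + build_entry("cifs/zfs1.ad.example", "AD.EXAMPLE", 3, 23, bytes(16))
IPA_KT = KT_VERSION + b"".join(build_entry(p, "HOME", 1, 18, bytes(32))
                               for p in ("host/zfs1.home", "nfs/zfs1.home"))
```

Running `parse_keytab(merge_keytabs(AD_KT, IPA_KT))` lists the cifs entry first, followed by the host and nfs entries for the HOME realm.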
