[Freeipa-users] Solaris kerberos - fail

Sigbjorn Lie sigbjorn at nixtra.com
Wed Feb 15 23:07:15 UTC 2012


On 02/15/2012 11:51 PM, Simo Sorce wrote:
> On Wed, 2012-02-15 at 22:55 +0100, Sigbjorn Lie wrote:
>> On 02/15/2012 09:32 PM, Simo Sorce wrote:
>>> On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I see that the documentation for configuring kerberos on Solaris has
>>>> changed since the last time I looked.
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>>>
>>>> kclient fails if I pre-create the account in IPA, and attempt to kclient
>>>> configure the client. If I don't, it successfully retrieves a keytab for
>>>> the host, but I'm unable to add the host as a host in IPA as the
>>>> kerberos principal is already used.
>>>>
>>>> I suppose there is a LDAP ACL preventing me from doing this?
>>>>
>>>> Can I work around this somehow, having the host account in IPA and using
>>>> kclient to configure Solaris hosts at the same time?
>>> Sigbjorn,
>>> running kadmind in FreeIPA < 2.2 is completely unsupported and there are
>>> ACLs that explicitly prevent it from changing data in LDAP.
>>>
>>> I will investigate about those instructions and correct them as
>>> necessary, they appear incorrect.
>> Yes, I was a bit surprised when I noticed this in the documentation
>> given other postings on the list where use of kadmin and kadmin.local is
>> advised to be not supported.
>>
>> Does something change in 2.2 and upwards to support the use of kadmin ?
> Yes and no.
>
> In 2.2 we have our own kdb backend and we decided to retire ipa_kpasswd
> and use kadmind instead.
> But I still prevent kadmin from doing a lot of operations, because
> kadmind has no clue how to properly create an ipa computer object or an
> ipa user.
>
> In time we may teach kadmin how to properly handle some of the
> principals, but for now I am simply preventing it from messing up the
> tree by creating bare principals in the wrong place, with the wrong (or
> missing) data attached to it.

Would it be possible to allow it to retrieve a keytab for already
existing accounts?


Regards,
Siggi
