[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Wed Jul 11 20:01:28 UTC 2012



On 11/07/2012 3:23 PM, Simo Sorce wrote:
> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>> Because of the integration of Kerberos in IPA, Kerberos tools can be used
>> only in limited situations. When creating afs/DOMAIN@REALM with kadmin, I got
>> this error:
>> add_principal: Kerberos database constraints violated while creating
>> "afs/DOMAIN@REALM"
>>
> Use ipa service-add to add services, never use kadmin.local, it will not
> work, we hard-coded failures in the DB driver to prevent users from
> doing that as kadmin doesn't know where to put and how to properly fill
> up objects.
>
> However you can use kadmin.local on a pre-existing principal to obtain a
> new keytab.
>
> Simo.
>
Keytab with v4 salt was created successfully using kadmin; unfortunately OpenAFS
still spit out the same error message:
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
still does not like the fact that there is no host entry:
[root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

Thanks,
Qing





