[Freeipa-users] nsupdate refused

Petr Spacek pspacek at redhat.com
Mon Apr 29 08:04:55 UTC 2013


Hello,

On 28.4.2013 19:50, Jakub Hrozek wrote:
>> > >get a single machine to be able to perform any update, and have this as
>> > >one of the entries in my "bind update policy":
>> > >grant SERVICE\047foreman.collmedia.net@COLLMEDIA.NET  wildcard * ANY;

The string "SERVICE/ipaserver.example.com@EXAMPLE.COM" in the example is the full 
principal name, including the Kerberos REALM. The string "SERVICE" has to be 
replaced with the real service name.

Everything is case sensitive!

See http://www.zytrax.com/tech/survival/kerberos.html#terminology for some 
Kerberos basics.

>>Your zone update policy should include something like "grant
>>host/\047foreman.collmedia.net@COLLMEDIA.NET  wildcard * ANY;"

This example contains an error: The character '/' in the principal name has to be 
replaced with "\047". The corrected example is:
"grant host\047foreman.collmedia.net@COLLMEDIA.NET  wildcard * ANY;"

-- 
Petr^2 Spacek
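
The rules discussed in this message, as an added Python example that is not part of the original post or of FreeIPA: it builds a grant rule from a full principal name and lints existing rules for the mistakes the thread covers. The helper names `principal_to_grant` and `lint_grant` are hypothetical, and the sample rules are constructed from the ones quoted above.

```python
import re

# BIND reads the identity as a DNS name, where \DDD is a decimal escape:
# \047 is byte 47, the '/' character.
ESCAPED_SLASH = "\\047"

def principal_to_grant(principal, match_type="wildcard", name="*", rr_types="ANY"):
    """Build one update-policy rule from a full principal (service/host@REALM).
    Hypothetical helper; defaults mirror the rule quoted in the thread."""
    m = re.fullmatch(r"([^/@\s]+)/([^/@\s]+)@([^/@\s]+)", principal)
    if not m:
        raise ValueError(f"not a service/host@REALM principal: {principal!r}")
    service, host, realm = m.groups()  # case is preserved: matching is case sensitive
    return f"grant {service}{ESCAPED_SLASH}{host}@{realm} {match_type} {name} {rr_types};"

def lint_grant(rule):
    """Return the problems discussed in the thread for one grant rule (hypothetical helper)."""
    parts = rule.split()
    if len(parts) < 2 or parts[0] != "grant":
        return ["not a grant rule"]
    identity = parts[1]
    problems = []
    if "/" in identity:
        problems.append("literal '/' in identity; write \\047 instead")
    if ESCAPED_SLASH not in identity:
        problems.append("no \\047 separator between service and host")
    if "@" not in identity:
        problems.append("realm missing; use the full principal name")
    if identity.startswith(("SERVICE" + ESCAPED_SLASH, "SERVICE/")):
        problems.append("placeholder SERVICE not replaced with the real service name")
    return problems

# Constructed sample rules modelled on the ones quoted in the thread.
SAMPLES = [
    "grant SERVICE\\047foreman.collmedia.net@COLLMEDIA.NET wildcard * ANY;",
    "grant host/\\047foreman.collmedia.net@COLLMEDIA.NET wildcard * ANY;",
    "grant host\\047foreman.collmedia.net@COLLMEDIA.NET wildcard * ANY;",
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", lint_grant(rule) or "ok")
    print(principal_to_grant("host/foreman.collmedia.net@COLLMEDIA.NET"))
```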



