On 12/17/2012 07:15 PM, Johan Petersson wrote:
> Hi,
>
> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance;
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
> An unanticipated system error occurred:
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
Do you have this principal already precreated? It seems that the client
tries to create a principal using its kadmin library. I am not sure it
would work. The protocol we use in ipa-getkeytab is not a kadmin
protocol. As far as I recall it does an LDAP extended operation.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
> Native file: <undefined> line ?
> Native stack trace:
> Message: <none>
> Wrapped exception: <none>
> Stack trace:
> <none>
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request:
> kadm5_init, admin@HOME, success, client=admin@HOME,
> service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized
> request: kadm5_create_principal, host/zfs1.home@HOME,
> client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
>
> If I add the host in IPA I instead get:
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for
> kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes
> {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
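The kadmind.log and krb5kdc.log lines quoted in the thread are the evidence that the appliance is driving the kadmin protocol rather than the LDAP extended operation ipa-getkeytab uses. The following is an added example, not code from the thread or from FreeIPA, that parses both log formats and flags the two symptoms shown: a kadm5 operation the IPA kadmind refuses, and an AS_REQ for a host principal the KDC does not know yet. The sample lines are constructed after the quoted excerpts, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the kadmind.log / krb5kdc.log excerpts quoted in the thread.
SAMPLE_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
"""

_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
# kadmind audit line: "<kind>: <op>, <target>[, <status>], client=..., service=..., addr=..."
KADMIND_RE = re.compile(
    _PREFIX + r"kadmind\[\d+\]\(\w+\): (?P<kind>Unauthorized request|Request): "
    r"(?P<op>\w+), (?P<target>[^,]+),(?: (?P<status>[^,=]+),)? client=(?P<client>[^,]+), "
    r"service=(?P<service>[^,]+), addr=(?P<addr>[^,\s]+)"
)
# krb5kdc request line: "AS_REQ (...) <addr>: <RESULT>: <client> for <server>, <message>"
KDC_RE = re.compile(
    _PREFIX + r"krb5kdc\[\d+\]\(\w+\): (?P<req>[A-Z_]+) \(.*?\) (?P<addr>\S+): "
    r"(?P<result>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,\s]+),? ?(?P<msg>.*)$"
)


def parse_kadmind(line: str) -> Optional[Dict[str, str]]:
    """Parse one kadmind.log audit line into its fields, or None if it is not one."""
    m = KADMIND_RE.match(line)
    return m.groupdict() if m else None


def parse_kdc(line: str) -> Optional[Dict[str, str]]:
    """Parse one krb5kdc.log AS_REQ/TGS_REQ result line, or None if it is not one."""
    m = KDC_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> List[str]:
    """Flag the two symptoms from the thread: a kadmin client refused a privileged
    operation (principal creation over the kadmin protocol, which IPA's kadmind does
    not grant), and a host principal that does not exist in the KDC database yet."""
    findings: List[str] = []
    for line in log_text.splitlines():
        a = parse_kadmind(line)
        if a and a["kind"] == "Unauthorized request":
            findings.append(f"kadmind refused {a['op']} on {a['target']} for {a['client']} from {a['addr']}")
            continue
        k = parse_kdc(line)
        if k and k["result"] == "CLIENT_NOT_FOUND":
            findings.append(f"KDC has no principal {k['client']} ({k['req']} from {k['addr']})")
    return findings
```

Run `triage(SAMPLE_LOG)` to get the two findings; a NEEDED_PREAUTH line is parsed but not reported, since it is the normal preauth round-trip.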
