I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m having difficulty creating the service principal afs/realm-name@REALM. When I use ipa service-add, I get output thusly:
[root@ipa-us-east-2 ~]# ipa service-add afs/coyhile....@coyhile.com
ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.
[root@ipa-us-east-2 ~]# ipa service-add afs/coyhile....@coyhile.com --force
ipa: ERROR: The host 'coyhile.com' does not exist to add a service to.

It’s an arbitrary principal; it really shouldn’t matter… So, being a knowledgeable administrator of both MIT and Heimdal KDCs, I decided to break out kadmin.

kadmin.local: ank -randkey -e aes256-cts:normal afs/coyhile....@coyhile.com
WARNING: no policy specified for afs/coyhile....@coyhile.com; defaulting to no policy
add_principal: Kerberos database constraints violated while creating "afs/coyhile....@coyhile.com".

This brings up two questions: Firstly, is there some secret sauce I have to use to make ipa do my bidding here? On a related note, is there a way to restrict enctypes? Since everything that I’m dealing with is either recent Linux, recent Illumos, or (gag!) sufficiently recent Windows, I’d like to restrict everything to AES only and get rid of des3 and arcfour-hmac.

--
Coy Hile
coy.h...@coyhile.com
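For the enctype question, an added example that is not from the poster, FreeIPA or MIT: a small audit that parses MIT kadmin "getprinc" output (the "Key: vno N, enctype[:salt]" line format is assumed) and lists every key whose enctype falls outside an AES-only allow list, so des3 and arcfour-hmac keys show up before the principal's keys are regenerated. The sample output and principal name are constructed.

```python
import re
from typing import Dict, List

# AES-only allow list, as the poster wants; anything else gets flagged.
ALLOWED_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
}

# Constructed sample shaped like MIT kadmin 'getprinc' output; covers both
# the older "enctype:salt" and the newer bare "enctype" key lines.
SAMPLE_GETPRINC = """\
Principal: afs/example.test@EXAMPLE.TEST
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1:normal
Key: vno 3, arcfour-hmac:normal
"""

KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([^\s:]+)")


def parse_key_enctypes(getprinc_output: str) -> List[str]:
    """Return the enctype of every 'Key:' line, with any salt suffix stripped."""
    enctypes = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            enctypes.append(m.group(2))
    return enctypes


def weak_enctypes(getprinc_output: str) -> List[str]:
    """Enctypes on the principal that fall outside the AES allow list."""
    return [e for e in parse_key_enctypes(getprinc_output) if e not in ALLOWED_ENCTYPES]


def audit_principal(getprinc_output: str) -> Dict[str, object]:
    """Summarise one principal: name, every enctype present, and those to purge."""
    m = re.search(r"^Principal:\s+(\S+)", getprinc_output, re.MULTILINE)
    return {"principal": m.group(1) if m else None,
            "enctypes": parse_key_enctypes(getprinc_output),
            "weak": weak_enctypes(getprinc_output)}


if __name__ == "__main__":
    print(audit_principal(SAMPLE_GETPRINC))
```

Feed it the real "getprinc" text for each service principal to see which ones still carry non-AES keys.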