Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Johan Petersson
I pursued that idea myself earlier but when getting the huge warranty void 
message when accessing a shell + that the file system was read-only I gave up.
I will definitely look at it again and read the information you provided, thank 
you for your help.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Tuesday, December 18, 2012 21:48
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance 
host and nfs principals and keys to IPA/Free IPA.

On 12/18/2012 06:24 AM, Johan Petersson wrote:

Hi,

Unfortunately I still get the same error from the Appliance even after having
added both host and nfs principals in the IPA web interface.

"failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
 43787522 (Operation requires ``add'' privilege)"

I get the impression that the Appliance does not recognize existing principals 
since I still get the same create principal error.
So it seems that it does not cope with pre-existing principals, at least not
from IPA Server.
I will contact Oracle about this issue and see what they say.

Thank you for your help,
Johan.

We have these ZFS Storage Appliances at work too. There is a way to access the 
root shell of the ZFS Storage Appliance. It's been a long time since I've done 
it, but a quick googling turned up this:

http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the "scp" command still exists when you get access to the shell of
the Solaris OS, so you can copy the pre-created keytab into 
/etc/krb5/krb5.keytab.

CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS server 
and the NFS server. This file will already contain the keytab for the CIFS/SMB 
service if you have already joined the ZFS Storage Appliance to AD. In which 
case copy the pre-created keytab from IPA into /etc/krb5/krb5.keytab-IPA, and 
use ktutil to merge the two files together.

I see I've kept the keytab from my AD in the beginning of the file and added 
the keytab from IPA to the end of the file. I do recall there being some 
significance to doing it this way.

I've written this howto for NexentaStor a while back. Perhaps this will be of
some assistance to complete the configuration of the ZFS Storage Appliance too?

https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.



Regards,
Siggi

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Sigbjorn Lie

On 12/18/2012 06:24 AM, Johan Petersson wrote:

Hi,

Unfortunately I still get the same error from the Appliance even after having
added both host and nfs principals in the IPA web interface.

"failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
  43787522 (Operation requires ``add'' privilege)"

I get the impression that the Appliance does not recognize existing principals 
since I still get the same create principal error.
So it seems that it does not cope with pre-existing principals, at least not
from IPA Server.
I will contact Oracle about this issue and see what they say.

Thank you for your help,
Johan.


We have these ZFS Storage Appliances at work too. There is a way to 
access the root shell of the ZFS Storage Appliance. It's been a long 
time since I've done it, but a quick googling turned up this:


http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the "scp" command still exists when you get access to the
shell of the Solaris OS, so you can copy the pre-created keytab into 
/etc/krb5/krb5.keytab.


CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS 
server and the NFS server. This file will already contain the keytab for 
the CIFS/SMB service if you have already joined the ZFS Storage 
Appliance to AD. In which case copy the pre-created keytab from IPA into 
/etc/krb5/krb5.keytab-IPA, and use ktutil to merge the two files together.


I see I've kept the keytab from my AD in the beginning of the file and 
added the keytab from IPA to the end of the file. I do recall there 
being some significance to doing it this way.


I've written this howto for NexentaStor a while back. Perhaps this will 
be of some assistance to complete the configuration of the ZFS Storage 
Appliance too?


https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.



Regards,
Siggi
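
A post-merge check for the keytab procedure described in this message, as an added example that is not part of the original post: it parses the keytab file format (version 0x0502, as documented by MIT Kerberos) and confirms that the merged file is the AD entries followed by the IPA entries. It assumes the appliance's keytab uses that format; the AD realm, the cifs/ and nfs/ principal names and all key bytes are constructed sample values.

```python
# Added example, not from the thread; sample keytabs use dummy key bytes.
import struct

def parse_keytab(data):
    """Return entries in file order as (principal, kvno, enctype, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size: deleted entry (hole)
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def _parse_entry(buf):
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                     # uint16 length, then that many bytes
        nonlocal off
        n = take(">H")
        raw = buf[off:off + n]
        off += n
        return raw
    ncomp = take(">H")
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    take(">I")                         # name type
    take(">I")                         # timestamp
    kvno = take(">B")
    enctype = take(">H")
    key = counted()
    if len(buf) - off >= 4:            # optional 32-bit kvno
        kvno = take(">I") or kvno
    return ("/".join(comps) + "@" + realm, kvno, enctype, key)

def build_entry(principal, kvno, enctype, key):
    """Serialise one entry; used only to construct the samples below."""
    name, realm = principal.rsplit("@", 1)
    counted = lambda b: struct.pack(">H", len(b)) + b
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def check_merge(ad, ipa, merged):
    """Return problems found; [] means merged == AD entries + IPA entries."""
    a, i, m = parse_keytab(ad), parse_keytab(ipa), parse_keytab(merged)
    problems = []
    if m[:len(a)] != a:
        problems.append("AD entries are not intact at the start of the file")
    if m[len(a):] != i:
        problems.append("IPA entries are not appended unchanged at the end")
    seen = set()
    for princ, kvno, etype, _key in m:
        if (princ, kvno, etype) in seen:
            problems.append(f"duplicate entry: {princ} kvno {kvno} etype {etype}")
        seen.add((princ, kvno, etype))
    return problems

# Constructed samples: AD realm and the cifs/ and nfs/ names are made up.
AD_KT = b"\x05\x02" + build_entry("cifs/zfs1.home@AD.EXAMPLE", 3, 23, b"\x00" * 16)
IPA_KT = (b"\x05\x02" + build_entry("host/zfs1.home@HOME", 1, 18, b"\x11" * 32)
          + build_entry("nfs/zfs1.home@HOME", 1, 18, b"\x22" * 32))
GOOD = AD_KT + IPA_KT[2:]              # AD first, IPA appended
BAD = IPA_KT + AD_KT[2:]               # order reversed
```

With real files, pass the bytes of the original keytab, the IPA keytab and the merged keytab to `check_merge`; the key material is compared but never printed.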


Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Simo Sorce
On Tue, 2012-12-18 at 05:24 +, Johan Petersson wrote:
> Hi,
> 
> Unfortunately I still get the same error from the Appliance even after having
> added both host and nfs principals in the IPA web interface.
> 
> "failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
>  43787522 (Operation requires ``add'' privilege)"
> 
> I get the impression that the Appliance does not recognize existing 
> principals since I still get the same create principal error.
> So it seems that it does not cope with pre-existing principals, at least not
> from IPA Server.
> I will contact Oracle about this issue and see what they say.

Is there any support for using this appliance in an Active Directory
domain? It is possible that they have alternative instructions there.
IIRC AD also does not allow you to create principals via the kadmin
interface. However they may have tied the 'AD option', if any, in knots so
that it also doesn't work with anything but a real AD.

It would be nice to hear how Oracle justifies requiring high credentials
on an appliance otherwise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Johan Petersson
Hi,

Unfortunately I still get the same error from the Appliance even after having
added both host and nfs principals in the IPA web interface.

"failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
 43787522 (Operation requires ``add'' privilege)"

I get the impression that the Appliance does not recognize existing principals 
since I still get the same create principal error.
So it seems that it does not cope with pre-existing principals, at least not
from IPA Server.
I will contact Oracle about this issue and see what they say.

Thank you for your help,
Johan.

From: Simo Sorce [s...@redhat.com]
Sent: Tuesday, December 18, 2012 03:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance 
host and nfs principals and keys to IPA/Free IPA.

On Tue, 2012-12-18 at 00:15 +, Johan Petersson wrote:
> Hi,

Hi Johan,
see inline.

> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
>
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
>
>
> An unanticipated system error occurred:
>
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
>


We do not allow tools the permissions to perform add operations via the
kadmin interface, this is done by explicitly disallowing certain internal
DAL operations in our driver, so it is not configurable.

This is because that interface is not rich enough to provide all the
information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal?

It sounds very odd that these 'appliances' really require you to give
them credentials that have very high privileges, so high as to be able
to actually add principals into a Kerberos database.
I would consider that a very serious bug and security issue in the
appliance.

Note that the kadmin interface can be allowed to change principals,
including getting a new keytab. That will require you to manually edit
the ACL file that is not normally configured as we do not need to allow
modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a
keytab as opposed to try to create one from scratch then you may be able
to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
>
> Native file:  line ?
> Native stack trace:
> Message: 
> Wrapped exception: 
> Stack trace:
> 
>
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)

Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Simo Sorce
On Tue, 2012-12-18 at 00:15 +, Johan Petersson wrote:
> Hi, 

Hi Johan,
see inline.

> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
> 
> 
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
> 
> 
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
> 
> 
> Any ideas on what is wrong and if it is possible to get it working?
> 
> 
> 
> 
> An unanticipated system error occurred:
> 
> 
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
> 


We do not allow tools the permissions to perform add operations via the
kadmin interface, this is done by explicitly disallowing certain internal
DAL operations in our driver, so it is not configurable.

This is because that interface is not rich enough to provide all the
information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal?

It sounds very odd that these 'appliances' really require you to give
them credentials that have very high privileges, so high as to be able
to actually add principals into a Kerberos database.
I would consider that a very serious bug and security issue in the
appliance.

Note that the kadmin interface can be allowed to change principals,
including getting a new keytab. That will require you to manually edit
the ACL file that is not normally configured as we do not need to allow
modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a
keytab as opposed to try to create one from scratch then you may be able
to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
> 
> 
> Native file:  line ?
> Native stack trace:
> Message: 
> Wrapped exception: 
> Stack trace:
> 
> 
> 
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> 
> 
> faultName: EAK_KADM5
> 
> 
> In the kadmind.log on the IPA server I get the following:
> 
> 
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request:
> kadm5_init, admin@HOME, success, client=admin@HOME,
> service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized
> request: kadm5_create_principal, host/zfs1.home@HOME,
> client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
> 
> 
> And in the krb5kdc.log:
> 
> 
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0

Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Dmitri Pal
On 12/17/2012 07:15 PM, Johan Petersson wrote:
> Hi,
>
> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted is from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
> An unanticipated system error occurred:
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)

Do you have this principal already precreated?
It seems that the client tries to create a principal using its kadmin
library. I am not sure it would work.
The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as
I recall it does an LDAP extended operation.

>
> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
> Native file:  line ?
> Native stack trace:
> Message: 
> Wrapped exception: 
> Stack trace:
> 
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
>
> faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request:
> kadm5_init, admin@HOME, success, client=admin@HOME,
> service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized
> request: kadm5_create_principal, host/zfs1.home@HOME,
> client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
>
> If I add the host in IPA I instead get:
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for
> kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes
> {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Johan Petersson
Hi,

When trying to generate a host and nfs principal + keys from the Oracle ZFS
7120/7320 Appliance I get the following error message (note that the
information pasted is from a simulator but I get exactly the same error from
our real Appliances).
I can't generate a key on the IPA server and copy it to the Appliance
unfortunately it does not support that since it has a specialised web interface
and CLI.
The Appliance wants to generate the principals and keys itself after I add the
Kerberos information realm/KDC and admin principal.

NTP is synced and DNS is working with reverse, no firewalls and SELinux 
disabled.

I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the
same results.

Any ideas on what is wrong and if it is possible to get it working?


An unanticipated system error occurred:

failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 
(Operation requires ``add'' privilege)

Exception type: coXmlrpcFault
Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt 
error: 43787522 (Operation requires ``add'' privilege)
Mapped stack trace:

Native file:  line ?
Native stack trace:
Message: 
Wrapped exception: 
Stack trace:


at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
Additional native members:
faultCode: 600
faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt 
error: 43787522 (Operation requires ``add'' privilege)
coStack: top.akMulticall(argv: "[object Object]", abort:true, 
func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 
'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs 
});\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif 
(akHandleFault(err, {\n\t\tset: view.aksvc_current_set\n\t\t})) 
{\n\t\t\tif 
(callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t
 */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif 
(callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t
akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif 
(akHandleFault(err)) {\n\t\t\t\tif 
(callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif 
(callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
akSvcView.prototype.commitToServer(enable:false, callback: "function 
(error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && 
!error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
akSvcView.prototype.commit(callback:null)
( "[object Object]",  "[object MouseEvent]")
(e: "[object MouseEvent]")
[akEventListenerWrap,click,undefined](e: "[object MouseEvent]")

faultName: EAK_KADM5

In the kadmind.log on the IPA server I get the following:

Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, 
admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, 
addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: 
kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, 
service=kadmin/server.home@HOME, addr=192.168.0.112

And in the krb5kdc.log:

Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for 
krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for 
krbtgt/HOME@HOME, Client not found in Kerberos database

If I add the host in IPA I instead get:

Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION 
s4u-client=admin@HOME
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, 
Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 
ses=18}, admin@HOME for kadmin/server.home@HOME
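
An audit over kadmind.log lines of the kind shown in this post, as an added example that is not part of the original message: it reports database-changing kadmin requests that kadmind refused, and kadmin sessions opened from addresses outside an allow-list. The `admin_hosts` allow-list and the `WRITE_OPS` selection are assumptions of the example; the sample log is the two kadmind lines from the post, unwrapped.

```python
# Added example, not from the thread.
import re
from collections import Counter

# Constructed sample: the two kadmind.log lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kadmind\[\d+\]\(\w+\): "
    r"(?P<kind>Unauthorized request|Request): (?P<op>\w+), (?P<target>[^,]+), "
    r"(?:(?P<status>[^,=]+), )?client=(?P<client>[^,]+), "
    r"service=(?P<service>[^,]+), addr=(?P<addr>[^,\s]+)"
)

# kadmin operations that change the principal database (example's selection).
WRITE_OPS = {
    "kadm5_create_principal", "kadm5_delete_principal",
    "kadm5_modify_principal", "kadm5_rename_principal",
    "kadm5_randkey_principal", "kadm5_chpass_principal",
}

def parse(log_text):
    """Return one dict per recognised kadmind request line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def findings(log_text, admin_hosts=frozenset()):
    """Return (denied, foreign).

    denied:  refused write requests, keyed by (client, addr, op, target)
    foreign: successful kadmin sessions from addresses not in admin_hosts,
             keyed by (client, addr)
    """
    denied, foreign = Counter(), Counter()
    for e in parse(log_text):
        who = (e["client"], e["addr"])
        if e["kind"] == "Unauthorized request" and e["op"] in WRITE_OPS:
            denied[who + (e["op"], e["target"])] += 1
        elif (e["op"] == "kadm5_init" and e["status"] == "success"
              and e["addr"] not in admin_hosts):
            foreign[who] += 1
    return denied, foreign

if __name__ == "__main__":
    denied, foreign = findings(SAMPLE_LOG)
    for key, n in denied.items():
        print("denied write:", *key, "x", n)
    for key, n in foreign.items():
        print("kadmin session from non-admin host:", *key, "x", n)
```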