Hi folks,
maybe I missed something, but shouldn't admin have sufficient privileges to run
# ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
# reboot
:
:
# kinit admin
# ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
?
ipa-getkeytab failed with
Failed to parse result: PrincipalName not found.
I would have expected it to create the principal on the fly.
"admin" was created at freeipa install time on the first server, AFAIR. It is a member of the "admins" and "trust admins" groups.
I am concerned that I corrupted something. Every helpful comment is highly appreciated.
Harri
On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
> maybe I missed something, but shouldn't admin have sufficient privileges to run
> # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
> # reboot
> :
> :
> # kinit admin
> # ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
> ?
> ipa-getkeytab failed with
> Failed to parse result: PrincipalName not found.
> I would have expected it to create the principal on the fly.
ipa-getkeytab does not create a principal. It creates a key for an existing principal.
> "admin" was created at freeipa install time on the first server, AFAIR. It is a member of the "admins" and "trust admins" groups.
admin is one of the very few objects we pre-create. Everything else you have to create yourself.
> I am concerned that I corrupted something. Every helpful comment is highly appreciated.
It is good that nothing unexpected is created in the database on its own. ;)
Hi Alex,
On Fri, 10 Nov 2017 16:59:07 +0200 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote:
> > ipa-getkeytab failed with
> > Failed to parse result: PrincipalName not found.
> > I would have expected it to create the principal on the fly.
> ipa-getkeytab does not create a principal. It creates a key for an existing principal.
Do you think a one-shot solution could be implemented? I mean, the whole ipa-client-install can be run remotely, using just a single command line. That's great. It would be pretty cool if a service principal and the appropriate keytab file entry could be created within one step as well.
Regards Harri
On ma, 13 marras 2017, Harald Dunkel wrote:
> Hi Alex,
> On Fri, 10 Nov 2017 16:59:07 +0200 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote:
> > > ipa-getkeytab failed with
> > > Failed to parse result: PrincipalName not found.
> > > I would have expected it to create the principal on the fly.
> > ipa-getkeytab does not create a principal. It creates a key for an existing principal.
> Do you think a one-shot solution could be implemented? I mean, the whole ipa-client-install can be run remotely, using just a single command line. That's great. It would be pretty cool if a service principal and the appropriate keytab file entry could be created within one step as well.
You can implement that yourself since the IPA CLI is always part of the rpms/debs where ipa-client-install is located. However, we would probably avoid adding this by default because we try to keep actions separated: adding an object to IPA and enrolling an existing object are two distinct actions from a security point of view and we'd like to keep it this way.
There is a ticket for a future release to allow users to have a quota on objects they could create themselves (say, up to 10 hosts). We aren't there yet.
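The one-shot wrapper Alexander says you can build from the IPA CLI yourself, written out as an added example that is not part of this thread or of FreeIPA. It keeps the two actions he distinguishes as two separate calls: creating the service object (ipa service-add) and retrieving a key for it (ipa-getkeytab). It assumes the host is already enrolled with ipa-client-install and that a ticket for a principal allowed to add services and fetch keytabs is in the cache (kinit admin). `ipa service-show`, `ipa service-add` and `ipa-getkeytab -s/-p/-k` are the real FreeIPA commands; the DRYRUN variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: "create the service principal, then
# fetch its keytab" as one script, while keeping object creation and key
# retrieval as two distinct, individually auditable commands.
# Assumed: enrolled host, admin ticket in the cache. DRYRUN=1 only prints what
# would run, which is also what the checks below exercise offline.

# Print the host part of a principal such as HTTP/stretch1.vs.example.de@EXAMPLE.DE.
# Returns 1 for anything without a "service/host" shape, so a typo fails early
# instead of creating an oddly named object in the directory.
principal_host() {
    case "$1" in
        */?*) ;;
        *) return 1 ;;
    esac
    h=${1#*/}
    printf '%s\n' "${h%%@*}"
}

# Step 1: make sure the service object exists. ipa-getkeytab will not create it
# (hence "PrincipalName not found" above). service-add errors on a duplicate, so
# check with service-show first to keep the script re-runnable.
ensure_service_principal() {
    principal=$1
    principal_host "$principal" >/dev/null || { echo "malformed principal: $principal" >&2; return 1; }
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "ipa service-show $principal || ipa service-add $principal"
        return 0
    fi
    ipa service-show "$principal" >/dev/null 2>&1 || ipa service-add "$principal"
}

# Step 2: retrieve a key into the keytab. ipa-getkeytab generates a NEW key for
# the principal, so any keytab fetched earlier for the same principal stops working.
fetch_keytab() {
    server=$1 principal=$2 keytab=$3
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "ipa-getkeytab -s $server -p $principal -k $keytab && chmod 600 $keytab"
        return 0
    fi
    ipa-getkeytab -s "$server" -p "$principal" -k "$keytab" || return 1
    # The keytab holds the service's long-term key: owner-only access.
    chmod 600 "$keytab"
}

# server principal keytab
one_shot() {
    ensure_service_principal "$2" && fetch_keytab "$1" "$2" "$3"
}

# Usage: sh oneshot.sh ipa1.example.de HTTP/stretch1.vs.example.de /etc/apache2/apache2.keytab
# (prefix with DRYRUN=1 to only print the commands)
if [ $# -eq 3 ]; then
    one_shot "$1" "$2" "$3"
fi
```

Because each step is its own command, the audit trail on the server still shows a service-add followed by a keytab retrieval, which is the separation Alexander wants to preserve; the script only removes the manual step between them.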
On pe, 26 huhti 2019, aurelien--- via FreeIPA-users wrote:
> I got that trouble on RHEL7 8-/
> how do you resolve that??
'That trouble' is what?
If you are using the web interface to the mailing list to send your messages, make sure you are including enough context to understand your message.