Ok
I managed to create the database with my Kerberos Admin User. Then I wanted to check inside the database to see if an ADMIN for wallet was there. So I checked the table acl_entries inside the database and I got:
mysql> select * from acl_entries;
+-------+-----------+----------------------------------+
| ae_id | ae_scheme | ae_identifier                    |
+-------+-----------+----------------------------------+
|     1 | krb5      | USER@REALM                       |
The USER@REALM was exactly the user I used to execute the command 'wallet-admin initialize USER@REALM'.
After that I tried to create an object using:
wallet create keytab nfs/host.domain.org
I keep on getting: wallet: Access denied, and the remctl server says:
remctld: child 6927 for 172.16.8.190
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from USER@REALM (protocol 2)
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 6
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from USER@REALM: wallet create keytab nfs/host.domain.org
remctld: access denied: user USER@REALM, command wallet create
remctld: quit received, closing connection
remctld: child 6927 done
So I believe that I'm using the Wallet Admin user to create new objects, but it still seems that I don't have permissions to do it.
From: Russ Allbery [rra@stan...]
Sent: 04 May 2012 17:27
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos@mit....
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano@spil...> writes:
> I had some problems trying to execute the commands you recommend me with
> the admin user. Then, I've tried to start almost all over. I've erased
> the wallet database, I've created it again. I've added the wallet user
> and I've granted the permissions. But when I execute the command:
>
> $ wallet-admin initialize wallet
> I get the following error
> invalid admin principal wallet
The argument to initialize is a Kerberos principal.  It's the initial
membership of the ADMIN ACL.  See docs/setup:

    Now, you have to create the necessary tables, indexes, and similar
    content in the database so that the wallet can start working.  Run:

        wallet-admin initialize USER

    where USER is the fully-qualified Kerberos principal of an
    administrator.  This will create the database, create an ADMIN ACL,
    and put USER in that ACL so that user can add other administrators and
    start creating objects.

--
Russ Allbery (rra@stan...) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit....
https://mailman.mit.edu/mailman/listinfo/kerberos