[Freeipa-users] problem with keytab for ipa user-add

Petr Vobornik pvoborni at redhat.com
Mon Jun 1 08:55:24 UTC 2015


On 05/31/2015 12:21 PM, Bob Hinton wrote:
> Hello,
>
> I've written a Ruby script to add IPA users from CSV files. This works
> fine when specifying a username and password. However, using a keytab
> produces an error (see below). This seems to happen whatever I put in
> the keytab file.
>
> Any suggestions ?
>
> The VM in question has had its database restored using ipa-restore a
> number of times, so I don't know if this is a factor.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ./ipa-import-users -h
> Usage ipa-import-users [options] file1.csv ...
>      -u, --user USER                  Kerberos principal that can add users
>      -p, --password PASSWORD          Password for the above
>      -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
>      -v, --verbose                    enable verbose mode
>      -d, --debug                      enable debug mode
>      -c, --check                      check input files without applying them
> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
> Importing file example_users_file.csv...
> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"]
> username auser already defined
> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", "secrets2"]
> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones at somewhere.com" --password 2>&1
> Problem with file example_users_file.csv ipa error on james23 - ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
> -sh-4.2$ klist -kt ipa004.keytab
> Keytab name: FILE:ipa004.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK


How does the script obtain the ticket-granting ticket if a keytab is used? 
Does it just run:

   kinit -k

If so, then it will get a TGT for the principal 
host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for 
useradder at TEST.JACKLAND.UK. By default, hosts don't have permissions to 
add users.


> -sh-4.2$
>
> Installed Packages
> Name        : ipa-server
> Arch        : x86_64
> Version     : 4.1.0
> Release     : 18.el7_1.3
> Size        : 4.2 M
> Repo        : installed
> From repo   : rhel-7-server-rpms
> Summary     : The IPA authentication server
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). If you are installing an IPA server you need
>             : to install this package (in other words, most people should NOT install
>             : this package).
>


-- 
Petr Vobornik
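An added example, not taken from Bob's script or from FreeIPA itself, of how an import script could avoid the trap Petr describes: list the principals in the keytab, skip the host/ entries, and name the user principal explicitly on the kinit command line instead of relying on `kinit -k`. It assumes the `klist -kt` output format shown in the thread, and the `wanted` argument stands in for a hypothetical `--principal` option.

```ruby
require 'open3'

HOST_PRINCIPAL = %r{\Ahost/}

# Constructed sample of `klist -kt` output, modelled on the listing in the
# thread (two key entries per principal shown for brevity).
SAMPLE_KLIST = <<~KLIST
  Keytab name: FILE:ipa004.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
KLIST

# Parse `klist -kt` output into the unique principal names it contains.
# Entry lines look like: "   4 31/05/15 10:55:37 useradder@REALM".
def keytab_principals(klist_output)
  klist_output.each_line
              .map { |line| line[/\A\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*\z/, 1] }
              .compact
              .uniq
end

# Pick the principal to authenticate as. An explicit choice must exist in the
# keytab; otherwise take the first non-host principal. A keytab that holds
# only host/ keys is rejected, because a host principal cannot add users by
# default, which is exactly the "Insufficient access" error in the thread.
def select_principal(principals, wanted = nil)
  if wanted
    return wanted if principals.include?(wanted)
    raise ArgumentError, "principal #{wanted} not found in keytab"
  end
  user = principals.reject { |p| p.match?(HOST_PRINCIPAL) }.first
  raise ArgumentError, 'keytab holds only host/ principals; add a user principal' unless user
  user
end

# `kinit -k` alone picks the host/ key; naming the principal makes the
# keytab login act as the intended user.
def kinit_command(keytab, principal)
  ['kinit', '-kt', keytab, principal]
end

# End-to-end: inspect the keytab, choose the principal, obtain the TGT.
def kinit_with_keytab(keytab, wanted = nil)
  out, status = Open3.capture2('klist', '-kt', keytab)
  raise "klist failed for #{keytab}" unless status.success?
  principal = select_principal(keytab_principals(out), wanted)
  system(*kinit_command(keytab, principal)) or raise "kinit failed for #{principal}"
  principal
end
```

After `kinit_with_keytab('ipa004.keytab')` returns, `klist` should show the TGT for useradder rather than for the host principal, and the `ipa user-add` calls run with that identity's permissions.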