[Freeipa-users] problem with keytab for ipa user-add
Petr Vobornik
pvoborni at redhat.com
Mon Jun 1 08:55:24 UTC 2015
On 05/31/2015 12:21 PM, Bob Hinton wrote:
> Hello,
>
> I've written a Ruby script to add IPA users from CSV files. This works
> fine when specifying a username and password. However, using a keytab
> produces an error (see below). This seems to happen whatever I put in
> the keytab file.
>
> Any suggestions ?
>
> The VM in question has had its database restored using ipa-restore a
> number of times, so I don't know if this is a factor.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ./ipa-import-users -h
> Usage ipa-import-users [options] file1.csv ...
> -u, --user USER Kerberos principal that can add users
> -p, --password PASSWORD Password for the above
> -k, --keytab KEYTAB Login with the specified keytab
> instead of user and pass
> -v, --verbose enable verbose mode
> -d, --debug enable debug mode
> -c, --check check input files without applying them
> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
> Importing file example_users_file.csv...
> header line ["Username", " First Name", " Last Name", " Email Address",
> " Password"]
> Line 2 is ["auser", "Another", "User", "auser@test.com", "pass"]
> username auser already defined
> Line 3 is ["james23", "James", "Jones", "jamesjones@somewhere.com",
> "secrets2"]
> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones"
> --email="jamesjones@somewhere.com" --password 2>&1
> Problem with file example_users_file.csv ipa error on james23 - ipa:
> ERROR: Insufficient access: Could not read UPG Definition originfilter.
> Check your permissions.
> -sh-4.2$ klist -kt ipa004.keytab
> Keytab name: FILE:ipa004.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
How does the script obtain a ticket-granting ticket if a keytab is used?
Does it run just:
kinit -k
If so then it will get a TGT for the principal
host/ipa004.jackland.uk@TEST.JACKLAND.UK and not for
useradder@TEST.JACKLAND.UK. By default hosts don't have permissions to
add users.
> -sh-4.2$
>
> Installed Packages
> Name : ipa-server
> Arch : x86_64
> Version : 4.1.0
> Release : 18.el7_1.3
> Size : 4.2 M
> Repo : installed
> From repo : rhel-7-server-rpms
> Summary : The IPA authentication server
> URL : http://www.freeipa.org/
> Licence : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
> : user, virtual machines, groups, authentication
> credentials), Policy
> : (configuration settings, access control information) and
> Audit (events,
> : logs, analysis thereof). If you are installing an IPA
> server you need
> : to install this package (in other words, most people
> should NOT install
> : this package).
>
--
Petr Vobornik
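To illustrate Petr's point, here is an added Ruby sketch (not Bob's ipa-import-users script and not FreeIPA code) of how an import script can see which principals a keytab holds, note that a bare `kinit -k` asks for the local host principal, and instead request the TGT for the intended user principal with `kinit -kt <keytab> <principal>`. The `klist -kt` text is constructed to mirror the keytab in the thread; the function names are this example's own, and the `run` helper assumes the `klist`, `kinit` and `ipa` commands are installed when the script is actually invoked with a keytab path. It also shows the `ipa user-add` call built as an argv array with the password on stdin, so CSV fields are never handed to a shell the way the quoted `echo "..." | ipa user-add ...` line does.

```ruby
require 'open3'

# Constructed sample of `klist -kt` output, modelled on the keytab in the
# thread (not captured from a real host).
SAMPLE_KLIST = <<~KLIST
  Keytab name: FILE:ipa004.keytab
  KVNO Timestamp         Principal
  ---- ----------------- ------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
KLIST

# Distinct principals in a keytab, in order of appearance, parsed from
# `klist -kt` text: entry lines are "KVNO date time principal".
def keytab_principals(klist_output)
  klist_output.each_line.map do |line|
    fields = line.split
    fields[3] if fields.size >= 4 && fields[0].match?(/\A\d+\z/)
  end.compact.uniq
end

# What a bare `kinit -k` asks for: the local host principal
# (host/<hostname>@REALM), regardless of what else the keytab holds.
def default_kinit_principal(principals)
  principals.find { |p| p.start_with?('host/') } || principals.first
end

# The principal the import script actually needs: an explicit name if
# given (nil if absent from the keytab), otherwise the first principal
# without a '/' component, i.e. a user rather than a host/service.
def user_principal(principals, wanted = nil)
  return (principals.include?(wanted) ? wanted : nil) if wanted
  principals.find { |p| !p.include?('/') }
end

# argv for obtaining a TGT for exactly that principal from the keytab.
def kinit_argv(keytab, principal)
  ['kinit', '-kt', keytab, principal]
end

# argv for `ipa user-add`; the password is fed on stdin by `run`, and
# because this is an argv array (no shell), CSV fields cannot be read as
# shell syntax the way they could in an interpolated `echo ... | ipa ...`.
def ipa_user_add_argv(username, first, last, email)
  ['ipa', 'user-add', username, "--first=#{first}", "--last=#{last}",
   "--email=#{email}", '--password']
end

# Run a command without a shell; returns [combined output, success?].
def run(argv, stdin_data: nil)
  out, status = Open3.capture2e(*argv, stdin_data: stdin_data)
  [out, status.success?]
end

# Hypothetical usage: `ruby this.rb ipa004.keytab` (klist and kinit must
# be installed; with no argument nothing is executed).
if __FILE__ == $PROGRAM_NAME && ARGV.size == 1
  keytab = ARGV[0]
  listing, ok = run(['klist', '-kt', keytab])
  abort(listing) unless ok
  principal = user_principal(keytab_principals(listing))
  abort("no user principal in #{keytab}") unless principal
  out, ok = run(kinit_argv(keytab, principal))
  abort("kinit failed for #{principal}: #{out}") unless ok
  puts "TGT obtained for #{principal}"
end
```

Once the TGT belongs to `useradder@TEST.JACKLAND.UK`, whether `ipa user-add` succeeds is then a question of that user's IPA permissions (e.g. membership in a role allowed to add users), which is the "Insufficient access" check the host principal was failing.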