[Freeipa-users] problem with keytab for ipa user-add

Bob Hinton bob at jackland.demon.co.uk
Mon Jun 1 09:36:18 UTC 2015


On 01/06/2015 09:55, Petr Vobornik wrote:
> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>> Hello,
>>
>> I've written a Ruby script to add IPA users from CSV files. This works
>> fine when specifying a username and password. However, using a keytab
>> produces an error (see below). This seems to happen whatever I put in
>> the keytab file.
>>
>> Any suggestions?
>>
>> The VM in question has had its database restored using ipa-restore a
>> number of times, so I don't know if this is a factor.
>>
>> Thanks
>>
>> Bob
>>
>> -sh-4.2$ ./ipa-import-users -h
>> Usage ipa-import-users [options] file1.csv ...
>>      -u, --user USER                  Kerberos principal that can add users
>>      -p, --password PASSWORD          Password for the above
>>      -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
>>      -v, --verbose                    enable verbose mode
>>      -d, --debug                      enable debug mode
>>      -c, --check                      check input files without applying them
>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>> Importing file example_users_file.csv...
>> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"]
>> username auser already defined
>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", "secrets2"]
>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones at somewhere.com" --password 2>&1
>> Problem with file example_users_file.csv ipa error on james23 - ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
>> -sh-4.2$ klist -kt ipa004.keytab
>> Keytab name: FILE:ipa004.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>     4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>
>
> How does the script obtain ticket granting ticket if keytab is used?
> Does it run just:
>
>   kinit -k
>
> If so then it will get TGT for principal:
> host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for
> useradder at TEST.JACKLAND.UK . By default hosts don't have permissions
> to add users.
>
>

It uses kinit -kt. I got a "no suitable keys" error when the keytab only
included useradder, so I included the host to get around this (see below).

-sh-4.2$ klist -kt useradder.keytab
Keytab name: FILE:useradder.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
-sh-4.2$ kinit -kt useradder.keytab
kinit: Keytab contains no suitable keys for host/ipa004.test.jackland.uk at TEST.JACKLAND.UK while getting initial credentials
-sh-4.2$

>> -sh-4.2$
>>
>> Installed Packages
>> Name        : ipa-server
>> Arch        : x86_64
>> Version     : 4.1.0
>> Release     : 18.el7_1.3
>> Size        : 4.2 M
>> Repo        : installed
>> From repo   : rhel-7-server-rpms
>> Summary     : The IPA authentication server
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>>              : user, virtual machines, groups, authentication
>> credentials), Policy
>>              : (configuration settings, access control information) and
>> Audit (events,
>>              : logs, analysis thereof). If you are installing an IPA
>> server you need
>>              : to install this package (in other words, most people
>> should NOT install
>>              : this package).
>>
>
>
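Petr's point is that `kinit -kt` with no principal argument requests a TGT for the host principal, which is why the combined keytab authenticates as the host (no permission to add users) and the user-only keytab fails with "no suitable keys". The Ruby below is an added example, not Bob's script or anything shipped with FreeIPA: it lists the principals in a keytab, picks the wanted user and passes that principal to kinit explicitly; the klist sample is constructed from the listing in the thread.

```ruby
require 'open3'

# Constructed sample, modelled on the `klist -kt ipa004.keytab` listing above.
SAMPLE_KLIST = <<~OUT
  Keytab name: FILE:ipa004.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
OUT

# Parse `klist -kt` output into a de-duplicated, order-preserving list of
# principals (there is one entry per encryption type, so names repeat).
def keytab_principals(klist_output)
  klist_output.each_line
              .map { |l| l.strip.match(/\A(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\z/) }
              .compact
              .map { |m| m[2] }
              .uniq
end

# Without an explicit principal, kinit defaults to host/<fqdn>@REALM, so a
# keytab holding both host and user keys authenticates as the host.
# Return the full principal for `user`, or nil if the keytab lacks it.
def select_principal(principals, user)
  principals.find { |p| p.split('@', 2).first == user }
end

# Build argv for kinit as an array so nothing is interpolated through a shell.
def kinit_argv(keytab, principal)
  ['kinit', '-kt', keytab, principal]
end

# Obtain a TGT for `user` from `keytab`; raise instead of silently falling
# back to the host principal. Runs the real klist/kinit binaries.
def kinit_as_user(keytab, user)
  listing, status = Open3.capture2('klist', '-kt', keytab)
  raise "klist failed for #{keytab}" unless status.success?
  principal = select_principal(keytab_principals(listing), user)
  raise "#{keytab} has no key for #{user}" unless principal
  system(*kinit_argv(keytab, principal)) or raise 'kinit failed'
  principal
end
```

After `kinit_as_user('ipa004.keytab', 'useradder')`, `klist` should show `useradder@TEST.JACKLAND.UK` as the default principal rather than the host.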