[Freeipa-users] problem with keytab for ipa user-add

Petr Vobornik pvoborni at redhat.com
Mon Jun 1 10:01:58 UTC 2015


On 06/01/2015 11:36 AM, Bob Hinton wrote:
> On 01/06/2015 09:55, Petr Vobornik wrote:
>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've written a Ruby script to add IPA users from CSV files. This works
>>> fine when specifying a username and password. However, using a keytab
>>> produces an error (see below). This seems to happen whatever I put in
>>> the keytab file.
>>>
>>> Any suggestions ?
>>>
>>> The VM in question has had its database restored using ipa-restore a
>>> number of times, so I don't know if this is a factor.
>>>
>>> Thanks
>>>
>>> Bob
>>>
>>> -sh-4.2$ ./ipa-import-users -h
>>> Usage ipa-import-users [options] file1.csv ...
>>>       -u, --user USER                  Kerberos principal that can add users
>>>       -p, --password PASSWORD          Password for the above
>>>       -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
>>>       -v, --verbose                    enable verbose mode
>>>       -d, --debug                      enable debug mode
>>>       -c, --check                      check input files without applying them
>>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>>> Importing file example_users_file.csv...
>>> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
>>> Line 2 is ["auser", "Another", "User", "auser@test.com", "pass"]
>>> username auser already defined
>>> Line 3 is ["james23", "James", "Jones", "jamesjones@somewhere.com", "secrets2"]
>>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones@somewhere.com" --password 2>&1
>>> Problem with file example_users_file.csv ipa error on james23 - ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
>>> -sh-4.2$ klist -kt ipa004.keytab
>>> Keytab name: FILE:ipa004.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>
>>
>> How does the script obtain ticket granting ticket if keytab is used?
>> Does it run just:
>>
>>    kinit -k
>>
>> If so then it will get a TGT for the principal
>> host/ipa004.jackland.uk@TEST.JACKLAND.UK and not for
>> useradder@TEST.JACKLAND.UK. By default hosts don't have permissions
>> to add users.
>>
>>
>
> It uses kinit -kt. I got a "no suitable keys" error when the keytab only
> included useradder so I included the host to get around this (see below).
>
> -sh-4.2$ klist -kt useradder.keytab
> Keytab name: FILE:useradder.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
> -sh-4.2$ kinit -kt useradder.keytab
> kinit: Keytab contains no suitable keys for host/ipa004.test.jackland.uk@TEST.JACKLAND.UK while getting initial credentials


The default principal is used when kinit -kt is called without specifying 
the principal. The default principal is the local host principal. That is 
the reason why you are able to get a TGT if you add the host principal 
into the keytab. But, as I wrote, this principal doesn't have rights to 
add users.

The correct way is:
kinit -k -t useradder.keytab useradder@TEST.JACKLAND.UK


> -sh-4.2$
>
>>> -sh-4.2$
>>>
>>> Installed Packages
>>> Name        : ipa-server
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 4.2 M
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : The IPA authentication server
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA server you need
>>>             : to install this package (in other words, most people should NOT install
>>>             : this package).
>>>
>>
>>
>


-- 
Petr Vobornik
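The fix in the reply above (name the principal explicitly with kinit -k -t KEYTAB PRINCIPAL, because kinit -k alone defaults to the host principal, which has no right to add users) as an added Ruby example. This is not Bob's ipa-import-users script and not FreeIPA code; the klist listing it parses is a constructed sample modelled on the ones in the thread (with real "@" instead of the archive's " at "), and the function names, the private KRB5CCNAME cache and the CSV column order are assumptions. It also builds the ipa user-add call as an argv array with the password on stdin instead of the shell pipeline shown in the debug output, so CSV fields cannot alter the command.

```ruby
require 'open3'
require 'tmpdir'

# Constructed sample of `klist -kt` output, modelled on the listings in the
# thread (the mail archive rewrote "@" as " at "; real output uses "@").
SAMPLE_KLIST = <<~'OUT'
  Keytab name: FILE:ipa004.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
OUT

# Parse `klist -kt` output into the distinct principals it holds, in order.
# Entry lines start with a numeric KVNO; the header and separator lines do not.
def keytab_principals(klist_output)
  klist_output.each_line.map do |line|
    m = line.match(/\A\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\z/)
    m && m[4]
  end.compact.uniq
end

# `kinit -k` without a principal defaults to host/<fqdn>, which is why the
# keytab appeared to "need" the host key and why the resulting TGT could not
# add users. The importer therefore names the principal it wants and refuses
# to run if the keytab carries no key for it (hypothetical helper).
def choose_principal(klist_output, wanted)
  have = keytab_principals(klist_output)
  unless have.include?(wanted)
    raise ArgumentError, "keytab has no key for #{wanted} (contains: #{have.join(', ')})"
  end
  wanted
end

# argv for the corrected call from the reply: kinit -k -t KEYTAB PRINCIPAL
def kinit_argv(keytab, principal)
  ['kinit', '-k', '-t', keytab, principal]
end

# argv for `ipa user-add`. An array rather than a shell string, so CSV fields
# containing quotes or metacharacters cannot change the command; the password
# goes in on stdin (as the thread's `echo ... | ipa user-add --password` did)
# and never appears in the process arguments.
def user_add_argv(username, first, last, email)
  ['ipa', 'user-add', username,
   "--first=#{first}", "--last=#{last}", "--email=#{email}", '--password']
end

# Run argv without a shell. KRB5CCNAME points the TGT at a private credential
# cache so the import does not overwrite the invoking user's own tickets.
def run(argv, stdin_data: nil, ccache: nil)
  env = ccache ? { 'KRB5CCNAME' => ccache } : {}
  out, err, status = Open3.capture3(env, *argv, stdin_data: stdin_data)
  raise "#{argv.first} failed (#{status.exitstatus}): #{err.strip}" unless status.success?
  out
end

# Obtain a TGT for the named principal and add one user from a CSV row
# (assumed columns: Username, First Name, Last Name, Email Address, Password).
def import_user(keytab, principal, row, ccache:)
  username, first, last, email, password = row.map(&:strip)
  choose_principal(run(['klist', '-k', '-t', keytab]), principal)
  run(kinit_argv(keytab, principal), ccache: ccache)
  run(user_add_argv(username, first, last, email),
      stdin_data: "#{password}\n", ccache: ccache)
end

# Only runs when invoked directly, e.g.
#   ruby ipa-import-users.rb useradder.keytab useradder@TEST.JACKLAND.UK users.csv
if __FILE__ == $PROGRAM_NAME && ARGV.length == 3
  require 'csv'
  keytab, principal, path = ARGV
  ccache = "FILE:#{Dir.mktmpdir('ipa-import')}/ccache"
  CSV.foreach(path, headers: true) { |r| puts import_user(keytab, principal, r.fields, ccache: ccache) }
end
```

With a keytab that holds only the useradder key, choose_principal passes and kinit is told which entry to use, so the host key never has to be added; with the wrong principal it fails before any ticket is requested, which is the error Bob saw from kinit but raised earlier and with the keytab's actual contents in the message.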