[Freeipa-users] problem with keytab for ipa user-add
Petr Vobornik
pvoborni at redhat.com
Mon Jun 1 10:01:58 UTC 2015
On 06/01/2015 11:36 AM, Bob Hinton wrote:
> On 01/06/2015 09:55, Petr Vobornik wrote:
>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've written a Ruby script to add IPA users from CSV files. This works
>>> fine when specifying a username and password. However, using a keytab
>>> produces an error (see below). This seems to happen whatever I put in
>>> the keytab file.
>>>
>>> Any suggestions ?
>>>
>>> The VM in question has had its database restored using ipa-restore a
>>> number of times, so I don't know if this is a factor.
>>>
>>> Thanks
>>>
>>> Bob
>>>
>>> -sh-4.2$ ./ipa-import-users -h
>>> Usage ipa-import-users [options] file1.csv ...
>>> -u, --user USER Kerberos principal that can add
>>> users
>>> -p, --password PASSWORD Password for the above
>>> -k, --keytab KEYTAB Login with the specified keytab
>>> instead of user and pass
>>> -v, --verbose enable verbose mode
>>> -d, --debug enable debug mode
>>> -c, --check check input files without
>>> applying them
>>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>>> Importing file example_users_file.csv...
>>> header line ["Username", " First Name", " Last Name", " Email Address",
>>> " Password"]
>>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"]
>>> username auser already defined
>>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com",
>>> "secrets2"]
>>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones"
>>> --email="jamesjones at somewhere.com" --password 2>&1
>>> Problem with file example_users_file.csv ipa error on james23 - ipa:
>>> ERROR: Insufficient access: Could not read UPG Definition originfilter.
>>> Check your permissions.
>>> -sh-4.2$ klist -kt ipa004.keytab
>>> Keytab name: FILE:ipa004.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>> How does the script obtain ticket granting ticket if keytab is used?
>> Does it run just:
>>
>> kinit -k
>>
>> If so then it will get a TGT for the principal
>> host/ipa004.jackland.uk@TEST.JACKLAND.UK and not for
>> useradder@TEST.JACKLAND.UK. By default hosts don't have permissions
>> to add users.
> It uses kinit -kt. I got a "no suitable keys" error when the keytab only
> included useradder so I included the host to get around this (see below).
>
> -sh-4.2$ klist -kt useradder.keytab
> Keytab name: FILE:useradder.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
> -sh-4.2$ kinit -kt useradder.keytab
> kinit: Keytab contains no suitable keys for
> host/ipa004.test.jackland.uk@TEST.JACKLAND.UK while getting initial
> credentials
The default principal is used when klist -kt is called without specifying
the principal. The default principal is the local host principal. That is
the reason why you are able to get a TGT if you add the host principal
to the keytab. But, as I wrote, this principal doesn't have rights to
add users.
The correct way is:
kinit -k -t useradder.keytab useradder@TEST.JACKLAND.UK
>>> Installed Packages
>>> Name : ipa-server
>>> Arch : x86_64
>>> Version : 4.1.0
>>> Release : 18.el7_1.3
>>> Size : 4.2 M
>>> Repo : installed
>>> From repo : rhel-7-server-rpms
>>> Summary : The IPA authentication server
>>> URL : http://www.freeipa.org/
>>> Licence : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed
>>> Identity (machine,
>>> : user, virtual machines, groups, authentication
>>> credentials), Policy
>>> : (configuration settings, access control information) and
>>> Audit (events,
>>> : logs, analysis thereof). If you are installing an IPA
>>> server you need
>>> : to install this package (in other words, most people
>>> should NOT install
>>> : this package).
--
Petr Vobornik
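The failure in this thread is a silent principal fallback: `kinit -kt keytab` with no principal argument asks for `host/<fqdn>@REALM`, so the script obtained a host TGT and `ipa user-add` then failed with "Insufficient access". The following POSIX sh example is an added illustration, not code from the thread or from FreeIPA: it parses `klist -kt` output to find the one non-host principal in the keytab, builds the explicit `kinit -k -t keytab principal` invocation Petr recommends, and checks the resulting `klist` output so that a host TGT is detected before the import runs. The `klist` listings embedded below are constructed to mirror the ones posted above, and the keytab file name `useradder.keytab` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): pick the service principal
# out of a keytab, run kinit for it explicitly, and verify the TGT.

# Constructed sample of `klist -kt` output, modelled on the one in the thread.
SAMPLE_KLIST='Keytab name: FILE:ipa004.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK'

# Constructed keytab listing that holds only the host principal.
HOST_ONLY_KLIST='Keytab name: FILE:host.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK'

# Constructed `klist` (credential cache) output for the two outcomes.
TICKET_USER='Ticket cache: KEYRING:persistent:1000:1000
Default principal: useradder@TEST.JACKLAND.UK'
TICKET_HOST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: host/ipa004.jackland.uk@TEST.JACKLAND.UK'

# keytab_principals: distinct principals in a `klist -kt` listing read from
# stdin. Data rows start with the numeric KVNO; the principal is field 4
# (KVNO, date, time, principal).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# service_principal: the single non-host principal in the listing on stdin.
# Fails if there is none or more than one, because guessing is exactly the
# behaviour of `kinit -kt keytab` without a principal.
service_principal() {
    p=$(keytab_principals | awk '!/^host\//')
    n=$(printf '%s\n' "$p" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one non-host principal in keytab, found $n" >&2
        return 1
    fi
    printf '%s\n' "$p"
}

# kinit_command: the explicit invocation (principal named, not defaulted).
kinit_command() {
    printf 'kinit -k -t %s %s\n' "$1" "$2"
}

# ticket_matches: given `klist` output on stdin, succeed only if the cache's
# default principal is the one we asked for (catches the host/ fallback).
ticket_matches() {
    got=$(awk '/^Default principal:/ { print $3; exit }')
    [ "$got" = "$1" ]
}

# main: with a real keytab and Kerberos tools present, obtain and verify the
# TGT; otherwise show the selection logic on the constructed listing.
main() {
    keytab=${1:-useradder.keytab}   # assumed file name
    if command -v klist >/dev/null 2>&1 && [ -r "$keytab" ]; then
        principal=$(klist -kt "$keytab" | service_principal) || return 1
        kinit -k -t "$keytab" "$principal" || return 1
        if ! klist | ticket_matches "$principal"; then
            echo "TGT is not for $principal; refusing to run ipa user-add" >&2
            return 1
        fi
        echo "TGT obtained for $principal"
    else
        principal=$(printf '%s\n' "$SAMPLE_KLIST" | service_principal) || return 1
        echo "would run: $(kinit_command "$keytab" "$principal")"
    fi
}

# Usage: sh keytab-kinit.sh --demo [keytab]
if [ "${1:-}" = "--demo" ]; then
    main "$2"
fi
```

The host principal is deliberately excluded rather than merely de-prioritised: a keytab handed to an import script should carry only the identity that script is meant to act as, and a listing with both entries (as in the thread) is a sign the wrong keytab was built. The `ticket_matches` check after `kinit` is the cheap guard that would have turned the confusing "Insufficient access" from `ipa user-add` into a clear "TGT is for host/..." message.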