[Freeipa-users] problem with keytab for ipa user-add

Alexander Bokovoy abokovoy@redhat.com
Mon Jun 1 10:02:43 UTC 2015


On Mon, 01 Jun 2015, Bob Hinton wrote:
>On 01/06/2015 09:55, Petr Vobornik wrote:
>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've written a Ruby script to add IPA users from CSV files. This works
>>> fine when specifying a username and password. However, using a keytab
>>> produces an error (see below). This seems to happen whatever I put in
>>> the keytab file.
>>>
>>> Any suggestions ?
>>>
>>> The VM in question has had its database restored using ipa-restore a
>>> number of times, so I don't know if this is a factor.
>>>
>>> Thanks
>>>
>>> Bob
>>>
>>> -sh-4.2$ ./ipa-import-users -h
>>> Usage ipa-import-users [options] file1.csv ...
>>>      -u, --user USER                  Kerberos principal that can add
>>> users
>>>      -p, --password PASSWORD          Password for the above
>>>      -k, --keytab KEYTAB              Login with the specified keytab
>>> instead of user and pass
>>>      -v, --verbose                    enable verbose mode
>>>      -d, --debug                      enable debug mode
>>>      -c, --check                      check input files without
>>> applying them
>>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>>> Importing file example_users_file.csv...
>>> header line ["Username", " First Name", " Last Name", " Email Address",
>>> " Password"]
>>> Line 2 is ["auser", "Another", "User", "auser@test.com", "pass"]
>>> username auser already defined
>>> Line 3 is ["james23", "James", "Jones", "jamesjones@somewhere.com",
>>> "secrets2"]
>>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones@somewhere.com" --password 2>&1
>>> Problem with file example_users_file.csv ipa error on james23 - ipa:
>>> ERROR: Insufficient access: Could not read UPG Definition originfilter.
>>> Check your permissions.
>>> -sh-4.2$ klist -kt ipa004.keytab
>>> Keytab name: FILE:ipa004.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
>>>     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>>     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
>>
>>
>> How does the script obtain a ticket-granting ticket if a keytab is used?
>> Does it run just:
>>
>>   kinit -k
>>
>> If so then it will get a TGT for the principal
>> host/ipa004.jackland.uk@TEST.JACKLAND.UK and not for
>> useradder@TEST.JACKLAND.UK . By default hosts don't have permissions
>> to add users.
>>
>>
>
>It uses kinit -kt. I got a "no suitable keys" error when the keytab only
>included useradder so I included the host to get around this (see below).
>
>-sh-4.2$ klist -kt useradder.keytab
>Keytab name: FILE:useradder.keytab
>KVNO Timestamp         Principal
>---- ----------------- --------------------------------------------------------
>   3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>   3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>   3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>   3 31/05/15 10:37:07 useradder@TEST.JACKLAND.UK
>-sh-4.2$ kinit -kt useradder.keytab
>kinit: Keytab contains no suitable keys for
>host/ipa004.test.jackland.uk@TEST.JACKLAND.UK while getting initial
>credentials
And that is correct, because 'kinit -k' defaults to the host/fqdn.hostname
principal if no principal is specified.

kinit -k -t useradder.keytab useradder@TEST.JACKLAND.UK

would be the correct way to call it.

See manual page for kinit for more details.
-- 
/ Alexander Bokovoy
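The failure mode in this thread is that `kinit -k -t KEYTAB` with no principal argument defaults to `host/<fqdn>`, so a keytab holding only `useradder` fails with "no suitable keys", and a keytab padded with the host key silently authenticates as the host, which cannot add users. The Ruby below is an added example, not code from the thread or from the poster's `ipa-import-users` script: it parses `klist -kt` output, picks the non-host principal (refusing to guess when the keytab holds several), builds the `kinit -k -t KEYTAB PRINCIPAL` command the reply recommends, and runs it into a private credential cache so the import does not overwrite the invoking user's own tickets. The `klist -kt` row format it parses is the MIT Kerberos one shown in the thread; the function names and the `krb5cc_import_<pid>` cache name are this example's own choices.

```ruby
#!/usr/bin/env ruby
# Added example (not part of the thread): authenticate with a keytab as the
# intended user principal instead of letting kinit fall back to host/<fqdn>.
# Assumes MIT Kerberos `klist -kt` output, as shown in the thread.
require 'open3'
require 'tmpdir'

# Parse `klist -kt <keytab>` output into the distinct principals it contains.
# Data rows look like: "   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK"
def keytab_principals(klist_output)
  principals = []
  klist_output.each_line do |line|
    next unless line =~ /\A\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*\z/
    principals << $1 unless principals.include?($1)
  end
  principals
end

# Decide which principal to use: an explicit request must exist in the
# keytab; otherwise take the single non-host principal, and refuse to guess
# when there are none or several (a host/ key would only yield a TGT that
# cannot add users).
def choose_principal(principals, requested = nil)
  if requested
    raise ArgumentError, "#{requested} is not in the keytab" unless principals.include?(requested)
    return requested
  end
  users = principals.reject { |p| p.start_with?('host/') }
  raise ArgumentError, 'keytab holds no user principal; pass one explicitly' if users.empty?
  raise ArgumentError, "ambiguous keytab (#{users.join(', ')}); pass a principal" if users.size > 1
  users.first
end

# The command line the reply recommends: kinit -k -t <keytab> <principal>.
def kinit_command(keytab, principal)
  ['kinit', '-k', '-t', keytab, principal]
end

# Obtain a TGT for the chosen principal into a private ccache (hypothetical
# name krb5cc_import_<pid>) and return the principal plus the environment the
# caller should pass to `ipa` so it uses that cache.
def kinit_with_keytab(keytab, requested = nil)
  out, status = Open3.capture2e('klist', '-kt', keytab)
  raise "klist failed: #{out}" unless status.success?
  principal = choose_principal(keytab_principals(out), requested)
  ccache = File.join(Dir.tmpdir, "krb5cc_import_#{Process.pid}")
  env = { 'KRB5CCNAME' => "FILE:#{ccache}" }
  out, status = Open3.capture2e(env, *kinit_command(keytab, principal))
  raise "kinit failed for #{principal}: #{out}" unless status.success?
  [principal, env]
end

# Usage: ./kinit_keytab.rb useradder.keytab [useradder@TEST.JACKLAND.UK]
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  principal, env = kinit_with_keytab(*ARGV)
  puts "authenticated as #{principal}; run ipa with KRB5CCNAME=#{env['KRB5CCNAME']}"
end
```

Pass the returned `env` as the first argument to `Open3.capture2e` (or `system`) when invoking `ipa user-add`, so the import runs with the `useradder` TGT and nothing else on the box picks up that cache.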
