[Freeipa-users] problem with keytab for ipa user-add

Bob Hinton bob at jackland.demon.co.uk
Mon Jun 1 10:46:46 UTC 2015


On 01/06/2015 11:01, Petr Vobornik wrote:
> On 06/01/2015 11:36 AM, Bob Hinton wrote:
>> On 01/06/2015 09:55, Petr Vobornik wrote:
>>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>>> Hello,
>>>>
>>>> I've written a Ruby script to add IPA users from CSV files. This works
>>>> fine when specifying a username and password. However, using a keytab
>>>> produces an error (see below). This seems to happen whatever I put in
>>>> the keytab file.
>>>>
>>>> Any suggestions ?
>>>>
>>>> The VM in question has had its database restored using ipa-restore a
>>>> number of times, so I don't know if this is a factor.
>>>>
>>>> Thanks
>>>>
>>>> Bob
>>>>
>>>> -sh-4.2$ ./ipa-import-users -h
>>>> Usage ipa-import-users [options] file1.csv ...
>>>>       -u, --user USER                  Kerberos principal that can add users
>>>>       -p, --password PASSWORD          Password for the above
>>>>       -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
>>>>       -v, --verbose                    enable verbose mode
>>>>       -d, --debug                      enable debug mode
>>>>       -c, --check                      check input files without applying them
>>>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>>>> Importing file example_users_file.csv...
>>>> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
>>>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"]
>>>> username auser already defined
>>>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", "secrets2"]
>>>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones at somewhere.com" --password 2>&1
>>>> Problem with file example_users_file.csv ipa error on james23 - ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter.
>>>> Check your permissions.
>>>> -sh-4.2$ klist -kt ipa004.keytab
>>>> Keytab name: FILE:ipa004.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>      2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>>      2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>>      2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>>      2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>>      4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>>      4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>>      4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>>      4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>
>>>
>>> How does the script obtain ticket granting ticket if keytab is used?
>>> Does it run just:
>>>
>>>    kinit -k
>>>
>>> If so then it will get TGT for principal:
>>> host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for
>>> useradder at TEST.JACKLAND.UK . By default hosts don't have permissions
>>> to add users.
>>>
>>>
>>
>> It uses kinit -kt. I got a "no suitable keys" error when the keytab only
>> included useradder so I included the host to get around this (see
>> below).
>>
>> -sh-4.2$ klist -kt useradder.keytab
>> Keytab name: FILE:useradder.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>     3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>>     3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>>     3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>>     3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>> -sh-4.2$ kinit -kt useradder.keytab
>> kinit: Keytab contains no suitable keys for host/ipa004.test.jackland.uk at TEST.JACKLAND.UK while getting initial credentials
>
>
> Default principal is used when klist -kt is called without specifying
> the principal. Default principal is the local host principal. That is
> the reason why you are able to get TGT if you add the host principal
> into the keytab. But, as I wrote, this principal doesn't have rights
> to add users.
>
> Correct way is:
> kinit -k -t useradder.keytab useradder at TEST.JACKLAND.UK
>
>
Ah, that explains it.

Many thanks

Bob

>> -sh-4.2$
>>
>>>> -sh-4.2$
>>>>
>>>> Installed Packages
>>>> Name        : ipa-server
>>>> Arch        : x86_64
>>>> Version     : 4.1.0
>>>> Release     : 18.el7_1.3
>>>> Size        : 4.2 M
>>>> Repo        : installed
>>>> From repo   : rhel-7-server-rpms
>>>> Summary     : The IPA authentication server
>>>> URL         : http://www.freeipa.org/
>>>> Licence     : GPLv3+
>>>> Description : IPA is an integrated solution to provide centrally managed
>>>>             : Identity (machine, user, virtual machines, groups, authentication
>>>>             : credentials), Policy (configuration settings, access control
>>>>             : information) and Audit (events, logs, analysis thereof). If you
>>>>             : are installing an IPA server you need to install this package
>>>>             : (in other words, most people should NOT install this package).
>>>>
>>>
>>>
>>
>
>
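An added example (not the script from the thread) of the fix Petr describes: instead of a bare `kinit -kt KEYTAB`, which falls back to the host principal, the script lists the keytab, picks the intended user principal and passes it to `kinit -k -t` explicitly, failing early when the keytab has no key for it. The `klist -kt` sample is constructed from the thread's listing, and `keytab_entries` assumes a krb5 `klist` binary on PATH.

```ruby
# Added example (not the script from the thread): choose the right principal
# from a keytab before calling kinit, so the script authenticates as the
# intended service account rather than the host principal that a bare
# `kinit -kt KEYTAB` defaults to.
require 'open3'

# Parse `klist -kt` output into [{kvno:, principal:}, ...]; rows that
# differ only by encryption type collapse into one entry.
def parse_klist(output)
  output.each_line.map do |line|
    m = line.match(/^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$/)
    next unless m
    { kvno: m[1].to_i, principal: m[2] }
  end.compact.uniq
end

# User-style principals (e.g. useradder@REALM); host/ keys are skipped.
def user_principals(entries)
  entries.map { |e| e[:principal] }.reject { |p| p.start_with?('host/') }.uniq
end

# Build the kinit argv with an explicit principal; fail early when the
# keytab lacks it (the "no suitable keys" error seen in the thread).
def kinit_argv(keytab, principal, entries)
  unless entries.any? { |e| e[:principal] == principal }
    raise ArgumentError, "#{keytab} contains no keys for #{principal}"
  end
  ['kinit', '-k', '-t', keytab, principal]
end

# Read a real keytab (assumes the krb5 klist binary is on PATH).
def keytab_entries(keytab)
  out, status = Open3.capture2('klist', '-kt', keytab)
  raise "klist failed for #{keytab}" unless status.success?
  parse_klist(out)
end

# Constructed sample matching the listing in the thread.
SAMPLE_KLIST = <<~KLIST
  Keytab name: FILE:ipa004.keytab
  KVNO Timestamp         Principal
  ---- ----------------- ------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
     4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
KLIST

entries = parse_klist(SAMPLE_KLIST)
puts user_principals(entries).inspect   # ["useradder@TEST.JACKLAND.UK"]
puts kinit_argv('ipa004.keytab', 'useradder@TEST.JACKLAND.UK', entries).join(' ')
```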