[Freeipa-users] problem with keytab for ipa user-add

Bob Hinton bob at jackland.demon.co.uk
Sun May 31 10:21:45 UTC 2015


Hello,

I've written a Ruby script to add IPA users from CSV files. This works
fine when specifying a username and password. However, using a keytab
produces an error (see below). This seems to happen whatever I put in
the keytab file.

Any suggestions?

The VM in question has had its database restored using ipa-restore a
number of times, so I don't know if this is a factor.

Thanks

Bob

-sh-4.2$ ./ipa-import-users -h
Usage ipa-import-users [options] file1.csv ...
    -u, --user USER                  Kerberos principal that can add users
    -p, --password PASSWORD          Password for the above
    -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
    -v, --verbose                    enable verbose mode
    -d, --debug                      enable debug mode
    -c, --check                      check input files without applying them
-sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
Importing file example_users_file.csv...
header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
Line 2 is ["auser", "Another", "User", "auser@test.com", "pass"]
username auser already defined
Line 3 is ["james23", "James", "Jones", "jamesjones@somewhere.com", "secrets2"]
echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones@somewhere.com" --password 2>&1
Problem with file example_users_file.csv ipa error on james23 - ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
-sh-4.2$ klist -kt ipa004.keytab
Keytab name: FILE:ipa004.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
   2 18/05/15 14:23:24 host/ipa004.jackland.uk@TEST.JACKLAND.UK
   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
   4 31/05/15 10:55:37 useradder@TEST.JACKLAND.UK
-sh-4.2$

Installed Packages
Name        : ipa-server
Arch        : x86_64
Version     : 4.1.0
Release     : 18.el7_1.3
Size        : 4.2 M
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).



