[Freeipa-users] User, keytab, password and ldap

Martin Kosek mkosek at redhat.com
Thu Sep 24 07:40:06 UTC 2015


On 09/23/2015 04:32 PM, bahan w wrote:
> Hello !
> 
> I'm using IPA 3.0.0 and I have a problem with one of the users I created.
> user3
> 
> I created this user with the command ipa user-add without specifying any
> password.
> Then I performed an ipa-getkeytab command with the -P option to have a
> keytab and a password.
> 
> When I check the ldap server with the following command, I cannot find any
> "userpassword" field for this user.
> ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>
> 
> ###
> # user3, users, accounts, myrealm
> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
> displayName: user3 user3
> cn: user3 user3
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> sn: user3
> gecos: user3 user3
> homeDirectory: /home/user3
> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
> krbPrincipalName: user3 at MYREALM
> givenName: user3
> uid: user3
> initials: uu
> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
> uidNumber: <UIDUSER3>
> gidNumber: <GIDUSER3>
> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
> krbLastPwdChange: 20150923134438Z
> krbPrincipalKey:: <BLABLABLA>
> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
> krbLastSuccessfulAuth: 20150923120752Z
> krbLastFailedAuth: 20150923132257Z
> krbLoginFailedCount: 1
> ###
> 
> Then, with an admin ticket, I performed an ipa passwd user3 and I set a
> one-time password.
> Then I connected with user3 and he was able to change his one-time password
> into something else.
> And when I retried the ldapsearch command, the field userpassword was there.
> But the keytab is not working anymore.
> 
> So here is my question:
> How can I generate a user with a keytab, a password and the userpassword
> field in the ldap?

I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys
and the user password. So if you change the password, the existing keytab is
invalidated. If you get a keytab, the password is invalidated as a random key is
generated.

> The ipa-getkeytab -P option allows me to have both keytab and the password,
> but as the field userpassword is missing in the ldap, some other tools
> using ldapbackend authentication do not work for this user.

I assume this is not expected to work this way, but please let me CC Simo here,
if there is a problem in processing the -P option.
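As an added example (not part of the thread, and not FreeIPA code), here is an offline check for the state the thread describes: it parses an LDIF export such as the one quoted above and lists accounts that hold a krbPrincipalKey but no userPassword, i.e. accounts that will authenticate with Kerberos but fail an LDAP simple bind. The LDIF below is constructed sample data modelled on the quoted entry.

```python
import base64
from typing import Dict, List

# Constructed sample LDIF (not real directory data): user3 mirrors the thread's
# keytab-only entry, user4 is a contrasting account that also has userPassword.
SAMPLE_LDIF = """\
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
uid: user3
krbPrincipalName: user3@MYREALM
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: QkxBQkxBQkxB

dn: uid=user4,cn=users,cn=accounts,dc=myrealm
uid: user4
krbPrincipalName: user4@MYREALM
krbPrincipalKey:: QkxBQkxBQkxB
userPassword: {SSHA}constructed-placeholder-hash
"""

def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict of lower-cased attribute -> values per entry.
    'attr:: value' is base64 (binary values are kept as latin-1 text)."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entries

def keytab_only_accounts(entries: List[Dict[str, List[str]]]) -> List[str]:
    """uids with a Kerberos key but no userPassword: Kerberos works, LDAP simple bind will not."""
    return [e["uid"][0] for e in entries
            if "krbprincipalkey" in e and "userpassword" not in e]
```

Run it against a real export with `parse_ldif(open("users.ldif").read())` after an `ldapsearch -LLL ... > users.ldif` such as the one in the thread; the constructed sample flags only user3.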
