[Freeipa-users] User, keytab, password and ldap

Martin Kosek mkosek at redhat.com
Thu Sep 24 10:31:35 UTC 2015


Adding back freeipa-users. As for the -P option, I assume all it does is that
it does not use a random key when generating the keytab but rather the specified
password.

I do not know, however, if this non-random password can be used for normal LDAP
BINDs and thus should also be added to the userPassword attribute. I will also
wait for Simo's advice and then a ticket can be filed if this is really a bug.

On 09/24/2015 10:44 AM, bahan w wrote:
> Thank you for your answer, Martin.
> I am very interested in the answer from Simo.
> 
> Because ipa-getkeytab has this option -P specifically to have both a
> keytab and a password, it would make sense that this command should
> also update the LDAP for the user by adding the field userPassword, no?
> 
> Best regards.
> 
> Bahan
> 
> On Thu, Sep 24, 2015 at 9:40 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 09/23/2015 04:32 PM, bahan w wrote:
>>> Hello !
>>>
>>> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
>>> user3
>>>
>>> I created this user with the command ipa user-add without specifying any
>>> password.
>>> Then I performed an ipa-getkeytab command with the -P option to have a
>>> keytab and a password.
>>>
>>> When I check the LDAP server with the following command, I cannot find any
>>> "userpassword" field for this user.
>>> ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>
>>>
>>> ###
>>> # user3, users, accounts, myrealm
>>> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
>>> displayName: user3 user3
>>> cn: user3 user3
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> objectClass: mepOriginEntry
>>> loginShell: /bin/sh
>>> sn: user3
>>> gecos: user3 user3
>>> homeDirectory: /home/user3
>>> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
>>> krbPrincipalName: user3 at MYREALM
>>> givenName: user3
>>> uid: user3
>>> initials: uu
>>> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
>>> uidNumber: <UIDUSER3>
>>> gidNumber: <GIDUSER3>
>>> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
>>> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
>>> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
>>> krbLastPwdChange: 20150923134438Z
>>> krbPrincipalKey:: <BLABLABLA>
>>> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
>>> krbLastSuccessfulAuth: 20150923120752Z
>>> krbLastFailedAuth: 20150923132257Z
>>> krbLoginFailedCount: 1
>>> ###
>>>
>>> Then, with an admin ticket, I performed an ipa passwd user3 and I set a
>>> one-time password.
>>> Then I connected as user3 and he was able to change his one-time password
>>> into something else.
>>> And when I retried the ldapsearch command, the field userpassword was
>>> there.
>>> But the keytab is not working anymore.
>>>
>>> So here is my question :
>>> How can I generate a user with a keytab, a password and the userpassword
>>> field in LDAP?
>>
>> I do not think you can do that - by design. FreeIPA synchronizes Kerberos
>> keys and the user password. So if you change the password, the existing
>> keytab is invalidated. If you get a keytab, the password is invalidated as
>> a random key is generated.
>>
>>> The ipa-getkeytab -P option allows me to have both the keytab and the
>>> password, but as the field userpassword is missing in LDAP, some other
>>> tools using ldapbackend authentication do not work for this user.
>>
>> I assume this is not expected to work this way, but please let me CC Simo
>> here, if there is a problem in processing the -P option.
>>
>>
> 
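A check that follows from the thread, added here as an example (it is not code from the thread or from FreeIPA): given a user entry dumped by ldapsearch as above, report whether LDAP simple bind (needs userPassword) and Kerberos (needs krbPrincipalKey) can work, and decode krbExtraData to see when, and by which principal, the key was last set. It assumes the MIT kdb_ldap layout of krbExtraData (a 2-byte big-endian tl_data type; type 2 is KRB5_TL_MOD_PRINC and carries a 4-byte little-endian Unix time followed by the NUL-terminated modifier principal); the krbExtraData value in the post above decodes under that layout to the same instant as its krbLastPwdChange. The sample entry, its dummy krbPrincipalKey and the modifier principal admin@MYREALM are constructed for the example.

```python
"""Report which authentication paths a FreeIPA user entry can satisfy.

Added example, not code from the thread or from FreeIPA. Assumes ldapsearch
LDIF output and the MIT kdb_ldap encoding of krbExtraData (decode_mod_princ).
"""
import base64
import struct
from datetime import datetime, timezone

KRB5_TL_MOD_PRINC = 2  # tl_data type: "last modified at / by" record

# Constructed sample in the shape of the post's ldapsearch output. The
# krbExtraData value encodes: type 2, epoch 1443015878 (LE), "admin@MYREALM\0".
SAMPLE_LDIF = """\
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
objectClass: krbprincipalaux
uid: user3
krbPrincipalName: user3@MYREALM
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: AAEC
krbExtraData:: AALGrAJWYWRtaW5ATVlSRUFMTQA=
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.

    'attr: value' yields str; 'attr:: value' is base64 and yields bytes.
    Comments and blank lines are skipped; continuation lines (leading
    space) are folded onto the previous line as LDIF requires.
    """
    folded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entry = {}
    for line in folded:
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def decode_mod_princ(extra):
    """Decode one krbExtraData value into (tl_type, modified_at, modifier).

    Assumed layout: 2-byte big-endian type; for type 2 a 4-byte little-endian
    Unix time, then a NUL-terminated principal. Other types give (type, None, None).
    """
    if len(extra) < 2:
        return None, None, None
    (tl_type,) = struct.unpack(">H", extra[:2])
    if tl_type != KRB5_TL_MOD_PRINC or len(extra) < 7:
        return tl_type, None, None
    (ts,) = struct.unpack("<I", extra[2:6])
    who = extra[6:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return tl_type, datetime.fromtimestamp(ts, timezone.utc), who


def credential_state(ldif_text):
    """Summarise what the stored credentials of the entry can authenticate."""
    entry = parse_ldif(ldif_text)
    state = {
        # LDAP simple bind (the "ldapbackend" tools in the thread) needs userPassword.
        "simple_bind": "userpassword" in entry,
        # kinit with a keytab or a password needs a Kerberos key in the KDC entry.
        "kerberos": "krbprincipalkey" in entry,
        "last_key_change": entry.get("krblastpwdchange", [None])[0],
        "modified_at": None,
        "modified_by": None,
    }
    for raw in entry.get("krbextradata", []):
        tl_type, when, who = decode_mod_princ(raw)
        if tl_type == KRB5_TL_MOD_PRINC:
            state["modified_at"] = when.strftime("%Y%m%d%H%M%SZ")
            state["modified_by"] = who
    return state


def describe(state):
    """One-line reading of the state, in the terms used in the thread."""
    if state["kerberos"] and not state["simple_bind"]:
        return ("Kerberos key only: keytab/kinit can work, LDAP simple bind "
                "cannot (no userPassword); typical after ipa-getkeytab")
    if state["kerberos"] and state["simple_bind"]:
        return ("userPassword and Kerberos key both stored; a keytab only works "
                "if its kvno (klist -k) matches the KDC's current key")
    if state["simple_bind"]:
        return "userPassword only: simple bind can work, Kerberos cannot"
    return "no credentials stored: neither bind path can work"


if __name__ == "__main__":
    s = credential_state(SAMPLE_LDIF)
    for k, v in s.items():
        print(f"{k:>16}: {v}")
    print(describe(s))
```

Run it against a real entry by piping the output of the post's ldapsearch command into a file and passing that text to credential_state; the modified_at value should agree with krbLastPwdChange, and modified_by shows which principal (the admin who ran ipa-getkeytab, or the user who changed the password) set the current key.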