[Freeipa-users] User, keytab, password and ldap

Simo Sorce simo at redhat.com
Thu Sep 24 12:57:19 UTC 2015


On 24/09/15 03:40, Martin Kosek wrote:
> On 09/23/2015 04:32 PM, bahan w wrote:
>> Hello !
>>
>> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
>> user3
>>
>> I created this user with the command ipa user-add without specifying any
>> password.
>> Then I performed an ipa-getkeytab command with the -P option to have a
>> keytab and a password.
>>
>> When I check the ldap server with the following command, I cannot find any
>> "userpassword" field for this user.
>> ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>
>>
>> ###
>> # user3, users, accounts, myrealm
>> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
>> displayName: user3 user3
>> cn: user3 user3
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>> loginShell: /bin/sh
>> sn: user3
>> gecos: user3 user3
>> homeDirectory: /home/user3
>> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
>> krbPrincipalName: user3 at MYREALM
>> givenName: user3
>> uid: user3
>> initials: uu
>> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
>> uidNumber: <UIDUSER3>
>> gidNumber: <GIDUSER3>
>> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
>> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
>> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
>> krbLastPwdChange: 20150923134438Z
>> krbPrincipalKey:: <BLABLABLA>
>> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
>> krbLastSuccessfulAuth: 20150923120752Z
>> krbLastFailedAuth: 20150923132257Z
>> krbLoginFailedCount: 1
>> ###
>>
>> Then, with an admin ticket, I performed an ipa passwd user3 and set a one-time
>> password.
>> Then I connected as user3 and he was able to change his one-time password
>> into something else.
>> And when I retried the ldapsearch command, the field userpassword was there.
>> But the keytab is not working anymore.
>>
>> So here is my question:
>> How can I generate a user with a keytab, a password and the userpassword
>> field in the ldap?
>
> I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys
> and the user password. So if you change the password, the existing keytab is
> invalidated. If you get a keytab, the password is invalidated, as a random key is
> generated.
>
>> The ipa-getkeytab -P option allows me to have both the keytab and the password,
>> but as the field userpassword is missing in the ldap, some other tools
>> using ldapbackend authentication do not work for this user.
>
> I assume this is not expected to work this way, but please let me CC Simo here,
> if there is a problem in processing the -P option.

userPassword should be generated when using ipa-getkeytab -P; if it is 
not, please file a bug.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
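As an added example (not from this thread or the FreeIPA project), a small Python check over saved ldapsearch LDIF output that flags the state the original poster describes: an entry that has a krbPrincipalKey (so the keytab works) but no userPassword (so tools that do an LDAP simple bind fail). The LDIF below is constructed for the example; the key blob is a placeholder, not real key material.

```python
import base64

# Constructed LDIF modelled on the thread's ldapsearch output; key values are placeholders.
SAMPLE_LDIF = """\
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
uid: user3
krbPrincipalName: user3@MYREALM
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5LWJsb2I=

dn: uid=user4,cn=users,cn=accounts,
 dc=myrealm
uid: user4
krbPrincipalName: user4@MYREALM
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5LWJsb2I=
userPassword: {CONSTRUCTED}not-a-real-hash
"""

def parse_ldif(text):
    """Parse LDIF into entries: {lowercased attr: [values]}. Handles folded
    lines (leading space), '::' base64 values and '#' comment lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if line == "":                            # blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # '::' marks a base64 value
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        current.setdefault(attr.lower(), []).append(decoded)
    if current:
        entries.append(current)
    return entries

def keytab_only_users(entries):
    """uids with a Kerberos key but no userPassword: kinit with the keytab
    works, but an LDAP simple bind as this user (ldap-backend tools) fails."""
    return [e["uid"][0] for e in entries if "krbprincipalkey" in e and "userpassword" not in e]
```

Run it after `ipa-getkeytab -P` on an `ldapsearch -LLL` dump of the user entry: any uid it prints is in the state described in the thread and worth reporting as a bug.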



