[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 8 13:13:51 UTC 2016


On Fri, 08 Jan 2016, bahan w wrote:
>Hello !
>
>I send you this mail, because I have a problem with a user who needs keytab
>and password.
>I already sent a mail some time ago, and the answer was to use the option
>-P of the ipa-getkeytab command.
>
>I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
>cannot move to earlier versions unfortunately.
>
>Here is what I do:
>
>I create the user test001
>###
>ipa user-add --first=test --last=test test001
>###
>
>Initiate an OTP for user test001
>###
>ipa passwd test001 pwd001
>###
>
>Then I set a permanent password
>###
>kinit test001
>Password for test001 at MYREALM:
>Password expired.  You must change it now.
>Enter new password: pwd002pwd002
>Enter it again: pwd002pwd002
>###
>
>Then I perform an ldapsearch:
>###
>ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn
>server> -p 389 -W uid=test001
>Enter LDAP Password:
>###
>
>It worked.
>
>Then I generated a keytab for this user with a password:
>###
>ipa-getkeytab -s <fqdn ipa server> -p test001 -k
>/etc/security/keytabs/test001.headless.keytab -P
>New Principal Password: pwd003pwd003
>Verify Principal Password: pwd003pwd003
>Keytab successfully retrieved and stored in:
>/etc/security/keytabs/test001.headless.keytab
>###
>
>Then I perform a new ldapsearch
>###
>ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn
>server> -p 389 -W uid=test001
>Enter LDAP Password:
>###
>
>When I enter the password pwd003pwd003, it does not work, with the following
>result:
>###
>Enter LDAP Password:pwd003pwd003
>ldap_bind: Invalid credentials (49)
>###
>
>When I use the old password pwd002pwd002, it works.
>
>So my question:
>When I create the keytab with ipa-getkeytab, how can I also set the password in the
>LDAP?
>May I use ldappasswd?
When you are using ipa-getkeytab, it only changes the Kerberos keys. It
is a separate attribute from userPassword.

When you run kpasswd or 'ipa passwd', those will update all
password attributes, thanks to a special IPA password plugin that
synchronizes the userPassword value with all other attributes.

-- 
/ Alexander Bokovoy
