[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

Simo Sorce simo at redhat.com
Fri Jan 8 16:05:22 UTC 2016


On Fri, 2016-01-08 at 15:49 +0100, bahan w wrote:
> Re.
> 
> Thank you for your answer, I forgot to re-add Freeipa-users mailing list.
> 
> So I cannot modify the userPassword only and when I generate a keytab with
> ipa-getkeytab it doesn't update the userPassword.
> Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
> solved in a newer version of IPA ?

Hi Bahan,
this is a behavior of the older getkeytab control, that is in use in
RHEL6 (ipa 3.x versions). Due to the way this operation was built we do
not get a clear text password on the server so we can't generate
userPassword hashes.

In ipa4.x a better control has been introduced and userPassword is also
updated (as well as password policies are enforced) when a user uses
ipa-getkeytab.

On older servers what you can do to keep using a password as well as a
keytab is to first set the password with kpasswd and then use
ipa-getkeytab with the same password to store a keytab. This should
leave things in sync IIRC.

HTH,
Simo.

> Best regards.
> 
> Bahan
> 
> On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
> 
> > On Fri, 08 Jan 2016, bahan w wrote:
> >
> >> Hello Alexander.
> >>
> >> Thank you for your answer.
> >>
> > Please don't ask in private, use freeipa-users@ mailing list.
> >
> >> Is there a way to modify the field userPassword only?
> >> Do you know if ldappasswd modifies something else?
> >>
> > There is no way to modify userPassword attribute only. When you are
> > modifying userPassword attribute in FreeIPA, IPA's password plugin will
> > update all other password attributes, if there are any.
> >
> > --
> > / Alexander Bokovoy
> >


-- 
Simo Sorce * Red Hat, Inc * New York
