Adding back freeipa-users. As for the -P option, I assume all it does is that it does not use a random key when generating the keytab but rather the specified password.

I do not know, however, if this non-random password can be used for normal LDAP BINDs and thus should also be added to the userPassword attribute. I will also wait for Simo's advice and then a ticket can be filed if this is really a bug.

On 09/24/2015 10:44 AM, bahan w wrote:
> Thank you for your answer Martin.
> I am very interested in the answer from Simo.
> Because ipa-getkeytab has this option -P specifically to have both a keytab and a password, it would make sense that this command should also update the LDAP entry for the user by adding the userPassword field, no?
>
> Best regards.
>
> Bahan
>
> On Thu, Sep 24, 2015 at 9:40 AM, Martin Kosek <[email protected]> wrote:
>
>> On 09/23/2015 04:32 PM, bahan w wrote:
>>> Hello !
>>>
>>> I'm using IPA 3.0.0 and I have a problem with one of the users I created: user3
>>>
>>> I created this user with the command ipa user-add without specifying any password.
>>> Then I performed an ipa-getkeytab command with the -P option to have a keytab and a password.
>>>
>>> When I check the LDAP server with the following command, I cannot find any "userpassword" field for this user.
>>>
>>> ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>
>>>
>>> ###
>>> # user3, users, accounts, myrealm
>>> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
>>> displayName: user3 user3
>>> cn: user3 user3
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> objectClass: mepOriginEntry
>>> loginShell: /bin/sh
>>> sn: user3
>>> gecos: user3 user3
>>> homeDirectory: /home/user3
>>> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
>>> krbPrincipalName: user3@MYREALM
>>> givenName: user3
>>> uid: user3
>>> initials: uu
>>> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
>>> uidNumber: <UIDUSER3>
>>> gidNumber: <GIDUSER3>
>>> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
>>> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
>>> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
>>> krbLastPwdChange: 20150923134438Z
>>> krbPrincipalKey:: <BLABLABLA>
>>> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
>>> krbLastSuccessfulAuth: 20150923120752Z
>>> krbLastFailedAuth: 20150923132257Z
>>> krbLoginFailedCount: 1
>>> ###
>>>
>>> Then, with an admin ticket, I performed an ipa passwd user3 and I set a one-time password.
>>> Then I connected with user3 and he was able to change his one-time password into something else.
>>> And when I retried the ldapsearch command, the field userpassword was there.
>>> But the keytab is not working anymore.
>>>
>>> So here is my question:
>>> How can I generate a user with a keytab, a password and the userpassword field in the LDAP?
>>
>> I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys and the user password. So if you change the password, the existing keytab is invalidated. If you get a keytab, the password is invalidated as a random key is generated.
>>
>>> The ipa-getkeytab -P option allows me to have both the keytab and the password, but as the field userpassword is missing in the LDAP, some other tools using ldapbackend authentication do not work for this user.
>>
>> I assume this is not expected to work this way, but please let me CC Simo here, if there is a problem in processing the -P option.
>>
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
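A small check for the situation discussed in this thread, added here as an example and not part of the thread or of FreeIPA: given the LDIF that an ldapsearch like the one above returns for a user, report whether the entry carries a Kerberos key (krbPrincipalKey), a userPassword, both, or neither, so an admin can see at a glance which authentication path a user will actually pass. The sample LDIF is constructed from the entry quoted above with the key replaced by a placeholder; `fetch_user_ldif` is an assumed helper that uses the same `<IPASERVER>`/`<PORT>` placeholders and the base DN from the entry, and is not run here.

```shell
#!/bin/sh
# Added example (not from the thread): classify an IPA user entry by the
# credential attributes it holds. Constructed LDIF, modelled on the entry
# quoted in the thread; the key value is a placeholder.
SAMPLE_LDIF='dn: uid=user3,cn=users,cn=accounts,dc=myrealm
uid: user3
objectClass: krbprincipalaux
krbPrincipalName: user3@MYREALM
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: PLACEHOLDER_BASE64'

# has_attr LDIF ATTR -> success if ATTR appears in the entry.
# LDIF writes base64 values as "attr::", so matching "^attr:" covers both forms.
has_attr() {
    printf '%s\n' "$1" | grep -qi "^$2:"
}

# credential_state LDIF -> prints one of:
#   kerberos-only  krbPrincipalKey present, userPassword absent
#                  (the state after ipa-getkeytab in the thread)
#   both           both attributes present
#   password-only  userPassword present, no Kerberos key
#   none           neither attribute present
credential_state() {
    ldif=$1
    if has_attr "$ldif" krbPrincipalKey; then
        if has_attr "$ldif" userPassword; then echo both; else echo kerberos-only; fi
    else
        if has_attr "$ldif" userPassword; then echo password-only; else echo none; fi
    fi
}

# Assumed helper (not run here): fetch one user's entry from a live IPA
# directory, asking only for the two credential attributes. IPASERVER and
# PORT are placeholders, as in the thread; the bind prompts for the
# Directory Manager password.
fetch_user_ldif() {
    ldapsearch -x -LLL -D 'cn=Directory Manager' -W -h "$IPASERVER" -p "$PORT" \
        -b 'cn=users,cn=accounts,dc=myrealm' "(uid=$1)" userPassword krbPrincipalKey
}

# Example run against the constructed entry; against a live server one would
# use: credential_state "$(fetch_user_ldif user3)"
printf 'user3: %s\n' "$(credential_state "$SAMPLE_LDIF")"
```

The constructed entry classifies as kerberos-only, which is exactly why the tools in the thread that authenticate with an LDAP simple bind fail for user3: they look for userPassword, and a keytab generated by ipa-getkeytab only writes the Kerberos key.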
