On 06/01/2015 11:36 AM, Bob Hinton wrote:
On 01/06/2015 09:55, Petr Vobornik wrote:
On 05/31/2015 12:21 PM, Bob Hinton wrote:
Hello,

I've written a Ruby script to add IPA users from CSV files. This works
fine when specifying a username and password. However, using a keytab
produces an error (see below). This seems to happen whatever I put in
the keytab file.

Any suggestions?

The VM in question has had its database restored using ipa-restore a
number of times, so I don't know if this is a factor.

Thanks

Bob

-sh-4.2$ ./ipa-import-users -h
Usage ipa-import-users [options] file1.csv ...
      -u, --user USER                  Kerberos principal that can add
users
      -p, --password PASSWORD          Password for the above
      -k, --keytab KEYTAB              Login with the specified keytab
instead of user and pass
      -v, --verbose                    enable verbose mode
      -d, --debug                      enable debug mode
      -c, --check                      check input files without
applying them
-sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
Importing file example_users_file.csv...
header line ["Username", " First Name", " Last Name", " Email Address",
" Password"]
Line 2 is ["auser", "Another", "User", "au...@test.com", "pass"]
username auser already defined
Line 3 is ["james23", "James", "Jones", "jamesjo...@somewhere.com",
"secrets2"]
echo "secrets2" | ipa user-add james23 --first="James" --last="Jones"
--email="jamesjo...@somewhere.com" --password 2>&1
Problem with file example_users_file.csv ipa error on james23 - ipa:
ERROR: Insufficient access: Could not read UPG Definition originfilter.
Check your permissions.
-sh-4.2$ klist -kt ipa004.keytab
Keytab name: FILE:ipa004.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
     2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
     2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
     2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
     4 31/05/15 10:55:37 userad...@test.jackland.uk
     4 31/05/15 10:55:37 userad...@test.jackland.uk
     4 31/05/15 10:55:37 userad...@test.jackland.uk
     4 31/05/15 10:55:37 userad...@test.jackland.uk


How does the script obtain a ticket-granting ticket if a keytab is used?
Does it run just:

   kinit -k

If so, then it will get a TGT for the principal
host/ipa004.jackland...@test.jackland.uk and not for
userad...@test.jackland.uk. By default, hosts don't have permissions
to add users.



It uses kinit -kt. I got a "no suitable keys" error when the keytab only
included useradder so I included the host to get around this (see below).

-sh-4.2$ klist -kt useradder.keytab
Keytab name: FILE:useradder.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
    3 31/05/15 10:37:07 userad...@test.jackland.uk
    3 31/05/15 10:37:07 userad...@test.jackland.uk
    3 31/05/15 10:37:07 userad...@test.jackland.uk
    3 31/05/15 10:37:07 userad...@test.jackland.uk
-sh-4.2$ kinit -kt useradder.keytab
kinit: Keytab contains no suitable keys for
host/ipa004.test.jackland...@test.jackland.uk while getting initial
credentials


The default principal is used when klist -kt is called without specifying the principal. The default principal is the local host principal. That is the reason why you are able to get a TGT if you add the host principal into the keytab. But, as I wrote, this principal doesn't have rights to add users.

The correct way is:
kinit -k -t useradder.keytab userad...@test.jackland.uk


Installed Packages
Name        : ipa-server
Arch        : x86_64
Version     : 4.1.0
Release     : 18.el7_1.3
Size        : 4.2 M
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).
--
Petr Vobornik
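The fix Petr describes (name the principal explicitly so kinit does not fall back to the local host principal) is easy to bake into an import script. The following Ruby is an added example, not the script from the thread: it parses `klist -kt` output, picks the non-host principal from the keytab, and builds the `kinit -k -t KEYTAB PRINCIPAL` command. The keytab listing, principal names and realm are constructed sample data.

```ruby
require 'open3'

# Constructed sample of `klist -kt` output, laid out like the listings in the
# thread: host keys plus a user principal, one line per encryption type.
SAMPLE_KLIST = <<~KLIST
  Keytab name: FILE:useradder.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     4 31/05/15 10:55:37 useradder@EXAMPLE.TEST
     4 31/05/15 10:55:37 useradder@EXAMPLE.TEST
KLIST

# Parse `klist -kt` output into a de-duplicated list of principals (first
# occurrence order). Header and separator lines have fewer than four fields
# or no numeric KVNO, so they are skipped.
def keytab_principals(klist_output)
  klist_output.each_line
              .map(&:split)
              .select { |f| f.size == 4 && f[0] =~ /\A\d+\z/ && f[3].include?('@') }
              .map { |f| f[3] }
              .uniq
end

# Choose the principal kinit should use: the user principal, never host/...,
# because a host principal has no rights to add users. Returns nil when the
# keytab only holds service principals.
def user_principal(principals)
  principals.reject { |p| p.start_with?('host/') }.first
end

# Build the kinit argv with the principal spelled out, which is what avoids
# the "no suitable keys for host/..." failure seen in the thread.
def kinit_argv(keytab, principal)
  raise ArgumentError, "no user principal found in #{keytab}" if principal.nil?
  ['kinit', '-k', '-t', keytab, principal]
end

# Run kinit and return [success?, combined output]. Needs a reachable KDC,
# so it is only called from a real import run, never from the test.
def obtain_tgt(keytab, principal)
  out, status = Open3.capture2e(*kinit_argv(keytab, principal))
  [status.success?, out]
end
```

In a real run, `klist -kt useradder.keytab` output would be fed to `keytab_principals`, and `obtain_tgt` called before the first `ipa user-add`.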

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project