On Mon, 01 Jun 2015, Bob Hinton wrote:
On 01/06/2015 09:55, Petr Vobornik wrote:
On 05/31/2015 12:21 PM, Bob Hinton wrote:
Hello,

I've written a Ruby script to add IPA users from CSV files. This works
fine when specifying a username and password. However, using a keytab
produces an error (see below). This seems to happen whatever I put in
the keytab file.

Any suggestions?

The VM in question has had its database restored using ipa-restore a
number of times, so I don't know if this is a factor.

Thanks

Bob

-sh-4.2$ ./ipa-import-users -h
Usage ipa-import-users [options] file1.csv ...
     -u, --user USER                  Kerberos principal that can add
users
     -p, --password PASSWORD          Password for the above
     -k, --keytab KEYTAB              Login with the specified keytab
instead of user and pass
     -v, --verbose                    enable verbose mode
     -d, --debug                      enable debug mode
     -c, --check                      check input files without
applying them
-sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
Importing file example_users_file.csv...
header line ["Username", " First Name", " Last Name", " Email Address",
" Password"]
Line 2 is ["auser", "Another", "User", "au...@test.com", "pass"]
username auser already defined
Line 3 is ["james23", "James", "Jones", "jamesjo...@somewhere.com",
"secrets2"]
echo "secrets2" | ipa user-add james23 --first="James" --last="Jones"
--email="jamesjo...@somewhere.com" --password 2>&1
Problem with file example_users_file.csv ipa error on james23 - ipa:
ERROR: Insufficient access: Could not read UPG Definition originfilter.
Check your permissions.
-sh-4.2$ klist -kt ipa004.keytab
Keytab name: FILE:ipa004.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
    4 31/05/15 10:55:37 userad...@test.jackland.uk
    4 31/05/15 10:55:37 userad...@test.jackland.uk
    4 31/05/15 10:55:37 userad...@test.jackland.uk
    4 31/05/15 10:55:37 userad...@test.jackland.uk


How does the script obtain ticket granting ticket if keytab is used?
Does it run just:

  kinit -k

If so then it will get TGT for principal:
host/ipa004.jackland...@test.jackland.uk and not for
userad...@test.jackland.uk . By default hosts don't have permissions
to add users.



It uses kinit -kt. I got a "no suitable keys" error when the keytab only
included useradder so I included the host to get around this (see below).

-sh-4.2$ klist -kt useradder.keytab
Keytab name: FILE:useradder.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  3 31/05/15 10:37:07 userad...@test.jackland.uk
  3 31/05/15 10:37:07 userad...@test.jackland.uk
  3 31/05/15 10:37:07 userad...@test.jackland.uk
  3 31/05/15 10:37:07 userad...@test.jackland.uk
-sh-4.2$ kinit -kt useradder.keytab
kinit: Keytab contains no suitable keys for
host/ipa004.test.jackland...@test.jackland.uk while getting initial
credentials
And that is correct because 'kinit -k' defaults to the host/fqdn.hostname
principal if no principal is specified.

kinit -k -t useradder.keytab userad...@test.jackland.uk

would be the correct way to call it.

See manual page for kinit for more details.
--
/ Alexander Bokovoy
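The procedure the thread converges on (list the keytab, pick the user principal rather than the host/ principal, and pass that principal to kinit explicitly) as an added Ruby example. This is not Bob's ipa-import-users script and not FreeIPA project code; it assumes MIT Kerberos `klist -kt` output in the column layout shown above, the real MIT kinit options `-k -t KEYTAB [-c CCACHE] PRINCIPAL`, and a constructed keytab listing for the hypothetical realm EXAMPLE.TEST.

```ruby
#!/usr/bin/env ruby
# Added example (not from the thread): choose the right principal from a
# keytab and build the kinit call Alexander recommends, instead of relying
# on the host/<fqdn> default that `kinit -k` picks when no principal is given.
require 'open3'
require 'shellwords'

# Constructed `klist -kt` output for the hypothetical realm EXAMPLE.TEST,
# shaped like the ipa004.keytab listing in the thread (host keys plus a
# user principal). Not captured from a real system.
SAMPLE_KLIST_OUTPUT = <<~KLIST
  Keytab name: FILE:ipa004.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     4 31/05/15 10:55:37 useradder@EXAMPLE.TEST
     4 31/05/15 10:55:37 useradder@EXAMPLE.TEST
     4 31/05/15 10:55:37 useradder@EXAMPLE.TEST
     4 31/05/15 10:55:37 useradder@EXAMPLE.TEST
KLIST

# Constructed listing of a keytab that holds only host keys: the failure
# case where no user principal is available at all.
HOST_ONLY_KLIST_OUTPUT = <<~KLIST
  Keytab name: FILE:host.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
     2 18/05/15 14:23:24 host/ipa004.example.test@EXAMPLE.TEST
KLIST

# Parse `klist -kt` text into [{kvno:, timestamp:, principal:}, ...].
# The "Keytab name:" line, the column header and the dashed rule are skipped.
def parse_klist_kt(output)
  output.each_line.map do |line|
    m = line.match(/\A\s*(\d+)\s+(\S+\s+\S+)\s+(\S+@\S+)\s*\z/)
    m && { kvno: m[1].to_i, timestamp: m[2], principal: m[3] }
  end.compact
end

# Return the first user principal in the keytab, or nil if there is none.
# Service principals (host/fqdn@REALM, HTTP/fqdn@REALM) contain a '/' in
# the name part; a host principal has no right to add IPA users, so it is
# never what an import script wants to authenticate as.
def select_user_principal(entries)
  entries.map { |e| e[:principal] }.uniq
         .find { |p| !p.split('@', 2).first.include?('/') }
end

# Build the argv for `kinit -k -t KEYTAB [-c CCACHE] PRINCIPAL`. Refusing a
# nil principal is the whole point: without one, kinit -k tries host/<fqdn>,
# which either fails with "Keytab contains no suitable keys" or yields a
# host TGT that later fails with "Insufficient access" on user-add.
def kinit_command(keytab, principal, ccache: nil)
  if principal.nil? || principal.empty?
    raise ArgumentError, "no user principal in #{keytab}; kinit -k would " \
                         'default to host/<fqdn> instead'
  end
  cmd = ['kinit', '-k', '-t', keytab]
  cmd += ['-c', ccache] if ccache
  cmd << principal
end

# Live path: needs MIT Kerberos tools installed. Returns the principal the
# TGT was obtained for; raises on any failure.
def kinit_from_keytab(keytab, ccache: nil)
  listing, status = Open3.capture2('klist', '-kt', keytab)
  raise "klist -kt #{keytab} failed" unless status.success?
  principal = select_user_principal(parse_klist_kt(listing))
  cmd = kinit_command(keytab, principal, ccache: ccache)
  out, status = Open3.capture2e(*cmd)
  raise "#{cmd.shelljoin} failed: #{out}" unless status.success?
  principal
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    # Offline demonstration on the constructed listing only.
    principal = select_user_principal(parse_klist_kt(SAMPLE_KLIST_OUTPUT))
    puts "would run: #{kinit_command('ipa004.keytab', principal).shelljoin}"
  else
    puts "obtained TGT for #{kinit_from_keytab(ARGV[0])}"
  end
end
```

Run without arguments to see the command that would be issued for the constructed listing; run with a keytab path on a host that has klist and kinit to actually obtain the ticket. Passing `-c` with a private cache path keeps the script's user TGT from overwriting whatever ticket the invoking shell already holds.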

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project