On 09/23/2015 04:32 PM, bahan w wrote:
> Hello !
>
> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
> user3
>
> I created this user with the command ipa user-add without specifying any
> password.
> Then I performed an ipa-getkeytab command with the -P option to have a
> keytab and a password.
>
> When I check the ldap server with the following command, I cannot find any
> "userpassword" field for this user.
> ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>
>
> ###
> # user3, users, accounts, myrealm
> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
> displayName: user3 user3
> cn: user3 user3
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> sn: user3
> gecos: user3 user3
> homeDirectory: /home/user3
> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
> krbPrincipalName: user3@MYREALM
> givenName: user3
> uid: user3
> initials: uu
> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
> uidNumber: <UIDUSER3>
> gidNumber: <GIDUSER3>
> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
> krbLastPwdChange: 20150923134438Z
> krbPrincipalKey:: <BLABLABLA>
> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
> krbLastSuccessfulAuth: 20150923120752Z
> krbLastFailedAuth: 20150923132257Z
> krbLoginFailedCount: 1
> ###
>
> Then, with an admin ticket, I performed an ipa passwd user3 and I set a one
> time password.
> Then I connected with user3 and he was able to change his one time password
> into something else.
> And when I retried the ldapsearch command, the field userpassword was there.
> But the keytab is not working anymore.
>
> So here is my question:
> How can I generate a user with a keytab, a password and the userpassword
> field in the ldap?

I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys and the user password. So if you change the password, the existing keytab is invalidated. If you get a keytab, the password is invalidated as a random key is generated.

> The ipa-getkeytab -P option allows me to have both keytab and the password,
> but as the field userpassword is missing in the ldap, some other tools
> using ldapbackend authentication do not work for this user.

I assume this is not expected to work this way, but please let me CC Simo here, if there is a problem in processing the -P option.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
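An added example, not code from the thread or from FreeIPA: a small Python script that parses the LDIF that ldapsearch prints and reports which credential paths a FreeIPA user entry supports. The point it makes concrete is the one in the reply above: an account provisioned through ipa-getkeytab has a krbPrincipalKey but no userPassword, so Kerberos works while anything that authenticates with an LDAP simple bind fails. The sample entry is constructed from the one quoted above with the poster's placeholders kept; the script runs offline and needs no IPA server.

```python
"""Audit FreeIPA user entries (ldapsearch LDIF) for their credential state."""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # lowercase attribute name -> list of values

# Constructed sample: the entry quoted in the thread, trimmed, placeholders kept as posted.
SAMPLE_LDIF = """\
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
cn: user3 user3
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: user3
homeDirectory: /home/user3
krbPrincipalName: user3@MYREALM
uid: user3
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: <BLABLABLA>
krbLastSuccessfulAuth: 20150923120752Z
krbLastFailedAuth: 20150923132257Z
krbLoginFailedCount: 1
"""

LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch output into entries.

    Handles '#' comments, folded continuation lines (a leading space joins the
    line to the previous one) and the 'attr:: value' form, whose value is
    base64 and is kept here as the encoded text. Attribute names are lowercased
    because LDAP treats them case-insensitively. Non-LDIF status lines that
    'ldapsearch -v' prints are skipped, and only blocks with a dn count as entries.
    """
    entries: List[Entry] = []
    current: Entry = {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines() + [""]:  # trailing "" flushes the last block
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        name, _sep, value = m.groups()
        current.setdefault(name.lower(), []).append(value)
    return entries


def audit_credentials(entry: Entry) -> Dict[str, object]:
    """Report which authentication paths an entry supports and why one may fail.

    FreeIPA keeps the Kerberos keys (krbPrincipalKey) and the LDAP password
    (userPassword) in step: setting one resets the other. An entry with only a
    Kerberos key can kinit but cannot satisfy an LDAP simple bind.
    """
    has_krb_key = "krbprincipalkey" in entry
    has_userpassword = "userpassword" in entry
    findings: List[str] = []
    if has_krb_key and not has_userpassword:
        findings.append("Kerberos key present but no userPassword: LDAP simple bind will fail")
    elif has_userpassword and not has_krb_key:
        findings.append("userPassword present but no Kerberos key: keytab/kinit will fail")
    elif not has_krb_key and not has_userpassword:
        findings.append("no credentials set on this entry")
    failed = int(entry.get("krbloginfailedcount", ["0"])[0])
    if failed:
        findings.append(f"krbLoginFailedCount={failed} (consecutive failed Kerberos logins)")
    return {
        "dn": entry["dn"][0],
        "kerberos_key": has_krb_key,
        "ldap_bind": has_userpassword,
        "last_pwd_change": entry.get("krblastpwdchange", [None])[0],
        "findings": findings,
    }


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        report = audit_credentials(e)
        print(report["dn"], "last password change:", report["last_pwd_change"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against real output, feed it the LDIF from `ldapsearch ... '(objectClass=krbprincipalaux)' userPassword krbPrincipalKey krbLastPwdChange krbLoginFailedCount` (Directory Manager or an equivalently privileged bind is needed to read userPassword and krbPrincipalKey); every entry flagged "LDAP simple bind will fail" is an account that an LDAP-backend tool will reject even though kinit succeeds.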