On 24/09/15 03:40, Martin Kosek wrote:
On 09/23/2015 04:32 PM, bahan w wrote:
Hello !

I'm using IPA 3.0.0 and I have a problem with one of the user I created.

I created this user with the command ipa user-add without specifying any
Then I performed an ipa-getkeytab command with the -P option to have a
keytab and a password.

When I check the ldap server with the following command, I cannot find any
"userpassword" field for this user.
ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>

# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
cn: user3 user3
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: user3
gecos: user3 user3
homeDirectory: /home/user3
krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
krbPrincipalName: user3@MYREALM
givenName: user3
uid: user3
initials: uu
ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
uidNumber: <UIDUSER3>
gidNumber: <GIDUSER3>
memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: <BLABLABLA>
krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
krbLastSuccessfulAuth: 20150923120752Z
krbLastFailedAuth: 20150923132257Z
krbLoginFailedCount: 1

Then, with an admin ticket, I performed an ipa passwd user3 and I set a one
time password.
Then I connected with user3 and he was able to change its one time password
into something else.
And when I retried the ldapsearch command, the field userpassword was there.
But the keytab is not working anymore.

So here is my question :
How can I generate a user with a keytab, a password and the userpassword
field in the ldap ?

I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys
and the user password. So if you change password, existing keytab is
invalidated. If you get a keytab, password is invalidated as random key is

The ipa-getkeytab -P option allows me to have both keytab and the password,
but as the field userpassword is missing in the ldap, some other tools
using ldapbackend authentication does not work for this user.

I assume this is not expected to work this way, but please let me CC Simo here,
if there is a problem in processing the -P option.

userPassword should be generated when using ipa-getkeytab -P, if it is not, please file a bug.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to