On 24/09/15 03:40, Martin Kosek wrote:
On 09/23/2015 04:32 PM, bahan w wrote:
I'm using IPA 3.0.0 and I have a problem with one of the users I created.
I created this user with the command ipa user-add without specifying any
Then I performed an ipa-getkeytab command with the -P option to have a
keytab and a password.
When I check the ldap server with the following command, I cannot find any
"userpassword" field for this user.
ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>
# user3, users, accounts, myrealm
displayName: user3 user3
cn: user3 user3
gecos: user3 user3
Then, with an admin ticket, I performed an ipa passwd user3 and I set a one
Then I connected with user3 and he was able to change his one-time password
into something else.
And when I retried the ldapsearch command, the field userpassword was there.
But the keytab is not working anymore.
So here is my question:
How can I generate a user with a keytab, a password and the userpassword
field in the ldap?
I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys
and the user password. So if you change the password, the existing keytab is
invalidated. If you get a keytab, the password is invalidated as a random key is
The ipa-getkeytab -P option allows me to have both the keytab and the password,
but as the field userpassword is missing in the ldap, some other tools
using ldapbackend authentication do not work for this user.
I assume this is not expected to work this way, but please let me CC Simo here,
if there is a problem in processing the -P option.
userPassword should be generated when using ipa-getkeytab -P; if it is
not, please file a bug.
Simo Sorce * Red Hat, Inc * New York
Manage your subscription for the Freeipa-users mailing list: