Hello! I am sending you this mail because I have a problem with a user who needs a keytab and a password. I already sent a mail some time ago, and the answer was to use the -P option of the ipa-getkeytab command.
I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I cannot move to earlier versions unfortunately. Here is what I do:

I create the user test001

###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001

###
ipa passwd test001 pwd001
###

Then I set a permanent password

###
kinit test001
Password for test001@MYREALM:
Password expired. You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch:

###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn server> -p 389 -W uid=test001
Enter LDAP Password:
###

It worked. Then I generated a keytab for this user with a password:

###
ipa-getkeytab -s <fqdn ipa server> -p test001 -k /etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in: /etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch

###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn server> -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work, with the following result:

###
Enter LDAP Password: pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question: when I create the keytab with ipa-getkeytab, how can I also set the password in the LDAP? May I use ldappasswd?

Best regards.
Bahan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project