On Fri, 08 Jan 2016, bahan w wrote:
Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do:

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch:
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn server> -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password:
###
ipa-getkeytab -s <fqdn ipa server> -p test001 -k /etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in:
/etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn server> -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work, with the following
result:
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question:
When I create the keytab with ipa-getkeytab, how can I also set the password in
the LDAP?
May I use ldappasswd?

When you use ipa-getkeytab, it only changes the Kerberos keys, which are
a separate attribute from userPassword.

When you run kpasswd or 'ipa passwd', those update all password
attributes, thanks to a special IPA password plugin that synchronizes the
userPassword value with all the other attributes.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
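Added example, not part of the thread above and not FreeIPA or MIT krb5 code: a small Python builder and parser for the MIT keytab file format (version 0x0502), to inspect what ipa-getkeytab actually writes. A keytab entry carries only the principal, a timestamp, the kvno, the enctype and the derived key bytes; there is no password hash in it, which is consistent with the reply: generating a keytab touches the Kerberos keys and leaves userPassword alone. The principal test001@MYREALM is taken from the post; the timestamp and key bytes are constructed sample data (not real string-to-key output), and the enctype numbers are the standard RFC 3961/3962/4757 values.

```python
"""Build and parse an MIT-format keytab (file format version 0x0502).

Entry layout (all integers big-endian): int32 size, uint16 ncomponents,
counted realm, counted component..., uint32 name_type, uint32 timestamp,
uint8 vno8, uint16 enctype, counted key, optional uint32 vno32.
A counted_octet_string is a uint16 length followed by that many bytes.
"""
import struct

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1

# Enctype numbers used for readable output (RFC 3962 AES, RFC 4757 RC4).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(data: bytes) -> bytes:
    """Encode a counted_octet_string."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def build_keytab(entries):
    """entries: dicts with principal ("comp/comp@REALM"), timestamp, kvno,
    enctype and key (raw key bytes). Returns the keytab file contents."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])  # 32-bit kvno trailer (kvno may exceed 255)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of entry dicts; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 keytab: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key": key,
        })
        pos = end
    return entries


def keytab_contains(data: bytes, secret: bytes) -> bool:
    """True if the raw secret (e.g. a password) appears anywhere in the keytab."""
    return secret in data


# Constructed sample: plausible contents of test001.headless.keytab after
# ipa-getkeytab -P. Key bytes and timestamp are made up for this example.
SAMPLE_ENTRIES = [
    {"principal": "test001@MYREALM", "timestamp": 1452211200, "kvno": 2,
     "enctype": 18, "key": bytes(range(32))},
    {"principal": "test001@MYREALM", "timestamp": 1452211200, "kvno": 2,
     "enctype": 17, "key": bytes(range(16))},
]

if __name__ == "__main__":
    kt = build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(kt):
        print("%-18s kvno=%d %-24s keylen=%d"
              % (e["principal"], e["kvno"], e["enctype_name"], len(e["key"])))
    print("password bytes present:", keytab_contains(kt, b"pwd003pwd003"))
```

On a real file, compare the output with `klist -kt /etc/security/keytabs/test001.headless.keytab`: the kvno column must match the key version the KDC currently holds for the principal, and it increases every time ipa-getkeytab regenerates the principal's keys, so an older copy of the keytab stops working after a fresh run even though the LDAP userPassword is unaffected either way.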