On Fri, 2016-01-08 at 15:49 +0100, bahan w wrote: > Re. > > Thank you for your answer, I forgot to re-add Freeipa-users mailing list. > > So I cannot modify the userPassword only and when I generate a keytab with > ipa-getkeytab it doesn't update the userPassword. > Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it > solved in a newer version of IPA ?
Hi Bahan, this is a behavior of the older getkeytab control, that is in used in RHEL6 (ipa 3.x versions). Due to the way this operation was built we do not get a clear text password on the server so we can't generate userPassword Hashes. In ipa4.x a better control has been introduced and userPassword is also updated (as well as password policies are enforced) when a user uses ipa-getkeytab. On older server what you can do to keep using a password as well as a keytab is to first set the password with kpasswd and the use ipa-getkeytab with the same password to store a keytab. This should leave things in sync IIRC. HTH, Simo. > Best regards. > > Bahan > > On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy <[email protected]> > wrote: > > > On Fri, 08 Jan 2016, bahan w wrote: > > > >> Hello Alexander. > >> > >> Thank you for your answer. > >> > > Please don't ask in private, use freeipa-users@ mailing list. > > > > Is there a way to modify the field userPassword only ? > >> Do you know if ldappasswd modify something else ? > >> > > There is no way to modify userPassword attribute only. When you are > > modifying userPassword attribute in FreeIPA, IPA's password plugin will > > update all other password attributes, if there are any. > > > > -- > > / Alexander Bokovoy > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
