Re: [Freeipa-users] User, keytab, password and ldap
On 24/09/15 03:40, Martin Kosek wrote:
> On 09/23/2015 04:32 PM, bahan w wrote:
>> Hello !
>>
>> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
>> user3.
>>
>> I created this user with the command ipa user-add without specifying any
>> password.
>> Then I performed an ipa-getkeytab command with the -P option to have a
>> keytab and a password.
>>
>> When I check the ldap server with the following command, I cannot find any
>> "userpassword" field for this user.
>> ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p
>>
>> ###
>> # user3, users, accounts, myrealm
>> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
>> displayName: user3 user3
>> cn: user3 user3
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>> loginShell: /bin/sh
>> sn: user3
>> gecos: user3 user3
>> homeDirectory: /home/user3
>> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
>> krbPrincipalName: user3@MYREALM
>> givenName: user3
>> uid: user3
>> initials: uu
>> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
>> uidNumber:
>> gidNumber:
>> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
>> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
>> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
>> krbLastPwdChange: 20150923134438Z
>> krbPrincipalKey::
>> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
>> krbLastSuccessfulAuth: 20150923120752Z
>> krbLastFailedAuth: 20150923132257Z
>> krbLoginFailedCount: 1
>> ###
>>
>> Then, with an admin ticket, I performed an ipa passwd user3 and I set a
>> one-time password.
>> Then I connected with user3 and he was able to change his one-time password
>> into something else.
>> And when I retried the ldapsearch command, the field userpassword was there.
>> But the keytab is not working anymore.
>>
>> So here is my question:
>> How can I generate a user with a keytab, a password and the userpassword
>> field in the ldap?
>
> I do not think you can do that - by design. FreeIPA synchronizes Kerberos
> keys and the user password. So if you change the password, the existing
> keytab is invalidated. If you get a keytab, the password is invalidated as a
> random key is generated.
>
>> The ipa-getkeytab -P option allows me to have both keytab and the password,
>> but as the field userpassword is missing in the ldap, some other tools
>> using ldapbackend authentication do not work for this user.
>
> I assume this is not expected to work this way, but please let me CC Simo
> here, if there is a problem in processing the -P option.

userPassword should be generated when using ipa-getkeytab -P; if it is not,
please file a bug.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] User, keytab, password and ldap
Adding back freeipa-users.

As for the -P option, I assume all it does is that it does not use a random
key when generating the keytab but rather the specified password. I do not
know, however, if this non-random password can be used for normal LDAP BINDs
and thus should also be added to the userPassword attribute. I will also wait
for Simo's advice, and then a ticket can be filed if this is really a bug.

On 09/24/2015 10:44 AM, bahan w wrote:
> Thank you for your answer Martin.
> I am very interested in the answer from Simo.
> Because the ipa-getkeytab has this option -P specifically to have both a
> keytab and a password, so it would make sense that this command should
> also update the ldap for the user by adding this field userPassword, no?
>
> Best regards.
>
> Bahan
>
> On Thu, Sep 24, 2015 at 9:40 AM, Martin Kosek wrote:
>
>> On 09/23/2015 04:32 PM, bahan w wrote:
>>> Hello !
>>>
>>> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
>>> user3.
>>>
>>> I created this user with the command ipa user-add without specifying any
>>> password.
>>> Then I performed an ipa-getkeytab command with the -P option to have a
>>> keytab and a password.
>>>
>>> When I check the ldap server with the following command, I cannot find
>>> any "userpassword" field for this user.
>>> ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p
>>>
>>> ###
>>> # user3, users, accounts, myrealm
>>> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
>>> displayName: user3 user3
>>> cn: user3 user3
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> objectClass: mepOriginEntry
>>> loginShell: /bin/sh
>>> sn: user3
>>> gecos: user3 user3
>>> homeDirectory: /home/user3
>>> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
>>> krbPrincipalName: user3@MYREALM
>>> givenName: user3
>>> uid: user3
>>> initials: uu
>>> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
>>> uidNumber:
>>> gidNumber:
>>> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
>>> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
>>> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
>>> krbLastPwdChange: 20150923134438Z
>>> krbPrincipalKey::
>>> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
>>> krbLastSuccessfulAuth: 20150923120752Z
>>> krbLastFailedAuth: 20150923132257Z
>>> krbLoginFailedCount: 1
>>> ###
>>>
>>> Then, with an admin ticket, I performed an ipa passwd user3 and I set a
>>> one-time password.
>>> Then I connected with user3 and he was able to change his one-time
>>> password into something else.
>>> And when I retried the ldapsearch command, the field userpassword was
>>> there.
>>> But the keytab is not working anymore.
>>>
>>> So here is my question:
>>> How can I generate a user with a keytab, a password and the userpassword
>>> field in the ldap?
>>
>> I do not think you can do that - by design. FreeIPA synchronizes Kerberos
>> keys and the user password. So if you change the password, the existing
>> keytab is invalidated. If you get a keytab, the password is invalidated as
>> a random key is generated.
>>
>>> The ipa-getkeytab -P option allows me to have both keytab and the
>>> password, but as the field userpassword is missing in the ldap, some
>>> other tools using ldapbackend authentication do not work for this user.
>>
>> I assume this is not expected to work this way, but please let me CC Simo
>> here, if there is a problem in processing the -P option.
>>
>
Re: [Freeipa-users] User, keytab, password and ldap
On 09/23/2015 04:32 PM, bahan w wrote:
> Hello !
>
> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
> user3.
>
> I created this user with the command ipa user-add without specifying any
> password.
> Then I performed an ipa-getkeytab command with the -P option to have a
> keytab and a password.
>
> When I check the ldap server with the following command, I cannot find any
> "userpassword" field for this user.
> ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p
>
> ###
> # user3, users, accounts, myrealm
> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
> displayName: user3 user3
> cn: user3 user3
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> sn: user3
> gecos: user3 user3
> homeDirectory: /home/user3
> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
> krbPrincipalName: user3@MYREALM
> givenName: user3
> uid: user3
> initials: uu
> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
> uidNumber:
> gidNumber:
> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
> krbLastPwdChange: 20150923134438Z
> krbPrincipalKey::
> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
> krbLastSuccessfulAuth: 20150923120752Z
> krbLastFailedAuth: 20150923132257Z
> krbLoginFailedCount: 1
> ###
>
> Then, with an admin ticket, I performed an ipa passwd user3 and I set a
> one-time password.
> Then I connected with user3 and he was able to change his one-time password
> into something else.
> And when I retried the ldapsearch command, the field userpassword was there.
> But the keytab is not working anymore.
>
> So here is my question:
> How can I generate a user with a keytab, a password and the userpassword
> field in the ldap?

I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys
and the user password. So if you change the password, the existing keytab is
invalidated. If you get a keytab, the password is invalidated as a random key
is generated.

> The ipa-getkeytab -P option allows me to have both keytab and the password,
> but as the field userpassword is missing in the ldap, some other tools
> using ldapbackend authentication do not work for this user.

I assume this is not expected to work this way, but please let me CC Simo here,
if there is a problem in processing the -P option.
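The situation Martin describes above (an entry that carries Kerberos key material but no userPassword, so the keytab works while LDAP-backend tools that need userPassword do not) can be checked offline from the ldapsearch output. The script below is an added example for this thread, not code from FreeIPA or from anyone on the list: it parses LDIF as printed by ldapsearch (comments, folded continuation lines, `::` base64 values, attributes with empty values) and reports which credential stores an entry holds. Both entries are constructed samples trimmed from the output in the thread; the userPassword value in the second one is made up to stand in for what `ipa passwd` would write, and the function names `parse_ldif` and `credential_report` are my own.

```python
"""Inspect an LDIF entry (as printed by ldapsearch) for its credential stores.

Added example for this thread; not FreeIPA code. It answers the question the
poster was asking the directory: does the entry carry a userPassword (what
LDAP simple binds are checked against), Kerberos key material
(krbPrincipalKey, what a keytab from ipa-getkeytab has to match), or both?
"""
import base64

# Constructed sample: a trimmed copy of the thread's ldapsearch output right
# after ipa-getkeytab. krbPrincipalKey is present but its value is elided, as
# in the post. The policy reference is folded over two lines to exercise LDIF
# continuation handling.
ENTRY_AFTER_GETKEYTAB = """\
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
uid: user3
krbPrincipalName: user3@MYREALM
krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,
 cn=kerberos,dc=myrealm
krbLastPwdChange: 20150923134438Z
krbPrincipalKey::
krbLoginFailedCount: 1
"""

# Constructed sample of the same entry after 'ipa passwd' and the user's own
# password change: userPassword now exists (the value is a made-up base64
# string, "{SSHA}sample", not a real hash).
ENTRY_AFTER_PASSWD = ENTRY_AFTER_GETKEYTAB + "userPassword:: e1NTSEF9c2FtcGxl\n"


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercased: [values]}.

    Comment ('#') and blank lines are skipped, a line starting with a single
    space continues the previous line, and 'attr:: value' marks a base64 value
    (returned as bytes; plain values stay str). An attribute with an empty
    value is kept so that its presence can still be checked.
    """
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entry = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore it
        name = name.strip().lower()
        if value.startswith(":"):
            parsed = base64.b64decode(value[1:].strip())
        else:
            parsed = value.strip()
        entry.setdefault(name, []).append(parsed)
    return entry


def credential_report(entry):
    """Summarise which credential stores a parsed entry carries.

    'userpassword' is what LDAP simple binds are checked against; the presence
    of 'krbprincipalkey' means the KDC holds keys for the principal, which is
    what a keytab obtained with ipa-getkeytab must match.
    """
    return {
        "dn": entry.get("dn", [None])[0],
        "has_userpassword": bool(entry.get("userpassword")),
        "has_krb_keys": "krbprincipalkey" in entry,
        "krb_last_pwd_change": entry.get("krblastpwdchange", [None])[0],
    }


if __name__ == "__main__":
    for label, text in (("after ipa-getkeytab", ENTRY_AFTER_GETKEYTAB),
                        ("after ipa passwd", ENTRY_AFTER_PASSWD)):
        print(label, credential_report(parse_ldif(text)))
```

Run against a real export, the first entry reports `has_krb_keys` true and `has_userpassword` false, which is exactly the state the poster saw; comparing `krb_last_pwd_change` across the two states also shows when the keys were last rewritten, which is useful when working out which of the two operations (`ipa-getkeytab` or `ipa passwd`) invalidated the other.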
[Freeipa-users] User, keytab, password and ldap
Hello !

I'm using IPA 3.0.0 and I have a problem with one of the users I created:
user3.

I created this user with the command ipa user-add without specifying any
password.
Then I performed an ipa-getkeytab command with the -P option to have a
keytab and a password.

When I check the ldap server with the following command, I cannot find any
"userpassword" field for this user.
ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p

###
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
cn: user3 user3
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: user3
gecos: user3 user3
homeDirectory: /home/user3
krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
krbPrincipalName: user3@MYREALM
givenName: user3
uid: user3
initials: uu
ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
uidNumber:
gidNumber:
memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
krbLastPwdChange: 20150923134438Z
krbPrincipalKey::
krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
krbLastSuccessfulAuth: 20150923120752Z
krbLastFailedAuth: 20150923132257Z
krbLoginFailedCount: 1
###

Then, with an admin ticket, I performed an ipa passwd user3 and I set a
one-time password.
Then I connected with user3 and he was able to change his one-time password
into something else.
And when I retried the ldapsearch command, the field userpassword was there.
But the keytab is not working anymore.

So here is my question:
How can I generate a user with a keytab, a password and the userpassword
field in the ldap?

The ipa-getkeytab -P option allows me to have both keytab and the password,
but as the field userpassword is missing in the ldap, some other tools
using ldapbackend authentication do not work for this user.

Best regards.

Bahan