Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Re.

Thank you for your answer, I forgot to re-add Freeipa-users mailing list.

So I cannot modify the userPassword only and when I generate a keytab with
ipa-getkeytab it doesn't update the userPassword.
Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
solved in a newer version of IPA ?

Best regards.

Bahan

On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy 
wrote:

> On Fri, 08 Jan 2016, bahan w wrote:
>
>> Hello Alexander.
>>
>> Thank you for your answer.
>>
> Please don't ask in private, use freeipa-users@ mailing list.
>
> >> Is there a way to modify the field userPassword only ?
>> Do you know if ldappasswd modify something else ?
>>
> There is no way to modify userPassword attribute only. When you are
> modifying userPassword attribute in FreeIPA, IPA's password plugin will
> update all other password attributes, if there are any.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, bahan w wrote:

Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do:

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s  -p test001 -k
/etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in:
/etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the
ldap ?
May I use ldappasswd ?

When you are using ipa-getkeytab it only changes kerberos keys. It
is a separate attribute from userPassword.

When you run kpasswd or 'ipa passwd', those will cause updating all
password attributes thanks to special IPA password plugin that
synchronizes userPassword value with all other attributes.

--
/ Alexander Bokovoy



[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do:

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s  -p test001 -k
/etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in:
/etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the
ldap ?
May I use ldappasswd ?

Best regards.

Bahan

Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread Simo Sorce
On Fri, 2016-01-08 at 15:49 +0100, bahan w wrote:
> Re.
> 
> Thank you for your answer, I forgot to re-add Freeipa-users mailing list.
> 
> So I cannot modify the userPassword only and when I generate a keytab with
> ipa-getkeytab it doesn't update the userPassword.
> Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
> solved in a newer version of IPA ?

Hi Bahan,
this is a behavior of the older getkeytab control that is used in
RHEL6 (ipa 3.x versions). Due to the way this operation was built we do
not get a clear text password on the server, so we can't generate
userPassword hashes.

In ipa4.x a better control has been introduced and userPassword is also
updated (as well as password policies are enforced) when a user uses
ipa-getkeytab.

On older servers what you can do to keep using a password as well as a
keytab is to first set the password with kpasswd and then use
ipa-getkeytab with the same password to store a keytab. This should
leave things in sync IIRC.

HTH,
Simo.

> Best regards.
> 
> Bahan
> 
> On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy 
> wrote:
> 
> > On Fri, 08 Jan 2016, bahan w wrote:
> >
> >> Hello Alexander.
> >>
> >> Thank you for your answer.
> >>
> > Please don't ask in private, use freeipa-users@ mailing list.
> >
> > >> Is there a way to modify the field userPassword only ?
> >> Do you know if ldappasswd modify something else ?
> >>
> > There is no way to modify userPassword attribute only. When you are
> > modifying userPassword attribute in FreeIPA, IPA's password plugin will
> > update all other password attributes, if there are any.
> >
> > --
> > / Alexander Bokovoy
> >


-- 
Simo Sorce * Red Hat, Inc * New York
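The following is an added example, not code from this thread or from FreeIPA. It models the two password stores Alexander and Simo describe (the {SSHA} userPassword checked by an LDAP simple bind, and the Kerberos long-term key checked by the KDC) to show why the old IPA 3.x getkeytab control leaves userPassword stale, and why the workaround of running kpasswd first and then ipa-getkeytab -P with the same password ends up in sync. Assumptions: the entry layout and the method names are illustrative, and the string-to-key helper is a simplified stand-in for the RFC 3962 aes256 derivation (PBKDF2-HMAC-SHA1, 4096 iterations, followed by an AES-based DK() step that is omitted here); the default Kerberos salt of realm plus principal name components is real, and it is what makes client-side and KDC-side derivation of the same password agree.

```python
"""Added example (not FreeIPA code): why `ipa-getkeytab -P` on IPA 3.x does
not touch userPassword, and why "kpasswd, then ipa-getkeytab -P with the same
password" keeps both attributes in sync.

The SSHA format and the simplified string-to-key below are illustrative
stand-ins; see the lead-in for what is simplified."""
import base64
import hashlib
import os

REALM = "MYREALM"            # assumed realm, matching the thread's test001@MYREALM
PBKDF2_ITERATIONS = 4096     # RFC 3962 default iteration count
AES256_KEY_LEN = 32


def ssha_password_hash(password, salt=None):
    """389-ds style {SSHA} value as stored in userPassword (constructed helper)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_password_verify(stored, password):
    """What an LDAP simple bind does with the stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def krb_string_to_key(password, principal, realm=REALM):
    """Simplified aes256 string-to-key (PBKDF2 part of RFC 3962, DK step omitted).

    The default Kerberos salt is the realm followed by the principal name
    components, e.g. b'MYREALMtest001'. The client (ipa-getkeytab -P) and the
    KDC (kpasswd) both derive this way, so same password + same salt gives
    the same long-term key."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=AES256_KEY_LEN)


class IpaUserEntry:
    """The two password-bearing attributes of a FreeIPA user entry (model)."""

    def __init__(self, uid):
        self.uid = uid
        self.user_password = None   # userPassword: {SSHA}, checked by LDAP simple bind
        self.krb_key = None         # krbPrincipalKey: long-term key, checked by the KDC

    def kpasswd(self, new_password):
        """kpasswd / 'ipa passwd' path: the server sees the clear text and the
        IPA password plugin rewrites every password attribute from it."""
        self.user_password = ssha_password_hash(new_password)
        self.krb_key = krb_string_to_key(new_password, self.uid)

    def getkeytab_old_control(self, password):
        """ipa-getkeytab -P with the IPA 3.x control: the client derives the
        keys locally and uploads only the keys, so the server never has the
        clear text and cannot produce a userPassword hash."""
        keytab_key = krb_string_to_key(password, self.uid)  # done on the client
        self.krb_key = keytab_key                           # only this is replaced
        return keytab_key                                   # what lands in the keytab file

    def ldap_simple_bind(self, password):
        return self.user_password is not None and \
            ssha_password_verify(self.user_password, password)

    def kinit_with_keytab(self, keytab_key):
        return self.krb_key == keytab_key


def reproduce_thread():
    """The sequence from the original post; returns the observed results."""
    user = IpaUserEntry("test001")
    user.kpasswd("pwd002pwd002")           # password change forced by kinit goes via kpasswd
    keytab = user.getkeytab_old_control("pwd003pwd003")
    return {
        "bind_with_pwd003": user.ldap_simple_bind("pwd003pwd003"),  # Invalid credentials (49)
        "bind_with_pwd002": user.ldap_simple_bind("pwd002pwd002"),  # old hash still there
        "keytab_works": user.kinit_with_keytab(keytab),             # keys were replaced
    }


def workaround():
    """Simo's advice: kpasswd first, then ipa-getkeytab -P with the same password."""
    user = IpaUserEntry("test001")
    user.kpasswd("pwd003pwd003")
    keytab = user.getkeytab_old_control("pwd003pwd003")
    return {
        "bind_with_pwd003": user.ldap_simple_bind("pwd003pwd003"),
        "keytab_works": user.kinit_with_keytab(keytab),
        "keys_identical": keytab == krb_string_to_key("pwd003pwd003", "test001"),
    }


if __name__ == "__main__":
    print("thread:", reproduce_thread())
    print("workaround:", workaround())
```

The model also makes the ordering in the workaround matter: running ipa-getkeytab -P first and kpasswd second would work too, but only because the plugin rewrites the Kerberos key from the same clear text, which would invalidate a keytab fetched with any other password. On an IPA 4.x server the newer getkeytab control sends the password to the server, so the plugin path applies to both commands and this bookkeeping is no longer needed.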
