Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd
Re.

Thank you for your answer, I forgot to re-add Freeipa-users mailing list.

So I cannot modify the userPassword only and when I generate a keytab with
ipa-getkeytab it doesn't update the userPassword.
Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
solved in a newer version of IPA ?

Best regards.

Bahan

On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, bahan w wrote:
>
>> Hello Alexander.
>>
>> Thank you for your answer.
>>
> Please don't ask in private, use freeipa-users@ mailing list.
>
>> Is there a way to modify the field userPassword only ?
>> Do you know if ldappasswd modify something else ?
>>
> There is no way to modify userPassword attribute only. When you are
> modifying userPassword attribute in FreeIPA, IPA's password plugin will
> update all other password attributes, if there are any.
>
> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd
On Fri, 08 Jan 2016, bahan w wrote:
> Hello !
>
> I send you this mail, because I have a problem with a user who needs keytab
> and password.
> I already sent a mail some time ago, and the answer was to use the option -P
> of the ipa-getkeytab command.
> I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
> cannot move to earlier versions unfortunately.
>
> Here is what I do :
>
> I create the user test001
> ###
> ipa user-add --first=test --last=test test001
> ###
>
> Initiate an OTP for user test001
> ###
> ipa passwd test001 pwd001
> ###
>
> Then I set a permanent password
> ###
> kinit test001
> Password for test001@MYREALM:
> Password expired. You must change it now.
> Enter new password: pwd002pwd002
> Enter it again: pwd002pwd002
> ###
>
> Then I perform an ldapsearch :
> ###
> ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h -p 389 -W uid=test001
> Enter LDAP Password:
> ###
> It worked.
>
> Then I generated a keytab for this user with a password :
> ###
> ipa-getkeytab -s -p test001 -k /etc/security/keytabs/test001.headless.keytab -P
> New Principal Password: pwd003pwd003
> Verify Principal Password: pwd003pwd003
> Keytab successfully retrieved and stored in: /etc/security/keytabs/test001.headless.keytab
> ###
>
> Then I perform a new ldapsearch
> ###
> ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h -p 389 -W uid=test001
> Enter LDAP Password:
> ###
> When I enter the password pwd003pwd003, it does not work with the following
> result :
> ###
> Enter LDAP Password: pwd003pwd003
> ldap_bind: Invalid credentials (49)
> ###
> When I use the old password pwd002pwd002, it works.
>
> So my question :
> When I create the ipa-getkeytab, how can I also set the password in the ldap ?
> May I use ldappasswd ?

When you are using ipa-getkeytab it only changes kerberos keys. It is a
separate attribute from userPassword. When you run kpasswd or 'ipa passwd',
those will cause updating all password attributes thanks to special IPA
password plugin that synchronizes userPassword value with all other
attributes.
--
/ Alexander Bokovoy
[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd
Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option -P
of the ipa-getkeytab command.
I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do :

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired. You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h -p 389 -W uid=test001
Enter LDAP Password:
###
It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s -p test001 -k /etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in: /etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h -p 389 -W uid=test001
Enter LDAP Password:
###
When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password: pwd003pwd003
ldap_bind: Invalid credentials (49)
###
When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the ldap ?
May I use ldappasswd ?

Best regards.

Bahan
Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd
On Fri, 2016-01-08 at 15:49 +0100, bahan w wrote:
> Re.
>
> Thank you for your answer, I forgot to re-add Freeipa-users mailing list.
>
> So I cannot modify the userPassword only and when I generate a keytab with
> ipa-getkeytab it doesn't update the userPassword.
> Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
> solved in a newer version of IPA ?

Hi Bahan,
this is a behavior of the older getkeytab control, that is used in RHEL6
(ipa 3.x versions). Due to the way this operation was built we do not get a
clear text password on the server so we can't generate userPassword hashes.

In ipa4.x a better control has been introduced and userPassword is also
updated (as well as password policies are enforced) when a user uses
ipa-getkeytab.

On older servers what you can do to keep using a password as well as a
keytab is to first set the password with kpasswd and then use ipa-getkeytab
with the same password to store a keytab. This should leave things in sync
IIRC.

HTH,
Simo.

> Best regards.
>
> Bahan
>
> On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy wrote:
> > On Fri, 08 Jan 2016, bahan w wrote:
> >
> >> Hello Alexander.
> >>
> >> Thank you for your answer.
> >>
> > Please don't ask in private, use freeipa-users@ mailing list.
> >
> >> Is there a way to modify the field userPassword only ?
> >> Do you know if ldappasswd modify something else ?
> >>
> > There is no way to modify userPassword attribute only. When you are
> > modifying userPassword attribute in FreeIPA, IPA's password plugin will
> > update all other password attributes, if there are any.
> >
> > --
> > / Alexander Bokovoy
>

--
Simo Sorce * Red Hat, Inc * New York
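As an added example (not code from FreeIPA and not posted by anyone in this thread), the Python toy below models the behaviour Alexander and Simo describe: a user entry carries two separate credential stores, the LDAP userPassword hash and the Kerberos long-term key, and only the 'ipa passwd'/kpasswd path updates both, while a 3.x-style ipa-getkeytab -P rewrites the Kerberos key alone. That is exactly why Bahan's bind with pwd003pwd003 returned error 49 while pwd002pwd002 still worked, and why Simo's ordering (password first, then keytab with the same password) leaves the two in sync. The hash formats are assumptions chosen to resemble the real ones ({SSHA} as used by 389-ds for userPassword; PBKDF2-HMAC-SHA1 with 4096 iterations and salt REALM+principal, which is the first step of the RFC 3962 AES string-to-key, with the final AES DK() step left out); the server-side logic is a stand-in for the IPA password plugin, not the plugin itself.

```python
"""Toy model of a FreeIPA user's two credential stores (added example, not
FreeIPA code): LDAP userPassword and the Kerberos long-term key. Hash
formats are assumptions: {SSHA} for userPassword, and PBKDF2-HMAC-SHA1/4096
with salt REALM+user as a stand-in for the AES string-to-key."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

REALM = "MYREALM"  # constructed realm name, matching the thread


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in 389-ds {SSHA} notation: base64(sha1(pw+salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """LDAP simple-bind check: recompute the digest with the stored salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def krb_string_to_key(password: str, principal: str) -> bytes:
    """Password-derived Kerberos key. Default salt is the realm followed by
    the principal components (test001@MYREALM -> 'MYREALMtest001').
    Assumption: stops after the PBKDF2 step of the AES string-to-key."""
    user, realm = principal.split("@", 1)
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


@dataclass
class UserEntry:
    uid: str
    user_password: str = ""   # LDAP userPassword attribute
    krb_key: bytes = b""      # Kerberos long-term key (krbPrincipalKey)

    @property
    def principal(self) -> str:
        return f"{self.uid}@{REALM}"


def ipa_passwd(entry: UserEntry, new_password: str) -> None:
    """'ipa passwd' / kpasswd path: the password plugin sees the clear-text
    password and refreshes every password attribute from it."""
    entry.user_password = ssha_hash(new_password)
    entry.krb_key = krb_string_to_key(new_password, entry.principal)


def ipa_getkeytab_p(entry: UserEntry, new_password: str) -> bytes:
    """IPA 3.x 'ipa-getkeytab -P': the server only receives derived keys,
    never the clear text, so only the Kerberos key is replaced. The returned
    bytes stand in for the keytab file written on the client."""
    entry.krb_key = krb_string_to_key(new_password, entry.principal)
    return entry.krb_key


def ldap_bind(entry: UserEntry, password: str) -> bool:
    return ssha_verify(entry.user_password, password)


def kinit_with_password(entry: UserEntry, password: str) -> bool:
    derived = krb_string_to_key(password, entry.principal)
    return hmac.compare_digest(entry.krb_key, derived)


def kinit_with_keytab(entry: UserEntry, keytab: bytes) -> bool:
    return hmac.compare_digest(entry.krb_key, keytab)


def reproduce_thread() -> dict:
    """Bahan's sequence: permanent password pwd002pwd002, then a keytab with
    pwd003pwd003. Returns which credential checks succeed afterwards."""
    u = UserEntry("test001")
    ipa_passwd(u, "pwd002pwd002")
    keytab = ipa_getkeytab_p(u, "pwd003pwd003")
    return {
        "ldap_bind_new_pw": ldap_bind(u, "pwd003pwd003"),  # the error 49 case
        "ldap_bind_old_pw": ldap_bind(u, "pwd002pwd002"),  # still accepted
        "kinit_new_pw": kinit_with_password(u, "pwd003pwd003"),
        "kinit_keytab": kinit_with_keytab(u, keytab),
    }


def provision_in_sync(entry: UserEntry, password: str) -> bytes:
    """Simo's ordering for 3.x servers: set the password first (both stores
    updated), then fetch the keytab with the same password."""
    ipa_passwd(entry, password)
    return ipa_getkeytab_p(entry, password)


def credentials_in_sync(entry: UserEntry, keytab: bytes, password: str) -> bool:
    """Post-provisioning check: the password must work for both LDAP and
    Kerberos, and the keytab must match the current key."""
    return (ldap_bind(entry, password)
            and kinit_with_password(entry, password)
            and kinit_with_keytab(entry, keytab))


if __name__ == "__main__":
    print(reproduce_thread())
    u = UserEntry("test001")
    kt = provision_in_sync(u, "pwd004pwd004")
    print("in sync after workaround:", credentials_in_sync(u, kt, "pwd004pwd004"))
```

The useful part for anyone operating a 3.x server is the last check: after provisioning a service user that needs both credentials, verify both paths rather than only the one you just touched. On a real host the equivalent of credentials_in_sync is a kinit with the keytab (kinit -k -t /path/to/keytab test001) plus an ldapwhoami bind with the password; if one succeeds and the other fails, the two stores have diverged in the way this thread describes.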