[Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)

Robert Marcano robert at marcanoonline.com
Sun Nov 16 19:11:21 UTC 2008


On Fri, 2008-11-14 at 12:12 -0500, Simo Sorce wrote: 
> On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> > I am relatively new to kerberos, and as part of the installation of
> > freeipa, I am writing a script to be used by Samba for password changes.
> > I read about kadmin.local but the man pages says
> > 
> > "If the database is LDAP, kadmin.local need not be run on the KDC."
> > 
> > so I am unable to use it instead of kadmin that requires a password that
> > I do not understand very well how to supply. The first time I started the
> > kadmin service on a CentOS server, it said it was adding a few
> > principals with these two commands
> > 
> > 
> > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
> > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success
> 
> If you read freeipa documentation you will see that using kadmin or
> kadmin.local is discouraged if you do not know exactly what you are
> doing.

Umm, maybe the freeipa installer script must call "chkconfig --del
kadmin" and move it out of init.d; maybe I will not be the only one that
will miss that part of the documentation :-(, because just starting the
kadmin server will break the ipa installation

> 
> > This immediately disabled the usage of kpasswd (unable to find KDC
> > error) or kinit with an expired password
> 
> Yes you reset the secret and did not update the keytab file that
> ipa_kpasswd uses.
> 
> > how can I use the network version of kadmin in order to change a user
> > password? Which principal can I use with the right privileges:
> 
> At this stage you cannot use kadmind with Freeipa, you can use kpasswd,
> ipa-passwd, ldappasswd, and recently also ipa-getkeytab

kpasswd requires knowing the current password (cannot be used in a
samba password sync script)

ipa-passwd requires knowing the current password or using admin, and
when using admin the password is set as expired (cannot be used in a
samba password sync script either)

ldappasswd works... thanks (it needs some polishing to remove the
credentials from the command line)

/usr/lib64/mozldap/ldappasswd -D "cn=Directory Manager" -w [password] \
    -P /etc/dirsrv/slapd-[instance]/cert8.db -s [newpassword] \
    uid=test,cn=users,cn=accounts,dc=example,dc=com

I needed the script because the samba "ldap passwd sync" option is not
working on my setup. It says the password is changed, but it only
changes the samba password (no errors)

I added a little patch to freeipa in order to update sambaPwdLastSet on
the DS plugin code (ipa_pwd_extop.c), see attachment

> 
> I'd suggest you use freeipa-users at redhat.com if you have freeipa related
> questions.
> 
> Simo.
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-samba-pwd-last-set.patch
Type: text/x-patch
Size: 1051 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20081116/4349c06b/attachment.bin>
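The ldappasswd command in the message above passes both the Directory Manager password and the new password on the command line, where any local user can read them from the process list. As an added example, not code from this thread or from FreeIPA, here is a sync-hook wrapper that keeps both out of argv; it assumes the OpenLDAP ldappasswd binary (whose -y and -T options read secrets from files) rather than the mozldap one, GNU stat, and constructed paths and DNs.

```shell
#!/bin/sh
# Added example for a Samba password-sync hook; not from the thread or FreeIPA.
# Keeps both secrets off argv (visible to every local user via ps):
#  - bind password is read from a root-only file (-y; assumption: OpenLDAP
#    ldappasswd, not the mozldap tool used in the thread),
#  - new password arrives on stdin and is handed over via a 0600 temp file (-T).
# -y and -T use the file's complete contents, so write them without a trailing
# newline. Paths, URI and DNs below are assumptions for the example.
LDAPPASSWD=${LDAPPASSWD:-/usr/bin/ldappasswd}
LDAP_URI=${LDAP_URI:-ldaps://ipa.example.com}
DM_PW_FILE=${DM_PW_FILE:-/etc/samba/ipa-dm.pw}
BASE_DN=${BASE_DN:-cn=users,cn=accounts,dc=example,dc=com}

# Refuse a secret file that is group- or world-readable (GNU stat assumed).
secret_file_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Only a plain account name may be spliced into the DN (no ',', '=', spaces).
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
        *)                    return 0 ;;
    esac
}

# set_password USER  -- new password is the first line of stdin.
set_password() {
    user=$1
    valid_username "$user" || { echo "set_password: bad user name" >&2; return 2; }
    secret_file_ok "$DM_PW_FILE" || { echo "set_password: $DM_PW_FILE must be mode 0600" >&2; return 3; }
    tmp=$(mktemp) || return 4
    chmod 600 "$tmp"
    IFS= read -r newpw || true
    [ -n "$newpw" ] || { rm -f "$tmp"; return 5; }
    printf '%s' "$newpw" > "$tmp"
    "$LDAPPASSWD" -H "$LDAP_URI" -D "cn=Directory Manager" -y "$DM_PW_FILE" \
        -T "$tmp" "uid=$user,$BASE_DN"
    rc=$?
    rm -f "$tmp"          # the new password never appears in argv or on disk afterwards
    return $rc
}
```

Samba's passwd program setting can invoke this as `set_password %u` with the password fed through the passwd chat; the Directory Manager file must be created root-only and without a trailing newline.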

