[Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)

Simo Sorce ssorce at redhat.com
Sun Nov 16 21:58:36 UTC 2008


On Sun, 2008-11-16 at 14:41 -0430, Robert Marcano wrote:
> On Fri, 2008-11-14 at 12:12 -0500, Simo Sorce wrote: 
> > On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> > > I am relatively new to kerberos, and as part of the installation of
> > > freeipa, I am writing a script to be used by Samba for password changes.
> > > I read about kadmin.local but the man pages says
> > > 
> > > "If the database is LDAP, kadmin.local need not be run on the KDC."
> > > 
> > > so I am unable to use it instead of kadmin, which requires a password that
> > > I do not understand very well how to supply. The first time I started the
> > > kadmin service on a CentOS server, it said it was adding a few
> > > principals with these two commands
> > > 
> > > 
> > > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
> > > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success
> > 
> > If you read freeipa documentation you will see that using kadmin or
> > kadmin.local is discouraged if you do not know exactly what you are
> > doing.
> 
> Umm, maybe the freeipa installer script must call "chkconfig --del
> kadmin" and move it out of init.d; maybe I will not be the only one that
> will miss that part of the documentation :-(, because just starting the
> kadmin server will break the ipa installation
> 
> > 
> > > This immediately disabled the usage of kpasswd (unable to find KDC
> > > error) or kinit with a expired password
> > 
> > Yes you reset the secret and did not update the keytab file that
> > ipa_kpasswd uses.
> > 
> > > how can I use the network version of kadmin in order to change a user
> > > password? which principal can I use with the right privileges:
> > 
> > At this stage you cannot use kadmind with Freeipa, you can use kpasswd,
> > ipa-passwd, ldappasswd, and recently also ipa-getkeytab
> 
> kpasswd requires knowing the current password (cannot be used in a
> samba password sync script)

Yes, you have both the old and the new password, but you do not want to
use kpasswd for samba sync.

> ipa-passwd requires knowing the current password or using admin, and
> when using admin the password is set as expired (cannot be used for
> samba password sync either)

not the right tool either

> ldappasswd works... thanks (it needs some polishing to remove the
> credentials from the command line)
> 
> /usr/lib64/mozldap/ldappasswd -D "cn=Directory Manager" -w [password]
> -P /etc/dirsrv/slapd-[instance]/cert8.db -s [newpassword]
> uid=test,cn=users,cn=accounts,dc=example,dc=com

not ideal

> I needed the script because the samba "ldap passwd sync" option is not
> working on my setup. It says the password is changed, but it only
> changes the samba password (no errors)

You must use 'ldap passwd sync = only', and use freeipa 1.2 which now
also intercepts ldapmodify operations. If this does not work it is
something I'd like to investigate, as it would mean either a bug in samba
or freeipa.

To be able to perform a password change in freeipa you may want to use
Directory Manager or samba, or use a different admin user and add it to
the list of users that are permitted to change the password without
obeying password policies. The attribute is passSyncManagersDNs in the
ipa-pwd-extop plugin configuration entry (under cn=config) and contains
the DNs of users permitted to skip any password policy check, including
immediate expiration of passwords.

> I added a little patch to freeipa in order to update sambaPwdLastSet on
> the DS plugin code (ipa_pwd_extop.c), see attachment

Interesting, although we should probably better patch samba to use
freeipa's own fields; keeping multiple copies of the same data is always
a mess as they easily get out of sync.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
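The setup Simo describes above, put together as an added example (this is not code from the thread or from the FreeIPA or Samba projects): a dedicated sync account is registered in passSyncManagersDNs so that its password changes skip policy checks and the immediate expiration that admin-driven changes get, smb.conf is set to 'ldap passwd sync = only', and the password change itself is done with ldappasswd reading both secrets from files rather than the command line, which is the "polishing" Robert mentions (a password passed with -w/-s is visible in ps and lands in shell history). Assumptions not stated in the thread: the plugin entry DN cn=ipa_pwd_extop,cn=plugins,cn=config, the sync account DN uid=pwsync,cn=sysaccounts,cn=etc,dc=example,dc=com, the server name ipa.example.com, and the OpenLDAP client ldappasswd (whose -y and -T options read the bind and new password from files; the mozldap tool used in the thread has its own file-based options).

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed values: the
# plugin entry DN, the sync account DN, the server name; the suffix
# dc=example,dc=com is the one used in the thread.
set -eu

LDAP_URI=${LDAP_URI:-ldap://ipa.example.com}
SYNC_DN=${SYNC_DN:-uid=pwsync,cn=sysaccounts,cn=etc,dc=example,dc=com}
SYNC_SECRET=${SYNC_SECRET:-/etc/samba/pwsync.secret}   # bind password, mode 0600
LDAPPASSWD=${LDAPPASSWD:-ldappasswd}                     # OpenLDAP client tool

# passsync_ldif DN: LDIF that adds DN to passSyncManagersDNs of the
# ipa-pwd-extop plugin entry, so its password writes bypass the password
# policy and are not expired immediately. One-time setup, applied as
# Directory Manager:  passsync_ldif "$SYNC_DN" | ldapmodify -x -W -D "cn=Directory Manager" -H "$LDAP_URI"
passsync_ldif() {
    cat <<EOF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: $1
EOF
}

# smb_conf_fragment: [global] lines making samba write only userPassword in
# LDAP (bound as the sync account) and leave the Kerberos and NT hashes to
# the ipa-pwd-extop plugin, instead of keeping a second copy it cannot sync.
smb_conf_fragment() {
    cat <<EOF
[global]
    passdb backend = ldapsam:$LDAP_URI
    ldap admin dn = $SYNC_DN
    ldap suffix = dc=example,dc=com
    ldap passwd sync = only
EOF
}

# write_secret FILE PASSWORD: store a secret in a file created with mode
# 0600 (umask applied in a subshell so the caller's umask is untouched).
write_secret() {
    rm -f "$1"
    ( umask 077; printf '%s' "$2" > "$1" )
}

# change_password UID NEWPASSWORD: bind as the sync account and set the
# user's new password. Both secrets reach ldappasswd through files
# (-y bind password, -T new password); argv never contains a password.
change_password() {
    newpw_file=$(mktemp)
    trap 'rm -f "$newpw_file"' EXIT
    write_secret "$newpw_file" "$2"
    "$LDAPPASSWD" -x -ZZ -H "$LDAP_URI" -D "$SYNC_DN" -y "$SYNC_SECRET" \
        -T "$newpw_file" "uid=$1,cn=users,cn=accounts,dc=example,dc=com"
    rm -f "$newpw_file"
    trap - EXIT
}

# Typical use from a samba-triggered script, after root has done once:
#   write_secret "$SYNC_SECRET" 'the-sync-account-bind-password'
# change_password "$1" "$2"
```

The sync account is deliberately not Directory Manager: a compromise of the samba host then yields an account that can only set passwords, not rewrite the directory. The new password is written to a private temporary file and removed right after the call, and the trap covers the failure path so it does not linger if ldappasswd aborts.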
