[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

bahan w bahanw042014 at gmail.com
Fri Jan 8 13:06:39 UTC 2016


Hello !

I am sending you this mail because I have a problem with a user who needs a
keytab and a password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do:

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn server> -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s <fqdn ipa server> -p test001 -k /etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in: /etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h <ipa fqdn server> -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the
ldap ?
May I use ldappasswd ?

Best regards.

Bahan