On 01/06/2015 09:55, Petr Vobornik wrote:
> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>> Hello,
>>
>> I've written a Ruby script to add IPA users from CSV files. This works
>> fine when specifying a username and password. However, using a keytab
>> produces an error (see below). This seems to happen whatever I put in
>> the keytab file.
>>
>> Any suggestions?
>>
>> The VM in question has had its database restored using ipa-restore a
>> number of times, so I don't know if this is a factor.
>>
>> Thanks
>>
>> Bob
>>
>> -sh-4.2$ ./ipa-import-users -h
>> Usage ipa-import-users [options] file1.csv ...
>>     -u, --user USER            Kerberos principal that can add users
>>     -p, --password PASSWORD    Password for the above
>>     -k, --keytab KEYTAB        Login with the specified keytab instead of user and pass
>>     -v, --verbose              enable verbose mode
>>     -d, --debug                enable debug mode
>>     -c, --check                check input files without applying them
>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>> Importing file example_users_file.csv...
>> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
>> Line 2 is ["auser", "Another", "User", "au...@test.com", "pass"]
>> username auser already defined
>> Line 3 is ["james23", "James", "Jones", "jamesjo...@somewhere.com", "secrets2"]
>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjo...@somewhere.com" --password 2>&1
>> Problem with file example_users_file.csv ipa error on james23 - ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
>> -sh-4.2$ klist -kt ipa004.keytab
>> Keytab name: FILE:ipa004.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
>>    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
>>    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
>>    2 18/05/15 14:23:24 host/ipa004.jackland...@test.jackland.uk
>>    4 31/05/15 10:55:37 userad...@test.jackland.uk
>>    4 31/05/15 10:55:37 userad...@test.jackland.uk
>>    4 31/05/15 10:55:37 userad...@test.jackland.uk
>>    4 31/05/15 10:55:37 userad...@test.jackland.uk
>
>
> How does the script obtain a ticket-granting ticket if a keytab is used?
> Does it run just:
>
> kinit -k
>
> If so, then it will get a TGT for the principal
> host/ipa004.jackland...@test.jackland.uk and not for
> userad...@test.jackland.uk. By default, hosts don't have permissions
> to add users.
>
>
It uses kinit -kt. I got a "no suitable keys" error when the keytab only included useradder, so I included the host to get around this (see below).

-sh-4.2$ klist -kt useradder.keytab
Keytab name: FILE:useradder.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 31/05/15 10:37:07 userad...@test.jackland.uk
   3 31/05/15 10:37:07 userad...@test.jackland.uk
   3 31/05/15 10:37:07 userad...@test.jackland.uk
   3 31/05/15 10:37:07 userad...@test.jackland.uk
-sh-4.2$ kinit -kt useradder.keytab
kinit: Keytab contains no suitable keys for host/ipa004.test.jackland...@test.jackland.uk while getting initial credentials
-sh-4.2$

>> -sh-4.2$
>>
>> Installed Packages
>> Name        : ipa-server
>> Arch        : x86_64
>> Version     : 4.1.0
>> Release     : 18.el7_1.3
>> Size        : 4.2 M
>> Repo        : installed
>> From repo   : rhel-7-server-rpms
>> Summary     : The IPA authentication server
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>>             : Identity (machine, user, virtual machines, groups, authentication
>>             : credentials), Policy (configuration settings, access control
>>             : information) and Audit (events, logs, analysis thereof). If you
>>             : are installing an IPA server you need to install this package
>>             : (in other words, most people should NOT install this package).
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
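The "no suitable keys" error in the reply above comes from MIT kinit defaulting to host/<fqdn>@REALM when -k/-kt is given without a principal; naming the principal on the command line removes any need to merge the host's keys into the script's keytab. The following is an added example, not code from the thread or from FreeIPA, and all keytab names and principals in it are constructed.

```sh
# Added example: pick the non-host principal from a keytab and pass it to
# kinit explicitly, so the keytab can hold only the least-privileged
# principal the import job needs. Names below are constructed.

# Print each distinct principal that is not a host/ principal, in keytab
# order. Reads `klist -kt` output on stdin: a "Keytab name:" line, a column
# header, a "----" rule, then one line per (KVNO, date, time, principal).
# klist prints one line per encryption type, so duplicates are collapsed.
service_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 && $4 !~ /^host\// && !seen[$4]++ { print $4 }'
}

# Obtain a TGT for the first non-host principal in the keytab (needs klist
# and kinit from the Kerberos client tools). Fails with a clear message,
# rather than kinit's "no suitable keys for host/...", when there is none.
kinit_as_service() {
    keytab=$1
    principal=$(klist -kt "$keytab" | service_principals | head -n 1)
    if [ -z "$principal" ]; then
        echo "$keytab: no non-host principal in keytab" >&2
        return 1
    fi
    echo "running: kinit -kt $keytab $principal" >&2
    kinit -kt "$keytab" "$principal"
}

# Constructed `klist -kt` output for a keytab that mixes host keys with a
# dedicated user-provisioning principal (the situation in the thread).
SAMPLE_KLIST='Keytab name: FILE:mixed.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 18/05/15 14:23:24 host/ipa.example.test@EXAMPLE.TEST
   2 18/05/15 14:23:24 host/ipa.example.test@EXAMPLE.TEST
   4 31/05/15 10:55:37 svc-useradd@EXAMPLE.TEST
   4 31/05/15 10:55:37 svc-useradd@EXAMPLE.TEST'

# Constructed output for a keytab holding host keys only, which a
# user-provisioning job must refuse rather than authenticate with.
HOST_ONLY_KLIST='Keytab name: FILE:host.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 18/05/15 14:23:24 host/ipa.example.test@EXAMPLE.TEST'

printf '%s\n' "$SAMPLE_KLIST" | service_principals   # prints svc-useradd@EXAMPLE.TEST
```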