On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> I am relatively new to kerberos, and as part of the installation of
> freeipa, I am writing a script to be used by Samba for password changes.
> I read about kadmin.local but the man pages says
>
> "If the database is LDAP, kadmin.local need not be run on the KDC."
>
> so I am unable to use it instead of kadmin that requires a password that
> I do not understand very well how to supply, The first time I started the
> kadmin service on a CentOS server, it says it was adding a few
> principals with these two commands
>
>
> /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:[EMAIL PROTECTED] kadmin/changepw${KRB5REALM:[EMAIL PROTECTED]"
> /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:[EMAIL PROTECTED]" 2> /dev/null && success

If you read freeipa documentation you will see that using kadmin or
kadmin.local is discouraged if you do not know exactly what you are
doing.

> This immediately disabled the usage of kpasswd (unable to find KDC
> error) or kinit with an expired password

Yes, you reset the secret and did not update the keytab file that
ipa_kpasswd uses.

> how can I use the network version of kadmin in order to change a user
> password? which principal can I use with the right privileges:

At this stage you cannot use kadmind with Freeipa, you can use kpasswd,
ipa-passwd, ldappasswd, and recently also ipa-getkeytab

I'd suggest you use [EMAIL PROTECTED] if you have freeipa related
questions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos