Re: kadmin help when using LDAP db (MIT kerberos)
daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Nov 14 12:13:57 2008
From: Simo Sorce <ssorce@redhat.com>
To: Robert Marcano <robert@marcanoonline.com>
In-Reply-To: <1226681790.3491.15.camel@localhost.localdomain>
Date: Fri, 14 Nov 2008 12:12:47 -0500
Message-Id: <1226682767.32715.102.camel@localhost.localdomain>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> I am relatively new to kerberos, and as part of the installation of
> freeipa, I am writing a script to be used by Samba for password changes.
> I read about kadmin.local but the man pages says
>
> "If the database is LDAP, kadmin.local need not be run on the KDC."
>
> so I am unable to use it instead of kadmin, which requires a password that
> I do not understand very well how to supply. The first time I started the
> kadmin service on a CentOS server, it said it was adding a few
> principals with these two commands
>
>
> /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
> /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success
If you read freeipa documentation you will see that using kadmin or
kadmin.local is discouraged if you do not know exactly what you are
doing.
> This immediately disabled the usage of kpasswd (unable to find KDC
> error) or kinit with an expired password
Yes, you reset the secret and did not update the keytab file that
ipa_kpasswd uses.
> how can I use the network version of kadmin in order to change a user
> password? Which principal can I use with the right privileges?
At this stage you cannot use kadmind with Freeipa; you can use kpasswd,
ipa-passwd, ldappasswd, and recently also ipa-getkeytab.
I'd suggest you use freeipa-users@redhat.com if you have freeipa related
questions.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
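The failure Simo describes is a key-version mismatch: `ktadd` re-randomizes the principal's key and bumps its kvno on the KDC, so any other keytab still holding the old kvno (here, the one ipa_kpasswd reads) stops working. The script below is an added example, not code from the thread or from FreeIPA, showing how to check for that drift by comparing the kvno recorded in a keytab (`klist -kt` output) with the kvno the KDC reports (`kadmin.local -q "getprinc ..."` output). The realm EXAMPLE.COM, the keytab path and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): detect a keytab whose kvno no
# longer matches the KDC after `kadmin.local -q "ktadd ..."` reset the key.
# Realm, principal, keytab path and the two sample outputs are constructed.

# Constructed output of: klist -kt /path/to/service.keytab
SAMPLE_KLIST='Keytab name: FILE:/path/to/service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/14/08 12:00:00 kadmin/changepw@EXAMPLE.COM
   3 11/14/08 12:00:00 kadmin/changepw@EXAMPLE.COM'

# Constructed output of: kadmin.local -q "getprinc kadmin/changepw@EXAMPLE.COM"
# (kvno 4: ktadd has been run once more since the keytab above was written)
SAMPLE_GETPRINC='Principal: kadmin/changepw@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96, no salt
Key: vno 4, des-cbc-crc, no salt'

# keytab_kvno PRINCIPAL: highest kvno stored for PRINCIPAL in klist -kt
# output read from stdin; prints 0 if the principal is not in the keytab.
keytab_kvno() {
  awk -v p="$1" 'BEGIN { v = 0 }
    $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > v { v = $1 + 0 }
    END { print v }'
}

# kdc_kvno: highest kvno in getprinc output read from stdin ("Key: vno N, ...").
kdc_kvno() {
  awk 'BEGIN { v = 0 }
    $1 == "Key:" && $2 == "vno" { sub(/,/, "", $3); if ($3 + 0 > v) v = $3 + 0 }
    END { print v }'
}

# compare_kvno PRINCIPAL KEYTAB_KVNO KDC_KVNO
# exit 0 when in sync, 1 when the keytab is stale, 2 when the principal is absent.
compare_kvno() {
  if [ "$2" -eq 0 ]; then
    echo "$1: not present in keytab"
    return 2
  elif [ "$2" -eq "$3" ]; then
    echo "$1: keytab kvno $2 matches KDC"
    return 0
  else
    echo "$1: keytab kvno $2 but KDC kvno $3 (key was reset; re-export the keytab)"
    return 1
  fi
}

# Run the comparison over the constructed samples. Against a live system you
# would pipe `klist -kt KEYTAB` and `kadmin.local -q "getprinc PRINCIPAL"` in.
check_sample() {
  p=kadmin/changepw@EXAMPLE.COM
  kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$p")
  kdc=$(printf '%s\n' "$SAMPLE_GETPRINC" | kdc_kvno)
  compare_kvno "$p" "$kt" "$kdc"
}

check_sample || echo "exit status $?"
```

The check only needs read access to the keytab plus `kadmin.local` (or a kadmin principal with `get` privilege); it changes nothing. A non-zero result means the keytab has to be regenerated for that service rather than running `ktadd` yet again, which would bump the kvno a further time and break every other copy.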
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos