Hi,
On Mon, 16 Jul 2018, Ryan Slominski via FreeIPA-users wrote:
Hi IPA Users,
What is the status of the IPA integration with Kerberos utilities such
as kadmin (kadmin.local) and kdb5_util? Can they be used, or are they
not supported? If not supported, maybe they should report an error or
warning.
It seems setting a user's password expiration with kadmin works in the
short term, but is later overwritten perhaps by multi-master
replication? I was testing password expiration and I set a value using
kadmin modprinc yesterday and noticed today that the value has reverted
back to what it was earlier. As an aside, using ipa user-mod
--setattr=krbPasswordExpiration=20180715011529Z is clumsy, and the admin
user doesn't even have the privilege to execute it successfully. LDAP
modify with directory manager has the privilege, but LDIF is even more
clumsy. With kadmin.local modprinc I can use -pwexpire 1day.
In general, it is not supported. For a long time kadmin lacked a pluggable
interface to allow modules to override how ACLs are managed. The
interface was only added last year and we haven't yet implemented a
plugin for that
(http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/kadm5_auth.html).
kadmin.local does all operations under root as cn=Directory Manager. We
have a few checks in place to disallow direct operations that can be
overridden (ipa-server-install does it), but otherwise you need to be
extremely careful.
krbPasswordExpiration is definitely not excluded from replication
agreements, so its change should replicate to consumers.
ACI "Admins can write passwords" allows members of admins group to
change krbPasswordExpiration (set on the $SUFFIX dn):
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash || krbPasswordExpiration")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
Also, importing an existing database of principals with password hashes
would make migration from a standalone KDC much less painful. Any
chance that feature is added at some point? Looks like one challenge
might be what appears to be the 389 directory server storing user
passwords in two separate fields (userPassword and krbPrincipalKey),
which are presumably hashed differently.
Yes, they are hashed differently, but that's not the only reason why it is
hard to add. You can dig a deeper rabbit hole there, for sure. Any help
with creating a migration tool is welcome. Right now this is not on our
radar for various reasons -- if you have serious considerations on
contributing development to that, you are welcome to freeipa-devel@ to
discuss things in detail.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
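As an added example (not code from the thread or from the FreeIPA project), the two practical points above worked through in Python: checking whether the quoted "Admins can write passwords" ACI actually grants write on krbPasswordExpiration to the admins group, and turning a kadmin-style relative expiry such as "1day" into the GeneralizedTime value that ipa user-mod --setattr expects. The ACI text is the one quoted in the thread with $SUFFIX kept as a placeholder; the function names and the simplified ACI parser are the example's own assumptions.

```python
"""Helpers for the krbPasswordExpiration discussion above (added example)."""
import re
from datetime import datetime, timedelta, timezone

# The ACI quoted in the thread, verbatim; $SUFFIX is left as a placeholder.
ADMINS_ACI = (
    '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || ipaNTHash || krbPasswordExpiration")'
    '(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) '
    'groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
)

# Simplified 389-ds ACI parser: only targetattr, the allow rights and the
# groupdn bind rule are read, which is enough for the ACI quoted above.
_ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\).*?'
    r'allow\s*\((?P<rights>[^)]*)\)\s*groupdn\s*=\s*"ldap:///(?P<group>[^"]*)"',
    re.S,
)

def aci_grants_write(aci, attr, group_dn):
    """True if members of group_dn get 'write' on attr from this ACI.
    targetfilter and other bind rules are ignored (assumption of this example)."""
    m = _ACI_RE.search(aci)
    if not m:
        return False
    attrs = {a.strip().lower() for a in m.group("attrs").split("||")}
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    return (attr.lower() in attrs and "write" in rights
            and m.group("group").lower() == group_dn.lower())

_DURATION_RE = re.compile(r"^(\d+)\s*(day|days|hour|hours|minute|minutes)$")

def expiry_from_relative(spec, now=None):
    """Turn a kadmin-style relative spec such as '1day' into the LDAP
    GeneralizedTime string krbPasswordExpiration stores (YYYYMMDDhhmmssZ, UTC)."""
    m = _DURATION_RE.match(spec.strip().lower())
    if not m:
        raise ValueError(f"unsupported duration: {spec!r}")
    n, unit = int(m.group(1)), m.group(2).rstrip("s")
    delta = timedelta(**{unit + "s": n})
    now = now or datetime.now(timezone.utc)
    return (now + delta).strftime("%Y%m%d%H%M%SZ")

def ipa_user_mod_cmd(user, spec, now=None):
    """Build the argv for the ipa user-mod --setattr call mentioned in the thread."""
    return ["ipa", "user-mod", user,
            f"--setattr=krbPasswordExpiration={expiry_from_relative(spec, now)}"]
```

Run ipa_user_mod_cmd's output as a member of the admins group (per the ACI) rather than as Directory Manager, and confirm the attribute on more than one master afterwards, since the thread notes it is not excluded from replication.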