Dear,
I am facing a weird error when I try the following sequence.
1. create a user
2. log in and change password
3. delete and preserve the user
4. change the user state from deleted and preserved to stage state.
My investigations seem to point towards the fact that the password no longer being in the "change at next log in" state is causing the failure.
Below is an extract of the commands I launched to reproduce the issue.
The commands were launched on RHEL 9.2 with ipa-server-4.10.0-6.el9.x86_64.
[root@idm ~]# kinit admin
Password for admin@LAB.EXAMPLE.NET:
[root@idm ~]# klist
Ticket cache: KCM:0
Default principal: admin@LAB.EXAMPLE.NET
Valid starting Expires Service principal
03/23/2024 12:12:48 03/24/2024 11:23:09 krbtgt/LAB.EXAMPLE.NET@LAB.EXAMPLE.NET
[root@idm ~]# echo -e "password\npassword" | ipa user-add --first=Foo --last=Bar --password foobar
-------------------
Added user "foobar"
-------------------
User login: foobar
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/foobar
GECOS: Foo Bar
Login shell: /bin/sh
Principal name: foobar@LAB.EXAMPLE.NET
Principal alias: foobar@LAB.EXAMPLE.NET
User password expiration: 20240323101254Z
Email address: foobar@lab.example.net
UID: 265800019
GID: 265800019
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@idm ~]# ipa user-show foobar --all
dn: uid=foobar,cn=users,cn=accounts,dc=lab,dc=example,dc=net
User login: foobar
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/foobar
GECOS: Foo Bar
Login shell: /bin/sh
Principal name: foobar@LAB.EXAMPLE.NET
Principal alias: foobar@LAB.EXAMPLE.NET
User password expiration: 20240323101254Z
Email address: foobar@lab.example.net
UID: 265800019
GID: 265800019
Account disabled: False
Preserved user: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
ipantsecurityidentifier: S-1-5-21-3790191592-3611727292-2366632347-1019
ipauniqueid: ea662968-e8fd-11ee-9533-525400201340
krbextradata: AAImq/5lcm9vdC9hZG1pbkBMQUIuRVhBTVBMRS5ORVQA
krblastpwdchange: 20240323101254Z
mepmanagedentry: cn=foobar,cn=groups,cn=accounts,dc=lab,dc=example,dc=net
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
[root@idm ~]# ipa user-show foobar --all | grep krbticketflags
[root@idm ~]# echo -e "password\nPW_redhat_2024\nPW_redhat_2024" | kinit foobar
Password for foobar@LAB.EXAMPLE.NET:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@idm ~]# klist
Ticket cache: KCM:0:95773
Default principal: foobar@LAB.EXAMPLE.NET
Valid starting Expires Service principal
03/23/2024 12:13:09 03/24/2024 11:15:30 krbtgt/LAB.EXAMPLE.NET@LAB.EXAMPLE.NET
[root@idm ~]# kdestroy -p foobar
[root@idm ~]# klist
Ticket cache: KCM:0
Default principal: admin@LAB.EXAMPLE.NET
Valid starting Expires Service principal
03/23/2024 12:12:48 03/24/2024 11:23:09 krbtgt/LAB.EXAMPLE.NET@LAB.EXAMPLE.NET
03/23/2024 12:12:54 03/24/2024 11:23:09 HTTP/idm.lab.example.net@LAB.EXAMPLE.NET
[root@idm ~]# ipa user-show foobar --all | grep krbticketflags
krbticketflags: 128
[root@idm ~]# ipa user-del --preserve foobar
-----------------------
Preserved user "foobar"
-----------------------
[root@idm ~]# ipa user-show foobar --all
dn: uid=foobar,cn=deleted users,cn=accounts,cn=provisioning,dc=lab,dc=example,dc=net
User login: foobar
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/foobar
GECOS: Foo Bar
Login shell: /bin/sh
Principal name: foobar@LAB.EXAMPLE.NET
Principal alias: foobar@LAB.EXAMPLE.NET
Email address: foobar@lab.example.net
UID: 265800019
GID: 265800019
Account disabled: True
Preserved user: True
Password: False
Kerberos keys available: False
ipantsecurityidentifier: S-1-5-21-3790191592-3611727292-2366632347-1019
ipauniqueid: ea662968-e8fd-11ee-9533-525400201340
krbextradata: AAI1q/5la2FkbWluZEBMQUIuRVhBTVBMRS5ORVQA
krbloginfailedcount: 0
krbticketflags: 128
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, ipantuserattrs
[root@idm ~]# ipa user-show foobar --all | grep krbticketflags
krbticketflags: 128
[root@idm ~]# ipa user-stage foobar
ipa: ERROR: attribute "krbticketflags" not allowed
The problem seems to be related to the user attribute krbticketflags.
Of course, I thank you in advance for any help, suggestions and assistance.
Regards,
Tshimanga
PS: I am sorry the post is long, but I thought I had to clearly show the steps to reproduce the issue.
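As an added example (not part of the original post and not FreeIPA's own code), here are small shell helpers around the user-del --preserve / user-stage sequence shown above: a decoder that turns the integer in "krbticketflags: 128" into MIT krb5 KDB flag names, a parser that pulls that attribute out of `ipa user-show USER --all` output, and a pre-check that reports whether a preserved entry still carries it before user-stage is attempted. The bit values are taken from MIT krb5's kdb.h (an assumption; check the header on your system), the RUN_ON_IDM variable is a name chosen here, and SAMPLE_PRESERVED is a constructed, abridged copy of the preserved entry in the post. The ipa calls at the bottom only run on an IdM server with an admin ticket.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: krbticketflags bit values as defined in MIT krb5's kdb.h
# (128 = KRB5_KDB_REQUIRES_PRE_AUTH). Verify against your own kdb.h.

# Decode an integer krbticketflags value into comma-separated flag names.
decode_krbticketflags() {
    flags=$1
    out=""
    for pair in 1:DISALLOW_POSTDATED 2:DISALLOW_FORWARDABLE 4:DISALLOW_TGT_BASED \
                8:DISALLOW_RENEWABLE 16:DISALLOW_PROXIABLE 32:DISALLOW_DUP_SKEY \
                64:DISALLOW_ALL_TIX 128:REQUIRES_PRE_AUTH 256:REQUIRES_HW_AUTH \
                512:REQUIRES_PWCHANGE 4096:DISALLOW_SVR 8192:PWCHANGE_SERVICE \
                16384:SUPPORT_DESMD5 32768:NEW_PRINC; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( $flags & $bit )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "${out:-NONE}"
}

# Read `ipa user-show USER --all` output on stdin; print the krbticketflags
# value, or nothing if the attribute is absent from the entry.
ticketflags_from_show() {
    sed -n 's/^[[:space:]]*krbticketflags:[[:space:]]*//p'
}

# Read user-show output on stdin. Return 0 when the entry has no
# krbticketflags; return 1 and print the decoded value on stderr when it
# still does (the attribute user-stage rejected in the post).
stage_precheck() {
    flags=$(ticketflags_from_show)
    if [ -z "$flags" ]; then
        return 0
    fi
    printf 'krbticketflags=%s (%s) still set on the preserved entry\n' \
        "$flags" "$(decode_krbticketflags "$flags")" >&2
    return 1
}

# Constructed sample: abridged preserved entry as shown in the post.
SAMPLE_PRESERVED='User login: foobar
Account disabled: True
Preserved user: True
Password: False
krbloginfailedcount: 0
krbticketflags: 128'

# Reproduction on a real IdM server (needs kinit admin). RUN_ON_IDM is a
# guard variable chosen for this example; the pre-check only warns, so the
# user-stage error from the post is still reproduced.
if [ "${RUN_ON_IDM:-0}" = 1 ]; then
    user=${1:-foobar}
    ipa user-del --preserve "$user"
    ipa user-show "$user" --all | stage_precheck
    ipa user-stage "$user"
fi
```

Run `RUN_ON_IDM=1 sh precheck.sh foobar` on the server after the user has changed their password to see the decoded flag printed just before user-stage fails; without the variable the script only defines the helpers, so `. ./precheck.sh` then `ipa user-show foobar --all | stage_precheck` works as a stand-alone check.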
Red Hat Learning Community