cancel
Showing results for 
Search instead for 
Did you mean: 
TM
Flight Engineer Flight Engineer
Flight Engineer
  • 485 Views

failure to move a user from deleted and preserved state to stage state

Dear,

I am facing a weird error, when I try the followinf sequence.
1. create a user
2. log in and change password
3. delete and preserve the user
4. change the user state from deleted and preserved to stage state.

My investigagions seem to points towards the fact that the password is not anymore in the "change at next log in" state is causing the failure.

Here below is the extract of the commands I have launched, to reproduce the issue.
The commands are lancuned on a RHEL 9.2 with ipa-server-4.10.0-6.el9.x86_64.

[root@idm ~]# kinit admin
Password for admin@LAB.EXAMPLE.NET: 
[root@idm ~]# klist
Ticket cache: KCM:0
Default principal: admin@LAB.EXAMPLE.NET

Valid starting       Expires              Service principal
03/23/2024 12:12:48  03/24/2024 11:23:09  krbtgt/LAB.EXAMPLE.NET@LAB.EXAMPLE.NET
[root@idm ~]# echo -e "password\npassword" | ipa user-add --first=Foo --last=Bar --password foobar
-------------------
Added user "foobar"
-------------------
  User login: foobar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/foobar
  GECOS: Foo Bar
  Login shell: /bin/sh
  Principal name: foobar@LAB.EXAMPLE.NET
  Principal alias: foobar@LAB.EXAMPLE.NET
  User password expiration: 20240323101254Z
  Email address: foobar@lab.example.net
  UID: 265800019
  GID: 265800019
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@idm ~]# ipa user-show foobar --all
  dn: uid=foobar,cn=users,cn=accounts,dc=lab,dc=example,dc=net
  User login: foobar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/foobar
  GECOS: Foo Bar
  Login shell: /bin/sh
  Principal name: foobar@LAB.EXAMPLE.NET
  Principal alias: foobar@LAB.EXAMPLE.NET
  User password expiration: 20240323101254Z
  Email address: foobar@lab.example.net
  UID: 265800019
  GID: 265800019
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipantsecurityidentifier: S-1-5-21-3790191592-3611727292-2366632347-1019
  ipauniqueid: ea662968-e8fd-11ee-9533-525400201340
  krbextradata: AAImq/5lcm9vdC9hZG1pbkBMQUIuRVhBTVBMRS5ORVQA
  krblastpwdchange: 20240323101254Z
  mepmanagedentry: cn=foobar,cn=groups,cn=accounts,dc=lab,dc=example,dc=net
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry,
               ipantuserattrs
[root@idm ~]# ipa user-show foobar --all | grep krbticketflags
[root@idm ~]# echo -e "password\nPW_redhat_2024\nPW_redhat_2024" | kinit foobar
Password for foobar@LAB.EXAMPLE.NET: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@idm ~]# klist
Ticket cache: KCM:0:95773
Default principal: foobar@LAB.EXAMPLE.NET

Valid starting       Expires              Service principal
03/23/2024 12:13:09  03/24/2024 11:15:30  krbtgt/LAB.EXAMPLE.NET@LAB.EXAMPLE.NET
[root@idm ~]# kdestroy -p foobar
[root@idm ~]# klist
Ticket cache: KCM:0
Default principal: admin@LAB.EXAMPLE.NET

Valid starting       Expires              Service principal
03/23/2024 12:12:48  03/24/2024 11:23:09  krbtgt/LAB.EXAMPLE.NET@LAB.EXAMPLE.NET
03/23/2024 12:12:54  03/24/2024 11:23:09  HTTP/idm.lab.example.net@LAB.EXAMPLE.NET
[root@idm ~]# ipa user-show foobar --all | grep krbticketflags
  krbticketflags: 128
[root@idm ~]# ipa user-del --preserve foobar
-----------------------
Preserved user "foobar"
-----------------------
[root@idm ~]# ipa user-show foobar --all
  dn: uid=foobar,cn=deleted users,cn=accounts,cn=provisioning,dc=lab,dc=example,dc=net
  User login: foobar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/foobar
  GECOS: Foo Bar
  Login shell: /bin/sh
  Principal name: foobar@LAB.EXAMPLE.NET
  Principal alias: foobar@LAB.EXAMPLE.NET
  Email address: foobar@lab.example.net
  UID: 265800019
  GID: 265800019
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
  ipantsecurityidentifier: S-1-5-21-3790191592-3611727292-2366632347-1019
  ipauniqueid: ea662968-e8fd-11ee-9533-525400201340
  krbextradata: AAI1q/5la2FkbWluZEBMQUIuRVhBTVBMRS5ORVQA
  krbloginfailedcount: 0
  krbticketflags: 128
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, ipantuserattrs
[root@idm ~]# ipa user-show foobar --all | grep krbticketflags
  krbticketflags: 128
[root@idm ~]# ipa user-stage foobar
ipa: ERROR: attribute "krbticketflags" not allowed

The problem seems to be related to the user attribute krbticketflags.

Of course, I thank in advance all the help, suggestions and assistance.

Regards,

Tshimanga

 

PS: I am sorry if the post is long, but I tought I had to clearly show the steps to reproduce the issue.

0 Kudos
0 Replies
Join the discussion
You must log in to join this conversation.