#937 Some entries lack krbExtraData
Closed: Fixed None Opened 13 years ago by rcritten.

Sumit reports that krbExtraData with the blob containing the time of last change + UPN of the one who has changed the entry is missing from users created in IPA.

You can find them in some entries such as admin, kadmin and the host and LDAP service of the server, but everything created via IPA calls does not have them.


A bit more context on how to reproduce this. I tried to modify some Kerberos flags of an IPA user with kadmin.local on the IPA server and got:

kadmin.local:  getprinc utest0@IPA.TEST
get_principal: Database record is incomplete or corrupted while retrieving "utest0@IPA.TEST".

What is missing to make kadmin.local work is an LDAP attribute in the user object like:

krbExtraData: {HEX} 00 02 48 42 13 4d 72 6f 6f 74 2f 61 64 6d 69 6e 40 49 50 41 2e 54 45 53 54 00

where the bytes are:
- 1-2: 0x0002, a tag for the type of data (last changed time).
- 3-6: the Unix time stamp, 0x4D134248 = 1293107784 = 'Thu Dec 23 13:36:24 CET 2010'
- 7-end: zero-terminated string with the principal of the changer

Although it is not needed to make kadmin.local work, the Kerberos LDAP entries typically also have a krbExtraData with the key version number of the master key:

krbExtraData: {HEX} 00 08 01 00

where 0x0008 is the tag followed by the version number.
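The two krbExtraData layouts quoted above can be checked mechanically. The following is an added example, not FreeIPA's own code: it decodes `{HEX}`-style krbExtraData values and flags entries that lack the tag 0x0002 record, which is exactly the state kadmin.local reports as "incomplete or corrupted". The tag is read as big-endian and the time stamp as little-endian, as the byte listing above implies; reading the master key version number as a little-endian 16-bit integer is an assumption (the ticket only shows `01 00`). The entry DNs and the empty entry are constructed sample data, so the script runs offline without an LDAP connection.

```python
import struct
from datetime import datetime, timezone

# Tag values as described in the ticket: 0x0002 is the last-change record
# (time + principal of the changer), 0x0008 is the master key version number.
TAG_MOD_PRINC = 0x0002
TAG_MKVNO = 0x0008


def hex_display_to_bytes(value: str) -> bytes:
    """Convert the '{HEX} 00 02 ...' display form into raw bytes."""
    if value.startswith("{HEX}"):
        value = value[len("{HEX}"):]
    return bytes.fromhex(value.replace(" ", ""))


def decode_krb_extra_data(blob: bytes) -> dict:
    """Decode a single krbExtraData value.

    Layout from the ticket: a 2-byte big-endian tag, then tag-specific
    contents. Tag 0x0002: 4-byte little-endian Unix time followed by a
    NUL-terminated principal. Tag 0x0008: the master key version number;
    reading it as a little-endian 16-bit integer is an assumption made here
    (the ticket only shows the bytes '01 00').
    """
    if len(blob) < 2:
        raise ValueError("value shorter than the 2-byte tag")
    (tag,) = struct.unpack(">H", blob[:2])
    contents = blob[2:]

    if tag == TAG_MOD_PRINC:
        if len(contents) < 5:
            raise ValueError("last-change record too short")
        (ts,) = struct.unpack("<I", contents[:4])
        end = contents.find(b"\x00", 4)
        if end == -1:
            raise ValueError("principal in last-change record is not NUL-terminated")
        return {
            "tag": tag,
            "timestamp": ts,
            "changed_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "changed_by": contents[4:end].decode("utf-8"),
        }

    if tag == TAG_MKVNO:
        if len(contents) != 2:
            raise ValueError("master key version record must be 2 bytes")
        (mkvno,) = struct.unpack("<H", contents)
        return {"tag": tag, "mkvno": mkvno}

    # Unknown tag: keep the raw contents so nothing is silently dropped.
    return {"tag": tag, "raw": contents}


def check_entry(krb_extra_data_values: list[str]) -> dict:
    """Decode every krbExtraData value of an entry and report whether the
    last-change record kadmin requires (tag 0x0002) is present."""
    records = [decode_krb_extra_data(hex_display_to_bytes(v))
               for v in krb_extra_data_values]
    has_mod_princ = any(r["tag"] == TAG_MOD_PRINC for r in records)
    return {"records": records, "kadmin_ok": has_mod_princ}


# Constructed sample entries built from the two values quoted in the ticket.
SAMPLE_ENTRIES = {
    # Like the admin/kadmin/host/ldap entries: both records present.
    "uid=admin,cn=users,cn=accounts,dc=ipa,dc=test": [
        "{HEX} 00 02 48 42 13 4d 72 6f 6f 74 2f 61 64 6d 69 6e 40 49 50 41 2e 54 45 53 54 00",
        "{HEX} 00 08 01 00",
    ],
    # Like a user created through the IPA API: attribute absent.
    "uid=utest0,cn=users,cn=accounts,dc=ipa,dc=test": [],
}


def report(entries: dict) -> list[str]:
    """One line per entry; lines flagged 'MISSING' are the ones kadmin will
    reject with 'Database record is incomplete or corrupted'."""
    lines = []
    for dn, values in entries.items():
        result = check_entry(values)
        if result["kadmin_ok"]:
            rec = next(r for r in result["records"] if r["tag"] == TAG_MOD_PRINC)
            lines.append(f"OK      {dn}: last changed {rec['changed_at']} by {rec['changed_by']}")
        else:
            lines.append(f"MISSING {dn}: no krbExtraData tag 0x0002")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ENTRIES)))
```

Feeding the script the krbExtraData values of real entries (for example from an `ldapsearch` dump) gives a quick inventory of which principals still need a password change or `ipa-getkeytab` run before kadmin can touch them. The time stamp decodes to 12:36:24 UTC, which is the 13:36:24 CET shown in the ticket.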

I reopened this ticket, because the issue is not fixed completely. Although the patch works as expected, and whenever the password of the related object is changed the krbExtraData attributes are set, newly created objects are not accessible by kadmin, because no password is set and the password plugin is never called. This means you have to call 'ipa passwd' or 'ipa-getkeytab' to set the krbExtraData attributes before you are able to use kadmin.

It would be nice if the attributes can also be set for freshly created objects, but if there is no time to add this, a paragraph in the docs or release notes is sufficient imo.

I would make this a doc bug for now.

Can we open a separate ticket to track the additional requirements and close this one?

Why is this ticket in OTP feature bucket? Shouldn't it be moved elsewhere?

I came across the issue when working on an OTP PoC years ago but I agree it is not related to OTP.

Ok then, I will move it to NEEDS_TRIAGE, let's decide at the triage meeting.

FYI I deleted the wrong patch attached to avoid wasting time of other people looking through this bug.

Removing on_review flag as this ticket now targets another issue we do not have an active patch for.

master:

  • 21f7584 FIX: ipa_kdb_principals: add missing break statement

could also be backported to the 4.2 branch

ipa-4-2:

  • d5180ee Return default TL_DATA is krbExtraData is missing
  • fec0f46 FIX: ipa_kdb_principals: add missing break statement

Metadata Update from @rcritten:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago
