When using ldappasswd to set user password, the IPA password plugin is triggered and unconditionally sets kerberosExtraData attribute on the target DN regardless of whether it is a proper Kerberos principal or just a simple user entry (see [1]).
This manifests when setting userPassword for the 'sudo' sysaccount which has just 'simpleSecurityObject' and 'account' objectclasses. The error log then contains the following (after ramping up the nsslapd-errorlog-level):
[27/Sep/2016:12:00:05.611462303 +0000] => entry_apply_mods_wsi
[27/Sep/2016:12:00:05.616341428 +0000] krbExtraData:
[27/Sep/2016:12:00:05.621399114 +0000] replace: krbExtraData
[27/Sep/2016:12:00:05.626296695 +0000] -
[27/Sep/2016:12:00:05.630766614 +0000] modifiersname: cn=ipa_pwd_extop,cn=plugins,cn=config
[27/Sep/2016:12:00:05.635958790 +0000] replace: modifiersname
[27/Sep/2016:12:00:05.647124780 +0000] -
[27/Sep/2016:12:00:05.652126329 +0000] modifytimestamp: 20160927120003Z
[27/Sep/2016:12:00:05.662898852 +0000] replace: modifytimestamp
[27/Sep/2016:12:00:05.674080487 +0000] -
[27/Sep/2016:12:00:05.678959024 +0000] entryusn: 1589
[27/Sep/2016:12:00:05.683814090 +0000] replace: entryusn
[27/Sep/2016:12:00:05.695163460 +0000] -
[27/Sep/2016:12:00:05.705747844 +0000] <= entry_apply_mods_wsi 0
[27/Sep/2016:12:00:05.710499983 +0000] Entry "uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=test" -- attribute "krbExtraData" not allowed
[27/Sep/2016:12:00:05.715094809 +0000] Calling plugin 'Retrocl postoperation plugin' #0 type 561
[27/Sep/2016:12:00:05.725715544 +0000] not applying change if op failed 65
The operation itself is completed and the password is changed successfully, but we shouldn't let the error logs be polluted by false negatives.
[1] https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c#n598
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=712109 (Red Hat Enterprise Linux 7)
Note that ipapwd_SetPassword() also doesn't check is_krb when adding modifications to the list of changes to LDAP entry. If is_krb is not set, it ideally should skip adding Kerberos attributes.
Ideally this should be implemented as part of a bigger effort.
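The following is an added illustration of the check the ticket asks for; it is not FreeIPA's ipa_pwd_extop code. It models the password plugin's modification list in Python: the userPassword replace applies to every entry, while the krb* attributes are appended only when the entry carries the krbPrincipalAux auxiliary objectclass (the class that allows krbExtraData in the Kerberos LDAP schema). A small model of the server-side schema check reproduces the "attribute not allowed" failure from the log when the check is skipped. The two entries, the password hash and the krbExtraData placeholder are constructed sample data.

```python
"""Added example (not FreeIPA's code): only add Kerberos attributes when the
entry may carry them. Entries, hashes and the krbExtraData value are constructed."""
from datetime import datetime, timezone

# Auxiliary objectclass from the Kerberos LDAP schema that allows krb* attributes.
KRB_OBJECTCLASS = "krbprincipalaux"

# Constructed sample entries, modelled on the DN quoted in the ticket.
SUDO_SYSACCOUNT = {
    "dn": "uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=test",
    "objectClass": ["simpleSecurityObject", "account"],
}
KRB_USER = {
    "dn": "uid=alice,cn=users,cn=accounts,dc=ipa,dc=test",
    "objectClass": ["person", "inetOrgPerson", "krbPrincipalAux"],
}


def is_krb(entry):
    """True when the entry's objectclasses allow Kerberos attributes."""
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    return KRB_OBJECTCLASS in classes


def build_password_mods(entry, hashed_password, when=None, check_is_krb=True):
    """Return the modification list as (op, attribute, values) tuples.

    check_is_krb=False reproduces the behaviour the ticket describes: the
    krb* attributes are added unconditionally, even for a plain sysaccount.
    """
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y%m%d%H%M%SZ")  # LDAP GeneralizedTime
    mods = [("replace", "userPassword", [hashed_password])]
    if not check_is_krb or is_krb(entry):
        mods.append(("replace", "krbLastPwdChange", [stamp]))
        # Real krbExtraData is a binary blob; a labelled placeholder stands in.
        mods.append(("replace", "krbExtraData", [b"<constructed-placeholder>"]))
    return mods


def schema_violations(entry, mods):
    """Model of the directory server's schema check.

    Returns the attributes the entry's objectclasses do not allow, i.e. the
    ones that would produce 'attribute "..." not allowed' in the error log.
    """
    if is_krb(entry):
        return []
    return [attr for _, attr, _ in mods if attr.lower().startswith("krb")]


def attributes(mods):
    """Attribute names in a modification list, in order."""
    return [attr for _, attr, _ in mods]


if __name__ == "__main__":
    for entry in (SUDO_SYSACCOUNT, KRB_USER):
        for flag in (False, True):
            mods = build_password_mods(entry, "{SSHA}constructed", check_is_krb=flag)
            print(entry["dn"], "check_is_krb=%s" % flag,
                  attributes(mods), "violations:", schema_violations(entry, mods))
```

Running the block prints, for the sudo sysaccount, two schema violations (krbLastPwdChange and krbExtraData) without the check and none with it, while the krbPrincipalAux user gets the Kerberos attributes in both cases.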
Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
Close as the BZ was closed.
Metadata Update from @pcech:
- Issue close_status updated to: wontfix
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
- Issue status updated to: Closed (was: Open)
Metadata Update from @abbra:
- Issue status updated to: Open (was: Closed)
This is actually fixed with the following commits:
master: 132a0f8
ipa-4-8: 8b7bb96
ipa-4-6: dc83394
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
And the changes of ticket https://pagure.io/freeipa/issue/7181 also apply here.