In IPA KrbExtraData is missing for kerberos user entry and unable to use kadmin to display informations

Solution Verified - Updated -

Issue

  • In IPA KrbExtraData is missing for kerberos user entry and unable to use kadmin to display informations. Entries are correctly displayed with the ipa user-show command but some of them cannot be displayed by kadmin because of a missing value in the krbExtraData field (for IPA users without password set).

  • On IPA server, kadmin.local -q "getprinc ipa_user_name" command fails with:

[root@rhel7-ipa-1 ~]# for account in `kadmin.local -q getprincs|egrep -v "Authenticating"`; do kadmin.local -q "getprinc $account" |grep "######"; done
get_principal: Database record is incomplete or corrupted while retrieving "testuser2@EXAMPLE.COM".   

[root@rhel7-ipa-1 ~]# kadmin.local -q "getprinc testuser2"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
get_principal: Database record is incomplete or corrupted while retrieving "testuser2@EXAMPLE.COM".

Environment

  • Red Hat Enterprise Linux 7.x (IPA server)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content