In IPA, KrbExtraData is missing for a Kerberos user entry and kadmin cannot display the entry's information

Solution Verified - Updated -

Issue

  • In IPA, krbExtraData is missing from some Kerberos user entries, and kadmin cannot display information for them. The entries are displayed correctly by the ipa user-show command, but some of them cannot be displayed by kadmin because the krbExtraData field has no value (this affects IPA users without a password set).

  • On the IPA server, the kadmin.local -q "getprinc ipa_user_name" command fails with:

[root@rhel7-ipa-1 ~]# for account in `kadmin.local -q getprincs|egrep -v "Authenticating"`; do kadmin.local -q "getprinc $account" |grep "######"; done
get_principal: Database record is incomplete or corrupted while retrieving "testuser2@EXAMPLE.COM".   

[root@rhel7-ipa-1 ~]# kadmin.local -q "getprinc testuser2"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
get_principal: Database record is incomplete or corrupted while retrieving "testuser2@EXAMPLE.COM".
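
The same condition can be checked directly against the LDAP entries rather than by looping over kadmin.local. The following is an added example, not part of the original article: it reads LDIF and lists principals whose entry has no krbExtraData. The function names, the sample LDIF (including its base64 values) and the base DN and bind identity in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list principals whose LDAP entry has no krbExtraData attribute.
# Assumed live use (base DN and bind identity are assumptions for EXAMPLE.COM;
# bind as an identity that may read krbExtraData, otherwise every entry is reported):
#   ldapsearch -LLL -o ldif-wrap=no -D "cn=Directory Manager" -W \
#     -b "cn=users,cn=accounts,dc=example,dc=com" "(krbPrincipalName=*)" \
#     krbPrincipalName krbExtraData | find_missing_extradata

# Reads LDIF on stdin; prints the first krbPrincipalName of each affected entry.
find_missing_extradata() {
    awk '
        function emit() {
            if (princ != "" && !has_extra) print princ
            princ = ""; has_extra = 0
        }
        /^$/ { emit(); next }        # a blank line ends an LDIF entry
        /^ / { next }                # folded continuation of the previous line
        {
            line = tolower($0)       # attribute names are case-insensitive
            if (line ~ /^krbextradata:/)
                has_extra = 1        # matches plain (:) and base64 (::) values
            else if (princ == "" && line ~ /^krbprincipalname: /)
                princ = substr($0, index($0, ": ") + 2)
        }
        END { emit() }               # last entry may lack a trailing blank line
    '
}

# Constructed sample input: testuser1 has a password set, testuser2 does not.
sample_ldif() {
    cat <<'EOF'
dn: uid=testuser1,cn=users,cn=accounts,dc=example,dc=com
krbPrincipalName: testuser1@EXAMPLE.COM
krbExtraData:: AAJjb25zdHJ1Y3RlZA==

dn: uid=testuser2,cn=users,cn=accounts,dc=example,dc=com
krbPrincipalName: testuser2@EXAMPLE.COM
EOF
}

sample_ldif | find_missing_extradata
```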

Environment

  • Red Hat Enterprise Linux 7.x (IPA server)
