On 12/5/18 8:39 PM, Ivars Strazdiņš via FreeIPA-users wrote:
On 5 Dec 2018, at 19:01, Rob Crittenden via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Ivars Strazdiņš via FreeIPA-users wrote:
On 5 Dec 2018, at 14:47, Rob Crittenden <rcrit...@redhat.com> wrote:
Ivars Strazdiņš via FreeIPA-users wrote:
Hi,
just upgraded CentOS to 7.6 and got FreeIPA upgraded to 4.6.4.
Now command "ipa user-show <USERNAME> --all" does not return
“krbpasswordexpiration” field anymore.
Is there another simple way to find out when user's password expires? We kind
of relied on this to warn them in advance.
We could possibly calculate expiration date from user’s “krblastpwdchange” field and
"ipa pwpolicy-find" command output, but maybe there’s a simpler way?
This field was not removed. Are you sure the user in question has a
password set at all?
You should be able to confirm whether the attribute is available using
ldapsearch.
rob
Hmm, that’s interesting. Of course the password has been set.
I have checked on two different upgraded IPA installations and none returns
'krbpasswordexpiration'.
Am I missing anything in these commands below?
# ipa user-show USER --all | grep -i krb
krbextradata: xxxxxxxxxxxxxxxxxxx=
krblastadminunlock: 20170627104746Z
krblastfailedauth: 20181112112534Z
krblastpwdchange: 20170625164309Z
krblastsuccessfulauth: 20181205081700Z
krbloginfailedcount: 0
objectclass: ipaobject, person, top, ipasshuser, inetorgperson,
organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser,
posixaccount, ipaSshGroupOfPubKeys, mepOriginEntry
# ldapsearch -Y GSSAPI uid=USER|grep -i krb
SASL/GSSAPI authentication started
SASL username: ad...@do.main.com
SASL SSF: 256
SASL data security layer installed.
krbLastSuccessfulAuth: 20181205081700Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20181112112534Z
memberOf: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=
krbLastAdminUnlock: 20170627104746Z
krbExtraData:: xxxxxxxxxxxxxx=
krbLastPwdChange: 20170625164309Z
krbCanonicalName: u...@do.main.com
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
krbPrincipalName: u...@do.main.com
What happens if you add krbpasswordexpiration in the attribute list to
the ldapsearch:
# ldapsearch -Y GSSAPI uid=USER krbpasswordexpiration
Well, nothing.
# ldapsearch -Y GSSAPI uid=USER krbpasswordexpiration
SASL/GSSAPI authentication started
SASL username: ad...@do.main.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=DO,dc=MAIN,dc=COM> (default) with scope subtree
# filter: uid=USER
# requesting: krbpasswordexpiration
#
# USER, users, compat, DO.MAIN.COM
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM
# USER, users, accounts, DO.MAIN.COM
dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Other attributes are presented in query output.
# ldapsearch -Y GSSAPI uid=USER krblastsuccessfulauth
SASL/GSSAPI authentication started
SASL username: ad...@do.main.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=DO,dc=MAIN,dc=COM> (default) with scope subtree
# filter: uid=USER
# requesting: krblastsuccessfulauth
#
# USER, users, compat, DO.MAIN.COM
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM
# USER, users, accounts, DO.MAIN.COM
dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM
krblastsuccessfulauth: 20181205081700Z
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
With kind regards,
Ivars
Hi,
With which credentials are you connecting? Can you try the same
ldapsearch but with "-x -D cn=directory manager" instead of -Y GSSAPI?
(if ACIs protect the attribute, directory manager will be able to see
them anyway).
flo
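
The comparison suggested in the last message, as an added example that is not part of the original thread: run the same search once with the Kerberos bind and once as Directory Manager, then compare per entry which attributes each bind was given. Both LDIF samples are constructed (the krbPasswordExpiration value is invented), and `parse_ldif` and `classify` are hypothetical helper names.

```python
# Added example. Both LDIF samples are constructed, modelled on the
# ldapsearch output quoted in this thread; the expiration value is invented.
USER_VIEW = """\
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM

dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM
krbLastPwdChange: 20170625164309Z

# search result
search: 4
result: 0 Success
"""
DM_VIEW = """\
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM

dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM
krbLastPwdChange: 20170625164309Z
krbPasswordExpiration: 20170923164309Z
"""

def parse_ldif(text):
    """Map each DN to the set of attribute names returned for it (lowercased)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends an entry
            continue
        if line[0] in "# ":         # comment or folded continuation line
            continue
        name, sep, value = line.partition(":")
        if sep and name.lower() == "dn":
            current = entries.setdefault(value.strip(": ").lower(), set())
        elif sep and current is not None:
            current.add(name.lower())
    return entries

def classify(attr, user_ldif, dm_ldif):
    """Per DN: 'visible', 'filtered-for-bind' or 'not-set' for one attribute."""
    attr, user, dm = attr.lower(), parse_ldif(user_ldif), parse_ldif(dm_ldif)
    verdicts = {}
    for dn, dm_attrs in dm.items():
        if attr in user.get(dn, set()):
            verdicts[dn] = "visible"
        elif attr in dm_attrs:
            verdicts[dn] = "filtered-for-bind"   # only Directory Manager sees it
        else:
            verdicts[dn] = "not-set"             # absent even for Directory Manager
    return verdicts
```

A "filtered-for-bind" verdict points at access control on the attribute, while "not-set" means the value is missing from the entry itself.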
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org