On 12/5/18 8:39 PM, Ivars Strazdiņš via FreeIPA-users wrote:

On 5 Dec 2018, at 19:01, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Ivars Strazdiņš via FreeIPA-users wrote:


On 5 Dec 2018, at 14:47, Rob Crittenden <rcrit...@redhat.com> wrote:

Ivars Strazdiņš via FreeIPA-users wrote:
Hi,
just upgraded CentOS to 7.6 and got FreeIPA upgraded to 4.6.4.

Now the command "ipa user-show <USERNAME> --all" does not return the 
"krbpasswordexpiration" field anymore.
Is there another simple way to find out when user's password expires? We kind 
of relied on this to warn them in advance.

We could possibly calculate expiration date from user's "krblastpwdchange" field and 
"ipa pwpolicy-find" command output, but maybe there's a simpler way?

This field was not removed. Are you sure the user in question has a
password set at all?

You should be able to confirm whether the attribute is available using
ldapsearch.

rob

Hmm, that’s interesting. Of course the password has been set.
I have checked on two different upgraded IPA installations and neither returns 
'krbpasswordexpiration'.
Am I missing anything in these commands below?

# ipa user-show USER --all | grep -i krb
  krbextradata: xxxxxxxxxxxxxxxxxxx=
  krblastadminunlock: 20170627104746Z
  krblastfailedauth: 20181112112534Z
  krblastpwdchange: 20170625164309Z
  krblastsuccessfulauth: 20181205081700Z
  krbloginfailedcount: 0
  objectclass: ipaobject, person, top, ipasshuser, inetorgperson, 
organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser, 
posixaccount, ipaSshGroupOfPubKeys, mepOriginEntry

# ldapsearch -Y GSSAPI  uid=USER|grep -i krb
SASL/GSSAPI authentication started
SASL username: ad...@do.main.com
SASL SSF: 256
SASL data security layer installed.
krbLastSuccessfulAuth: 20181205081700Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20181112112534Z
memberOf: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=
krbLastAdminUnlock: 20170627104746Z
krbExtraData:: xxxxxxxxxxxxxx=
krbLastPwdChange: 20170625164309Z
krbCanonicalName: u...@do.main.com
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
krbPrincipalName: u...@do.main.com

What happens if you add krbpasswordexpiration in the attribute list to
the ldapsearch:

# ldapsearch -Y GSSAPI uid=USER krbpasswordexpiration

Well, nothing.

# ldapsearch -Y GSSAPI uid=USER krbpasswordexpiration
SASL/GSSAPI authentication started
SASL username: ad...@do.main.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=DO,dc=MAIN,dc=COM> (default) with scope subtree
# filter: uid=USER
# requesting: krbpasswordexpiration
#

# USER, users, compat, DO.MAIN.COM
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM

# USER, users, accounts, DO.MAIN.COM
dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Other attributes are presented in query output.

# ldapsearch -Y GSSAPI  uid=USER krblastsuccessfulauth
SASL/GSSAPI authentication started
SASL username: ad...@do.main.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=DO,dc=MAIN,dc=COM> (default) with scope subtree
# filter: uid=USER
# requesting: krblastsuccessfulauth
#

# USER, users, compat, DO.MAIN.COM
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM

# USER, users, accounts, DO.MAIN.COM
dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM
krblastsuccessfulauth: 20181205081700Z

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

With kind regards,
Ivars



Hi,

With which credentials are you connecting? Can you try the same ldapsearch but with "-x -D cn=directory manager" instead of -Y GSSAPI? (If ACIs protect the attribute, directory manager will be able to see it anyway.)

flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
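
The fallback raised in the thread (deriving the expiry from krbLastPwdChange plus the password policy's maximum lifetime when krbPasswordExpiration is not returned), as an added example that is not part of the original messages or of FreeIPA itself. The function names, the 90-day lifetime and the sample LDIF are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ASSUMED_MAX_LIFE_DAYS = 90  # assumed policy value, not one taken from the thread
# Constructed sample shaped like the thread's ldapsearch output: the cn=compat
# entry has no Kerberos attributes and krbPasswordExpiration is not returned.
SAMPLE_LDIF = """\
dn: uid=USER,cn=users,cn=compat,dc=DO,dc=MAIN,dc=COM

dn: uid=USER,cn=users,cn=accounts,dc=DO,dc=MAIN,dc=COM
krbLastPwdChange: 20170625164309Z
krbLastSuccessfulAuth: 20181205081700Z
"""

def parse_entries(ldif):
    """Return {dn: {lowercased attribute: value}} from ldapsearch LDIF text."""
    entries, current = {}, None
    for line in ldif.splitlines():
        if not line.strip():
            current = None              # blank line ends the entry
            continue
        if line.startswith(("#", " ")):
            continue                    # comments and folded continuation lines
        name, _, value = line.partition(":")
        value = value.lstrip(":").strip()
        if name.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None and value:
            current[name.lower()] = value
    return entries

def gtime(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_expiry(ldif, max_life_days):
    """Return (expiry, source); prefers the stored attribute over the estimate."""
    for dn, attrs in parse_entries(ldif).items():
        if ",cn=compat," in dn.lower():
            continue                    # compat entries show no krb* attributes in the thread
        if "krbpasswordexpiration" in attrs:
            return gtime(attrs["krbpasswordexpiration"]), "krbPasswordExpiration"
        if "krblastpwdchange" in attrs:
            estimate = gtime(attrs["krblastpwdchange"]) + timedelta(days=max_life_days)
            return estimate, "estimated"
    return None, "unknown"

def days_left(expiry, now):
    """Whole days remaining before expiry (negative once expired)."""
    return (expiry - now).days
```

The estimate is only as good as the policy value supplied; when krbPasswordExpiration is readable, the function returns that stored value instead.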
