Marc Schlinger wrote:
I'm doing bulk enrollment, with ipa-client-install -w mypassword .
But after this command when I launch #id test-user, I see in the kdc log
that the client key for my host principal has expired, and the command
This is because the host principal has the krbPasswordExpiration set to
the time at which the client joined.
Am I missing a step or is this behaviour not normal?
I see the krbPasswordExpiration attribute getting set as you describe,
which is probably a side-effect from having a userPassword defined. I'll
see if I can remove this.
Otherwise I can't duplicate this behavior. My host principal is
technically expired but sssd works fine and I can kinit as the principal
and use it against the management framework:
# kinit -kt /etc/krb5.keytab host/panther.example.com
# getent passwd admin
# id admin
uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
# ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Taskgroups: managereplica, deletereplica
Freeipa-users mailing list