Marc Schlinger wrote:
hello all,

I'm doing bulk enrollment with ipa-client-install -w mypassword.

But after this command when I launch #id test-user, I see in the kdc log that the client key for my host principal has expired, and the command fails.

This is because the host principal has the krbPasswordExpiration set to the time at which the client joined.

Am I missing a step or is this behaviour not normal?

I see the krbPasswordExpiration attribute getting set as you describe, which is probably a side-effect from having a userPassword defined. I'll see if I can remove this.

Otherwise I can't duplicate this behavior. My host principal is technically expired but sssd works fine and I can kinit as the principal and use it against the management framework:

# kinit -kt /etc/krb5.keytab host/
# getent passwd admin
# id admin
uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Groups: admins
  Rolegroups: replicaadmin
  Taskgroups: managereplica, deletereplica
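Two checks that go with the behaviour described in this thread, added here as an example and not code from the thread or from FreeIPA itself: read the krbPasswordExpiration of a host entry (as returned by an ldapsearch of the host object) and decide whether it is already in the past, and pull the principals that the KDC log rejected with CLIENT KEY EXPIRED. The LDIF record, hostnames, realm, addresses and timestamps below are constructed; only the "CLIENT KEY EXPIRED" wording is MIT krb5's own status string.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a host entry as an ldapsearch over the IPA tree might
# return it (dn and value invented; not taken from the thread).
SAMPLE_HOST_LDIF = """\
dn: fqdn=client.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20100615120000Z
"""

# Constructed KDC log lines: one AS_REQ refused because the client key expired,
# one normal ticket issue. Hosts, realm, addresses and times are invented.
SAMPLE_KDC_LOG = """\
Jun 15 12:00:01 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: host/client.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jun 15 12:00:05 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1276603205, etypes {rep=18 tkt=18 ses=18}, host/other.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# LDAP GeneralizedTime as stored in krbPasswordExpiration (always UTC, "Z" suffix).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_expiration(ldif):
    """Return krbPasswordExpiration as an aware UTC datetime, or None if the entry has none."""
    m = re.search(r"^krbPasswordExpiration:\s*(\d{14}Z)\s*$", ldif, re.MULTILINE)
    if not m:
        return None
    return datetime.strptime(m.group(1), GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def is_expired(ldif, now):
    """True when the entry carries an expiration that is at or before `now`."""
    exp = parse_expiration(ldif)
    return exp is not None and exp <= now


def expired_principals(kdc_log):
    """Principals the KDC refused with CLIENT KEY EXPIRED, in log order, without repeats."""
    seen = []
    for line in kdc_log.splitlines():
        m = re.search(r"CLIENT KEY EXPIRED: (\S+) for ", line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


if __name__ == "__main__":
    now = datetime(2010, 6, 15, 12, 30, tzinfo=timezone.utc)  # constructed "current" time
    print("host entry expired:", is_expired(SAMPLE_HOST_LDIF, now))
    print("principals refused by the KDC:", expired_principals(SAMPLE_KDC_LOG))
```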


Freeipa-users mailing list