Rob Crittenden wrote:
Marc Schlinger wrote:
Hello all,

I'm doing bulk enrollment with ipa-client-install -w mypassword.

But after this command, when I launch # id test-user, I see in the KDC log that the client key for my host principal has expired, and the command fails.

This is because the host principal has krbPasswordExpiration set to the time at which the client joined.

Am I missing a step, or is this behaviour not normal?

I see the krbPasswordExpiration attribute getting set as you describe, which is probably a side-effect from having a userPassword defined. I'll see if I can remove this.

Otherwise I can't duplicate this behavior. My host principal is technically expired, but sssd works fine and I can kinit as the principal and use it against the management framework:

# kinit -kt /etc/krb5.keytab host/panther.example.com
# getent passwd admin
admin:*:1881057830:1881057830:Administrator:/home/admin:/bin/bash
# id admin
uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Groups: admins
  Rolegroups: replicaadmin
  Taskgroups: managereplica, deletereplica

rob

Ok, I figured out why the expiration date was getting set. We have a pre-bind function that we use for migrating users imported from an LDAP server. The idea is that the first time you bind with your LDAP password, it will create Kerberos credentials for you if they don't exist.

We don't want to execute this when a host is enrolling with a one-time password. I added some code so it skips this in the case of a host principal. See ipa-devel for the patch.

rob
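The following is an added example, not code from this thread or from FreeIPA itself. It shows, in plain Python over a few constructed LDAP-style entries, the two things Rob describes: how to spot host entries whose krbPasswordExpiration has already passed (the symptom Marc hit), and the decision his fix adds, namely that a migration pre-bind hook only acts on user principals and skips host/ principals. The entry layout, the DN shapes and the helper names are assumptions made for the example; krbPasswordExpiration is taken to be in the usual LDAP GeneralizedTime form (YYYYmmddHHMMSSZ, UTC).

```python
"""
Added example (not from the thread or FreeIPA): an offline check over
constructed LDAP-style entries. It identifies host principals by their
krbPrincipalName prefix, flags any whose krbPasswordExpiration is already
in the past, and shows the pre-bind decision from Rob's fix: only user
principals get "create Kerberos credentials on first LDAP bind" treatment.
"""
from datetime import datetime, timezone

# Constructed sample entries, modelled on the attributes named in the thread.
# Times are LDAP GeneralizedTime (YYYYmmddHHMMSSZ), always UTC.
SAMPLE_ENTRIES = [
    {
        "dn": "fqdn=panther.example.com,cn=computers,cn=accounts,dc=example,dc=com",
        "krbPrincipalName": "host/panther.example.com@EXAMPLE.COM",
        "krbPasswordExpiration": "20100301120000Z",  # set at join time (the bug)
    },
    {
        "dn": "fqdn=lion.example.com,cn=computers,cn=accounts,dc=example,dc=com",
        "krbPrincipalName": "host/lion.example.com@EXAMPLE.COM",
        # no krbPasswordExpiration: enrolled after the pre-bind hook was fixed
    },
    {
        "dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
        "krbPrincipalName": "admin@EXAMPLE.COM",
        "krbPasswordExpiration": "20100301120000Z",  # a user: expected to have one
    },
]


def parse_generalized_time(value: str) -> datetime:
    """Parse the 'YYYYmmddHHMMSSZ' form of LDAP GeneralizedTime into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_host_principal(principal: str) -> bool:
    """True for host/<fqdn>@REALM principals, i.e. the ones enrolled with a one-time password."""
    return principal.split("@", 1)[0].startswith("host/")


def should_run_migration_prebind(principal: str) -> bool:
    """The decision Rob's fix adds: skip the migration pre-bind hook for host principals.

    The hook's job (create Kerberos credentials on first LDAP-password bind)
    only makes sense for users migrated from another LDAP server.
    """
    return not is_host_principal(principal)


def expired_host_principals(entries, now: datetime) -> list:
    """Return krbPrincipalNames of host entries whose krbPasswordExpiration is at or before `now`."""
    found = []
    for entry in entries:
        principal = entry.get("krbPrincipalName", "")
        if not is_host_principal(principal):
            continue
        raw = entry.get("krbPasswordExpiration")
        if raw is None:
            continue  # no expiration set: enrolment did not trip the side-effect
        if parse_generalized_time(raw) <= now:
            found.append(principal)
    return found


if __name__ == "__main__":
    # Constructed "current" time so the sample data gives a deterministic result.
    now = parse_generalized_time("20100302000000Z")
    for p in expired_host_principals(SAMPLE_ENTRIES, now):
        print(f"host principal with expired krbPasswordExpiration: {p}")
    for p in ("host/panther.example.com@EXAMPLE.COM", "admin@EXAMPLE.COM"):
        print(f"{p}: run migration pre-bind = {should_run_migration_prebind(p)}")
```

Run against a real directory, the same `expired_host_principals` loop would take the entries returned by an LDAP search under cn=computers; here the list is embedded so the check runs offline.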

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users