Rob Crittenden wrote:
Marc Schlinger wrote:
I'm doing bulk enrollment, with ipa-client-install -w mypassword .
But after this command when I launch #id test-user, I see in the kdc
log that the client key for my host principal has expired, and the
This is because the host principal has the krbPasswordExpiration set
to the time at wich the client join.
Am'I missing a step or is this behaviour not normal?
I see the krbPasswordExpiration attribute getting set as you describe,
which is probably a side-effect from having a userPassword defined. I'll
see if I can remove this.
Otherwise I can't duplicate this behavior. My host principal is
technically expired but sssd works fine and I can kinit as the prinicpal
and use it against the management framework:
# kinit -kt /etc/krb5.keytab host/panther.example.com
# getent passwd admin
# id admin
uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
# ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Taskgroups: managereplica, deletereplica
Ok, I figured out why the expiration date was getting set. We have a
pre-bind function that we use for migrating users imported from an LDAP
server. The idea is that the first time you bind with your LDAP password
it will create kerberos credentials for you if they don't exist.
We don't want to execute this when a host is enrolling with a one-time
password. I added some code so it skips this in the case of a host
principal. See ipa-devel for the patch.
Freeipa-users mailing list