Just experienced some weird behaviour on my Fedora 17 installation, just
wanted to check if this was expected.
I have the default config that requires a user to change their password
the first time they run kinit.
However I created a user and immediately used ipa-getkeytab as this user
will be a non-interactive process, despite the ipa-getkeytab resetting
the secret for the user the first attempt at authentication failed as
the user was still told to change their password.
My expectation would have been that any update to the secret should meet
the requirement for the user to change their password.
Freeipa-users mailing list