On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
> Just experienced some weird behaviour on my Fedora 17 installation,
> just wanted to check if this was expected.
> I have the default config that requires a user to change their
> password the first time they run kinit.
> However I created a user and immediately used ipa-getkeytab as this
> user will be a non-interactive process, despite the ipa-getkeytab
> resetting the secret for the user the first attempt at authentication
> failed as the user was still told to change their password.
I do not think we have anticipated this use. The ipa-getkeytab is
designed for host and service keytabs, not for users. I suggest that
you use a service principal rather than a user principal to run those jobs.
You can also file an RFE to allow keytabs for users if you think that
services would not work for you.
> My expectation would have been that any update to the secret should
> meet the requirement for the user to change their password.
> Darran Lofthouse.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.