On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
> Just experienced some weird behaviour on my Fedora 17 installation,
> just wanted to check if this was expected.
>
> I have the default config that requires a user to change their
> password the first time they run kinit.
>
> However I created a user and immediately used ipa-getkeytab as this
> user will be a non-interactive process, despite the ipa-getkeytab
> resetting the secret for the user the first attempt at authentication
> failed as the user was still told to change their password.
>


I do not think we have anticipated this use. The ipa-getkeytab is
designed for the host and services keytabs not for users. I suggest that
use a service principal rather than a user principal to run those jobs.
You can also file an RFE to allow keytabs for users if you think that
services would not work for you.

> My expectation would have been that any update to the secret should
> meet the requirement for the user to change their password.
>
> Regards,
> Darran Lofthouse.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to