On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
>> Just experienced some weird behaviour on my Fedora 17 installation,
>> just wanted to check if this was expected.
>> I have the default config that requires a user to change their
>> password the first time they run kinit.
>> However, I created a user and immediately used ipa-getkeytab, as this
>> user will be a non-interactive process. Despite ipa-getkeytab
>> resetting the secret for the user, the first attempt at authentication
>> failed, as the user was still told to change their password.
> I do not think we have anticipated this use. The ipa-getkeytab is
> designed for the host and services keytabs, not for users. I suggest that
> you use a service principal rather than a user principal to run those jobs.
> You can also file an RFE to allow keytabs for users if you think that
> services would not work for you.
>> My expectation would have been that any update to the secret should
>> meet the requirement for the user to change their password.
I'm not sure if you went further with this, but if you do change the
password through other means, you will then be able to get a copy of
the keytab for the user with ipa-getkeytab. I tried it out because the
thought of not being able to get a keytab for a user was concerning. I
agree that the service keytabs make more sense for these instances (I
was also told this by Simo in another thread), but I keep being told
by the application people that I need to use a user principal, which,
Freeipa-users mailing list
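The procedure Dmitri recommends above (a service principal instead of a user principal for a non-interactive job), written out as an added example; this is not code from the thread or from the FreeIPA project. The host name jobhost.example.com, the service name batch, the IPA server ipa.example.com and the keytab path /etc/batch.keytab are placeholders, and the host is assumed to be already enrolled. The script needs an admin ticket (kinit admin) to run for real; with IPA_DRY_RUN=1 it only prints the commands it would run.

```bash
#!/bin/sh
# Provision a keytab for a non-interactive job using a service principal,
# as suggested in the thread, and verify it with kinit -kt.
# Placeholder values (assumptions, override via environment):
IPA_HOST="${IPA_HOST:-jobhost.example.com}"      # enrolled client host
IPA_SERVICE="${IPA_SERVICE:-batch}"              # service name
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"      # KDC / IPA master
IPA_KEYTAB="${IPA_KEYTAB:-/etc/batch.keytab}"    # where the keys land

# Run a command, or print it when IPA_DRY_RUN=1 is set.
run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kerberos service principals take the form service/host (realm implied).
service_principal() {
    echo "${IPA_SERVICE}/${IPA_HOST}"
}

# 1. Register the service principal. Requires an admin ticket and an
#    existing host entry for IPA_HOST.
create_service() {
    run ipa service-add "$(service_principal)"
}

# 2. Retrieve its keytab. ipa-getkeytab generates fresh keys, stores them
#    in the KDC and writes them to IPA_KEYTAB. A service principal has no
#    "must change password at first login" requirement to trip over.
fetch_keytab() {
    run ipa-getkeytab -s "$IPA_SERVER" -p "$(service_principal)" -k "$IPA_KEYTAB"
}

# 3. Verify non-interactive authentication from the keytab; this is the
#    step that failed for the user principal described in the thread.
verify_keytab() {
    run kinit -kt "$IPA_KEYTAB" "$(service_principal)" &&
    run klist -k "$IPA_KEYTAB"
}

main() {
    create_service && fetch_keytab && verify_keytab
}

# Only act when the IPA client tools are present or a dry run was requested.
if ! command -v ipa >/dev/null 2>&1 && [ "${IPA_DRY_RUN:-0}" != "1" ]; then
    echo "ipa client tools not found; set IPA_DRY_RUN=1 to preview the commands" >&2
else
    main
fi
```

The keytab file is as sensitive as a password: restrict it to the job's service account (chmod 600, owned by that account) and rotate it by re-running ipa-getkeytab, which invalidates the previous keys.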