On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal <d...@redhat.com> wrote:
> > On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
> >> Just experienced some weird behaviour on my Fedora 17 installation,
> >> just wanted to check if this was expected.
> >>
> >> I have the default config that requires a user to change their
> >> password the first time they run kinit.
> >>
> >> However, I created a user and immediately used ipa-getkeytab, as this
> >> user will be a non-interactive process. Despite ipa-getkeytab
> >> resetting the secret for the user, the first attempt at authentication
> >> failed, as the user was still told to change their password.
> >>
> >
> > I do not think we have anticipated this use. The ipa-getkeytab is
> > designed for the host and service keytabs, not for users. I suggest that
> > you use a service principal rather than a user principal to run those jobs.
> > You can also file an RFE to allow keytabs for users if you think that
> > services would not work for you.
> >
> >> My expectation would have been that any update to the secret should
> >> meet the requirement for the user to change their password.
>
> Darran-
>
> I'm not sure if you went further with this, but if you do change the
> password through other means, you then will be able to get a copy of
> the keytab for the user with ipa-getkeytab. I tried it out because the
> thought of not being able to get a keytab for a user was concerning. I
> agree that the service keytabs make more sense for these instances (I
> was also told this by Simo in another thread), but I keep being told
> by the application people that I need to use a user principal, which,
> thankfully, works.

Ask them why, I am curious about the requirement.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users