Re: [Freeipa-users] How to change krbPasswordExpiration for service accounts

Tue, 02 Jul 2013 06:34:56 -0700 

Vitaly wrote:

if you want that the password never expires for some users you should
created a password policy where the password never expires and assign
the policy to the users.

Thank you, Sumit.
As far as I understand, I need to tweak krbPasswordExpiration anyway
if password was changed before password policy was applied.


From another side, I have a weird issue with password policy:


#ipa user-show  serviceinvoker  --all
....
   Member of groups: ...., services

#ipa pwpolicy-show services
   Group: services

But
# ipa pwpolicy-show --user serviceinvoker
   Group: global_policy
Curious. We'd need to see more details of the password policy, priority for example. 

Does this show the right policy?

ipa user-show --all serviceinvoker |grep krbpwdpolicyreference



On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <sb...@redhat.com> wrote:

On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:

I already read
https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
but I am not sure I understand suggested solution.
So my question - how I can change krbPasswordExpiration for certain account?

ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z


if you want that the password never expires for some users you should
created a password policy where the password never expires and assign
the policy to the users.

See 'ipa help pwpolicy' for more details.

HTH

bye,
Sumit


returns

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=service,cn=users,cn=accounts,dc=example,dc=com'.

TIA,
Vitaly



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to