hi alexander,

ity would be good anyway to have a script that checks all hosts that
have not enrolled yet how old the issued password is (even after
expiration). very useful to spot the state of ongoing deployments and
to spot problems. how can one obtain the creation time of the
password? fetch the timestamp from LDAP or is there a nice ipa API for
Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.

ipa host-show host.name --all --raw

will give you their values.

# ipa host-show `hostname` --all --raw |grep krbLast
   krbLastPwdChange: 20140213123016Z
   krbLastSuccessfulAuth: 20140325073031Z

this does not seem to work on a host that has the random password set (or set a few times), but no keytab was created or other form of authentication:
ipa host-show test.test --all --raw |grep -E 'krb|has_'
  has_password: True
  has_keytab: False
  krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
  krbPrincipalName: host/test.test@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal

(this is freeipa 3.3.3 on rhel7 beta)


Freeipa-users mailing list

Reply via email to