this does not seem to work on a host that has the random password set
(or set a few times), but no keytab was created or other form of
ity would be good anyway to have a script that checks all hosts that
have not enrolled yet how old the issued password is (even after
expiration). Very useful to spot the state of ongoing deployments and
to spot problems. How can one obtain the creation time of the
password? Fetch the timestamp from LDAP or is there a nice ipa API for
Since a host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.
ipa host-show host.name --all --raw
will give you their values.
# ipa host-show `hostname` --all --raw |grep krbLast
ipa host-show test.test --all --raw |grep -E 'krb|has_'
(this is freeipa 3.3.3 on rhel7 beta)
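Added example, not part of the thread or of FreeIPA itself: a sketch of the check asked for above, which reads the text printed by `ipa host-show <host> --all --raw`, flags hosts that have a password but no keytab, and reports the age of krbLastPwdChange, including the case where that attribute is missing. Assumptions: the raw output carries `has_keytab` / `has_password` as True/False and krbLastPwdChange as a UTC GeneralizedTime value; the sample outputs and host names are constructed.

```python
from datetime import datetime, timezone

# Constructed samples of `ipa host-show <host> --all --raw` output (not from the thread).
SAMPLE_PENDING = """\
  dn: fqdn=test.test,cn=computers,cn=accounts,dc=example,dc=test
  fqdn: test.test
  krbLastPwdChange: 20140110093000Z
  has_keytab: False
  has_password: True
"""
SAMPLE_NO_TIMESTAMP = """\
  fqdn: new.test
  has_keytab: False
  has_password: True
"""

def parse_raw(text):
    """Turn 'attr: value' lines into a dict keyed by lower-cased attribute name."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs

def is_true(value):
    # Assumed format: booleans printed as True/False (any case).
    return (value or "").lower() == "true"

def otp_status(text, now):
    """Return (state, age_days) for one host.
    state: 'enrolled', 'pending' (password set, no keytab) or 'no-credentials'.
    age_days is None when krbLastPwdChange is absent from the output."""
    a = parse_raw(text)
    if is_true(a.get("has_keytab")):
        return ("enrolled", None)
    if not is_true(a.get("has_password")):
        return ("no-credentials", None)
    stamp = a.get("krblastpwdchange")
    if stamp is None:
        return ("pending", None)  # password set, but no change time recorded
    changed = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return ("pending", (now - changed).days)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for sample in (SAMPLE_PENDING, SAMPLE_NO_TIMESTAMP):
        print(otp_status(sample, now))
```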