Stijn De Weirdt wrote:
hi alexander,

it would be good anyway to have a script that checks all hosts that
have not enrolled yet how old the issued password is (even after
expiration). very useful to spot the state of ongoing deployments and
to spot problems. how can one obtain the creation time of the
password? fetch the timestamp from LDAP or is there a nice ipa API for
Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.

ipa host-show --all --raw

will give you their values.

# ipa host-show `hostname` --all --raw |grep krbLast
   krbLastPwdChange: 20140213123016Z
   krbLastSuccessfulAuth: 20140325073031Z

this does not seem to work on a host that has the random password set
(or set a few times), but no keytab was created or other form of
ipa host-show test.test --all --raw |grep -E 'krb|has_'
  has_password: True
  has_keytab: False
  krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
  krbPrincipalName: host/test.test@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal

(this is freeipa 3.3.3 on rhel7 beta)

Right, because it doesn't have Kerberos credentials yet, just a password. We apparently don't set any dates when setting only the host password. Which also means password policy probably wouldn't apply correctly even if you were able to set one. And I guess the question is, should we?

If so we'd need to always add the krbPrincipalAux objectclass and set this value in the password plugin.
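The check Stijn asks for, as an added example that is not part of this thread or of FreeIPA itself: it parses the attribute listing that `ipa host-show <fqdn> --all --raw` prints (the format shown above), computes the password age from `krbLastPwdChange` where that attribute exists, and reports the case from the second message, a host with `has_password: True` and `has_keytab: False` but no `krbLastPwdChange` at all, as "age unknown" rather than silently skipping it. The two host listings and the reference time are constructed sample data; the `fetch_raw` helper is an assumed wrapper around the real `ipa host-show` command and is not called in the offline run.

```python
"""Classify FreeIPA hosts by enrollment state and password age.

Added example, not code from the thread or from FreeIPA. It works on the
text that `ipa host-show <fqdn> --all --raw` prints and never contacts a
server unless fetch_raw() is called explicitly.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample: what `ipa host-show --all --raw` printed for two hosts.
# The second mirrors the thread's case of a password-only, unenrolled host.
SAMPLE_OUTPUT = {
    "enrolled.example.test": """\
  fqdn: enrolled.example.test
  has_keytab: True
  has_password: False
  krbLastPwdChange: 20140213123016Z
  krbLastSuccessfulAuth: 20140325073031Z
  krbPrincipalName: host/enrolled.example.test@EXAMPLE.TEST
""",
    "test.test": """\
  fqdn: test.test
  has_password: True
  has_keytab: False
  krbPrincipalName: host/test.test@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal
""",
}

# Constructed reference time for the offline run; use datetime.now(timezone.utc) live.
NOW = datetime(2014, 3, 25, 12, 30, 16, tzinfo=timezone.utc)


def fetch_raw(fqdn):
    """Assumed wrapper: run `ipa host-show <fqdn> --all --raw` and return its stdout."""
    return subprocess.run(["ipa", "host-show", fqdn, "--all", "--raw"],
                          check=True, capture_output=True, text=True).stdout


def parse_raw(text):
    """Turn `--raw` output lines into {attr: [values]}; attributes may repeat (objectClass)."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key, []).append(value)
    return attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime as FreeIPA prints it (YYYYmmddHHMMSSZ) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(attrs, now):
    """Return the host's credential state and its password age in days (None if unknown)."""
    has_keytab = attrs.get("has_keytab", ["False"])[0] == "True"
    has_password = attrs.get("has_password", ["False"])[0] == "True"
    if has_keytab:
        state = "enrolled"
    elif has_password:
        state = "password-only"
    else:
        state = "no-credentials"
    age_days = None
    if "krbLastPwdChange" in attrs:
        age_days = (now - parse_generalized_time(attrs["krbLastPwdChange"][0])).days
    return {"state": state, "password_age_days": age_days}


def report(outputs, now, max_age_days=30):
    """One row per host; flag unenrolled password-only hosts with a stale or unknown OTP age."""
    rows = []
    for fqdn, text in outputs.items():
        info = classify(parse_raw(text), now)
        age = info["password_age_days"]
        flagged = info["state"] == "password-only" and (age is None or age > max_age_days)
        rows.append({"fqdn": fqdn, "flagged": flagged, **info})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_OUTPUT, NOW):
        age = "unknown" if row["password_age_days"] is None else "%d days" % row["password_age_days"]
        mark = "!!" if row["flagged"] else "  "
        print("%s %-25s %-14s password age: %s" % (mark, row["fqdn"], row["state"], age))
```

To run it against a live server, build `outputs` from `{fqdn: fetch_raw(fqdn) for fqdn in hosts}` with the host list taken from `ipa host-find`, and pass `datetime.now(timezone.utc)` as `now`. The "age unknown" rows are exactly the hosts the thread is about: on this FreeIPA version a host that only had its one-time password set carries no `krbLastPwdChange`, so the age cannot be read from the host entry and those hosts need a separate look.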


Freeipa-users mailing list