Stijn De Weirdt wrote:
ity would be good anyway to have a script that checks all hosts that
have not enrolled yet how old the issued password is (even after
expiration). Very useful to spot the state of ongoing deployments and
to spot problems. How can one obtain the creation time of the
password? Fetch the timestamp from LDAP, or is there a nice ipa API for
Since a host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.
ipa host-show host.name --all --raw
will give you their values.
# ipa host-show `hostname` --all --raw |grep krbLast
This does not seem to work on a host that has the random password set
(or set a few times), but no keytab was created or other form of
ipa host-show test.test --all --raw |grep -E 'krb|has_'
(this is freeipa 3.3.3 on rhel7 beta)
Right, because it doesn't have Kerberos credentials yet, just a
password. We apparently don't set any dates when setting only the host
password. Which also means password policy probably wouldn't apply
correctly even if you were able to set one. And I guess the question is,
If so we'd need to always add the krbPrincipalAux objectclass and set
this value in the password plugin.
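As an added example (not code from the thread or from FreeIPA itself), this script parses `ipa host-show --all --raw` output and reports each host's enrollment state and password age, treating a missing krbLastPwdChange as "unknown" so password-only hosts show up as the gap the thread describes. The sample records, attribute-name casing in --raw output and the `has_keytab`/`has_password` values are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample records imitating `ipa host-show <fqdn> --all --raw`;
# attribute names/casing are assumed, not captured from a real server.
ENROLLED = """\
  dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
  fqdn: web1.example.test
  krbprincipalname: host/web1.example.test@EXAMPLE.TEST
  krblastpwdchange: 20140110120000Z
  krblastsuccessfulauth: 20140111080000Z
  has_keytab: True
  has_password: False
"""
PASSWORD_ONLY = """\
  dn: fqdn=db1.example.test,cn=computers,cn=accounts,dc=example,dc=test
  fqdn: db1.example.test
  has_keytab: False
  has_password: True
"""

# LDAP GeneralizedTime as used by krbLastPwdChange: YYYYMMDDhhmmssZ
GENERALIZED_TIME = re.compile(r"^(\d{14})Z$")

def parse_raw(output):
    """Turn --raw output into a dict of lowercased attribute -> value."""
    attrs = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs

def parse_generalized_time(value):
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError("unexpected timestamp format: %r" % value)
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return ts.replace(tzinfo=timezone.utc)

def classify(attrs, now):
    """Return (state, password age in days or None) for one host record."""
    if attrs.get("has_keytab") == "True":
        state = "enrolled"
    elif attrs.get("has_password") == "True":
        state = "password-only"
    else:
        state = "no-credentials"
    ts = attrs.get("krblastpwdchange")
    age = (now - parse_generalized_time(ts)).days if ts else None
    return state, age

def report(records, now):
    """One summary line per host; flags hosts whose password age is unknowable."""
    lines = []
    for raw in records:
        attrs = parse_raw(raw)
        state, age = classify(attrs, now)
        age_text = "%d days" % age if age is not None else "unknown (no krbLastPwdChange)"
        lines.append("%s: %s, password age %s" % (attrs["fqdn"], state, age_text))
    return lines
```

In a real deployment the records would come from running `ipa host-show` for each host returned by `ipa host-find`, with `now` taken from the clock.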
Freeipa-users mailing list