On Fri, 2016-01-08 at 15:49 +0100, bahan w wrote:
> Thank you for your answer, I forgot to re-add Freeipa-users mailing list.
> So I cannot modify the userPassword only and when I generate a keytab with
> ipa-getkeytab it doesn't update the userPassword.
> Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
> solved in a newer version of IPA ?
this is a behavior of the older getkeytab control, that is in used in
RHEL6 (ipa 3.x versions). Due to the way this operation was built we do
not get a clear text password on the server so we can't generate
In ipa4.x a better control has been introduced and userPassword is also
updated (as well as password policies are enforced) when a user uses
On older server what you can do to keep using a password as well as a
keytab is to first set the password with kpasswd and the use
ipa-getkeytab with the same password to store a keytab. This should
leave things in sync IIRC.
> Best regards.
> On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy <aboko...@redhat.com>
> > On Fri, 08 Jan 2016, bahan w wrote:
> >> Hello Alexander.
> >> Thank you for your answer.
> > Please don't ask in private, use freeipa-users@ mailing list.
> > Is there a way to modify the field userPassword only ?
> >> Do you know if ldappasswd modify something else ?
> > There is no way to modify userPassword attribute only. When you are
> > modifying userPassword attribute in FreeIPA, IPA's password plugin will
> > update all other password attributes, if there are any.
> > --
> > / Alexander Bokovoy
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Simo Sorce * Red Hat, Inc * New York
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project