On 25/10/2016 10:50, Prasun Gera wrote:
When is principal expiration triggered ? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with kerberos.
It doesn't show it unless it has been set. You can set it like this:

# ipa help user-mod
                        Kerberos principal expiration

(This is from IPA under CentOS 7. Older versions might not have this feature at all).

And as you and David said earlier, if the principal expires, kinit shouldn't work either, right ?

Yes I agree. I have just tried setting krbPasswordExpiration to a very old time, using ldapmodify.

# ldapmodify -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20010101000000Z


But this works for me:

$ sudo -s

[sudo] password for bcandler:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:


But actually, I didn't try the web UI with an expired password yet. I'll try that later.



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to