Hello.
Earlier this year I tried to re-implement a "password expiration
warning" email when using IPA 4.x. I hit a wall and ended up deciding to
look at this later. Now is later :)
The plan is to use ldapsearch to check for krbLastPwdChange and compare
it to krbPasswordExpiration, but these attributes seem to be hidden
unless one is authenticating (through Kerberos?).
This is with RHEL 7 and IPA 4.2.0.
I have done:
# ipa service-add PWDREMIND/script.host.fqdn
# ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn
...and I have a file /etc/gssproxy/pwdremind.keytab
I added a section to /etc/gssproxy/gssproxy.conf :
[service/PWDREMIND]
mechs = krb5
cred_store = client_keytab:/etc/gssproxy/pwdremind.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
cred_usage = initiate
euid = 0
debug = true
In my "pwdcheck.sh" script I have the following:
#!/bin/bash
export GSS_USE_PROXY="yes"

# Search base for IPA user accounts
BASE="cn=users,cn=accounts,dc=example,dc=net"

# LDAP GeneralizedTime bounds: last change at least a week ago,
# expiration within the coming week (YYYYMMDDHHMMSSZ)
changed_before="$(date +%Y%m%d --date='-1 week')000000Z"
expires_before="$(date +%Y%m%d --date='+1 week')000000Z"

# First search: uids of unlocked accounts in the window
ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b "$BASE" \
  "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=${changed_before})(krbPasswordExpiration<=${expires_before}))" uid \
  | grep '^uid:' | cut -d: -f2 | while read -r uid
do
  # Second search, per user: the mail attribute
  ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b "$BASE" "uid=${uid}" mail \
    | grep '^mail:' | cut -d: -f2 | while read -r mail
  do
    echo "password expires in less than a week: username=$uid mail=$mail"
  done
done
Checking the journalctl for gssproxy I get:
Dec 23 11:36:35 script.host.fqdn gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Dec 23 11:36:35 script.host.fqdn gssproxy[26976]: gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Does anyone see where things are going wrong here or have some
suggestions on what I should try?
Regards
Eivind Olsen
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
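The post's script runs one ldapsearch per user and scrapes the output with grep/cut, which breaks as soon as ldapsearch emits a base64-encoded value (`mail:: ...`) or folds a long line. The following is an added example, not code from the post or from the FreeIPA project, showing how the same check looks with a single query (requesting uid, mail, nsAccountLock and krbPasswordExpiration together) and a small LDIF reader that handles folding and `::` values. It does not address the gssproxy credential problem the post is about; it only consumes what `ldapsearch -LLL` would print once the GSSAPI bind works. SAMPLE_LDIF is constructed data and the reference time EXAMPLE_NOW is an assumption chosen to match the date in the journal excerpt.

```python
#!/usr/bin/env python3
"""Find IPA users whose Kerberos password expires within a window.

Added example, not from the original post or from FreeIPA. Consumes the
LDIF that `ldapsearch -LLL ... uid mail nsAccountLock krbPasswordExpiration`
prints; SAMPLE_LDIF below is constructed sample data, not server output.
"""
import base64
from datetime import datetime, timedelta, timezone

# krbPasswordExpiration / krbLastPwdChange are LDAP GeneralizedTime in UTC
KRB_TIME_FMT = "%Y%m%d%H%M%SZ"

# Assumed reference time for the example (matches the journal date in the post)
EXAMPLE_NOW = datetime(2015, 12, 23, 11, 36, 35, tzinfo=timezone.utc)


def parse_krb_time(value):
    """'20151227120000Z' -> timezone-aware datetime in UTC."""
    return datetime.strptime(value, KRB_TIME_FMT).replace(tzinfo=timezone.utc)


def build_filter(now, window_days=7):
    """LDAP filter for unlocked users expiring within window_days.

    Same shape as the post's filter, but the deadline carries the full
    timestamp instead of a date with 000000Z appended.
    """
    deadline = (now + timedelta(days=window_days)).strftime(KRB_TIME_FMT)
    return f"(&(!(nsAccountLock=TRUE))(krbPasswordExpiration<={deadline}))"


def parse_ldif(text):
    """Minimal LDIF reader: unfolds space-continued lines, decodes '::'
    base64 values, returns one {attr: [values]} dict per entry with
    attribute names lower-cased. Attribute options (';binary') are ignored.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                      # ldapsearch comment line
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def expiring_users(ldif_text, now, window_days=7):
    """Return [(uid, mail, days_left, expired)] for unlocked users whose
    password expires on or before now + window_days, soonest first.
    days_left is whole days from now (negative once already expired)."""
    deadline = now + timedelta(days=window_days)
    hits = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:
            continue                      # 'search:'/'result:' trailer, not an entry
        if entry.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE":
            continue                      # locked; the filter excludes these too
        exp = entry.get("krbpasswordexpiration")
        if not exp:
            continue                      # no expiry set on this principal
        exp_at = parse_krb_time(exp[0])
        if exp_at > deadline:
            continue
        uid = entry["uid"][0]
        mail = entry.get("mail", [None])[0]
        hits.append((uid, mail, (exp_at - now).days, exp_at <= now))
    hits.sort(key=lambda h: h[2])
    return hits


# Constructed sample output: alice has a folded line, bob a base64 mail,
# carol is locked, dave is outside the one-week window.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=net
uid: alice
mail: alice@example
 .net
krbPasswordExpiration: 20151227120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=net
uid: bob
mail:: Ym9iQGV4YW1wbGUubmV0
krbPasswordExpiration: 20151220090000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=net
uid: carol
mail: carol@example.net
nsAccountLock: TRUE
krbPasswordExpiration: 20151224000000Z

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=net
uid: dave
mail: dave@example.net
krbPasswordExpiration: 20160301000000Z
"""

if __name__ == "__main__":
    print("filter:", build_filter(EXAMPLE_NOW))
    for uid, mail, days, expired in expiring_users(SAMPLE_LDIF, EXAMPLE_NOW):
        state = "EXPIRED" if expired else f"expires in {days} day(s)"
        print(f"{uid:<8} {mail:<24} {state}")
```

To use it against a live server, feed it the output of `ldapsearch -LLL -Y GSSAPI -h ipa.host.fqdn -b "cn=users,cn=accounts,dc=example,dc=net" "$(python3 -c 'from pwdcheck import *; print(build_filter(datetime.now(timezone.utc)))')" uid mail nsAccountLock krbPasswordExpiration` (module name assumed) via `sys.stdin.read()` in place of SAMPLE_LDIF; the `-z 500` size limit from the post still applies and should be raised or paged if the directory is larger.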