Hello.

Earlier this year I tried to re-implement a "password expiration warning" email when using IPA 4.x. I hit a wall and ended up deciding to look at this later. Now is later :)


The plan is to use ldapsearch to check for krbLastPwdChange and compare it to krbPasswordExpiration, but these attributes seem to be hidden unless one is authenticating (through Kerberos?).

This is with RHEL 7 and IPA 4.2.0.

I have done:

# ipa service-add PWDREMIND/script.host.fqdn
# ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf :

[service/PWDREMIND]
  mechs = krb5
  cred_store = client_keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  euid = 0
  debug = true

In my "pwdcheck.sh" script I have the following:

#!/bin/bash
export GSS_USE_PROXY="yes"

ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b cn=users,cn=accounts,dc=example,dc=net "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')000000Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')000000Z))" uid |grep ^uid|cut -d: -f2 |while read uid
do
ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b cn=users,cn=accounts,dc=example,dc=net "uid=${uid}" mail|grep ^mail|cut -d: -f2 | while read mail
    do
echo "password expires in less than a week: username=$uid mail=$mail"
    done
done

Checking the journalctl for gssproxy I get:

Dec 23 11:36:35 script.host.fqdn gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Dec 23 11:36:35 script.host.fqdn gssproxy[26976]: gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found

Does anyone see where things are going wrong here or have some suggestions on what I should try?

Regards
Eivind Olsen

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to