so the trick is to first login with the random password, it will prompt
to renew it, and with a new password set, you can retrieve a usable keytab.
stijn
>
> i'm trying to create a keytab for a user via FreeIPA
>
> user was added via ipa user-add --random; keytab retrieved using
> ipa-getkeytab (using admin credentials)
>
> klist -k list shows a number of entries for same KVNO
>
> however, i cannot get any credentials using kinit -kt
>
> it always returns:
> "kinit: Password has expired while getting initial credentials"
>
> ipa user-show gives
>> Account disabled: False
>> Password: True
> ...
>> Kerberos keys available: True
>
> what am i doing wrong? (i never used the original random password to
> try to get initial credentials for this user; i don't even kept it ;)
>
> many thanks,
>
> stijn
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project