Re: [Freeipa-users] How to change krbPasswordExpiration for service accounts
# ipa user-show --all serviceinvoker |grep krbpwdpolicyreference
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

On Tue, Jul 2, 2013 at 4:32 PM, Rob Crittenden wrote:
> Vitaly wrote:
>>>
>>> if you want that the password never expires for some users you should
>>> create a password policy where the password never expires and assign
>>> the policy to the users.
>>
>> Thank you, Sumit.
>> As far as I understand, I need to tweak krbPasswordExpiration anyway
>> if password was changed before password policy was applied.
>>
>> From another side, I have a weird issue with password policy:
>>
>> #ipa user-show serviceinvoker --all
>> Member of groups: , services
>>
>> #ipa pwpolicy-show services
>> Group: services
>>
>> But
>> # ipa pwpolicy-show --user serviceinvoker
>> Group: global_policy
>
> Curious. We'd need to see more details of the password policy, priority for
> example.
>
> Does this show the right policy?
>
> ipa user-show --all serviceinvoker |grep krbpwdpolicyreference
>
>> On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose wrote:
>>> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>>>> I already read
>>>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
>>>> but I am not sure I understand suggested solution.
>>>> So my question - how I can change krbPasswordExpiration for certain account?
>>>>
>>>> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z
>>>
>>> if you want that the password never expires for some users you should
>>> create a password policy where the password never expires and assign
>>> the policy to the users.
>>>
>>> See 'ipa help pwpolicy' for more details.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>>
>>>> returns
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'krbPasswordExpiration' attribute of entry
>>>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>>>
>>>> TIA,
>>>> Vitaly

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How to change krbPasswordExpiration for service accounts
Vitaly wrote:
>>
>> if you want that the password never expires for some users you should
>> create a password policy where the password never expires and assign
>> the policy to the users.
>
> Thank you, Sumit.
> As far as I understand, I need to tweak krbPasswordExpiration anyway
> if password was changed before password policy was applied.
>
> From another side, I have a weird issue with password policy:
>
> #ipa user-show serviceinvoker --all
> Member of groups: , services
>
> #ipa pwpolicy-show services
> Group: services
>
> But
> # ipa pwpolicy-show --user serviceinvoker
> Group: global_policy

Curious. We'd need to see more details of the password policy, priority for
example.

Does this show the right policy?

ipa user-show --all serviceinvoker |grep krbpwdpolicyreference

> On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose wrote:
>> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>>> I already read
>>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
>>> but I am not sure I understand suggested solution.
>>> So my question - how I can change krbPasswordExpiration for certain account?
>>>
>>> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z
>>
>> if you want that the password never expires for some users you should
>> create a password policy where the password never expires and assign
>> the policy to the users.
>>
>> See 'ipa help pwpolicy' for more details.
>>
>> HTH
>>
>> bye,
>> Sumit
>>>
>>> returns
>>>
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>> 'krbPasswordExpiration' attribute of entry
>>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>>
>>> TIA,
>>> Vitaly
Re: [Freeipa-users] How to change krbPasswordExpiration for service accounts
> if you want that the password never expires for some users you should
> create a password policy where the password never expires and assign
> the policy to the users.

Thank you, Sumit.
As far as I understand, I need to tweak krbPasswordExpiration anyway
if password was changed before password policy was applied.

From another side, I have a weird issue with password policy:

#ipa user-show serviceinvoker --all
Member of groups: , services

#ipa pwpolicy-show services
Group: services

But
# ipa pwpolicy-show --user serviceinvoker
Group: global_policy

On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose wrote:
> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>> I already read
>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
>> but I am not sure I understand suggested solution.
>> So my question - how I can change krbPasswordExpiration for certain account?
>>
>> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z
>
> if you want that the password never expires for some users you should
> create a password policy where the password never expires and assign
> the policy to the users.
>
> See 'ipa help pwpolicy' for more details.
>
> HTH
>
> bye,
> Sumit
>>
>> returns
>>
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>> 'krbPasswordExpiration' attribute of entry
>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>
>> TIA,
>> Vitaly
Re: [Freeipa-users] How to change krbPasswordExpiration for service accounts
On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
> I already read
> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
> but I am not sure I understand suggested solution.
> So my question - how I can change krbPasswordExpiration for certain account?
>
> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z

if you want that the password never expires for some users you should
create a password policy where the password never expires and assign
the policy to the users.

See 'ipa help pwpolicy' for more details.

HTH

bye,
Sumit

>
> returns
>
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'krbPasswordExpiration' attribute of entry
> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>
> TIA,
> Vitaly
Re: [Freeipa-users] How to change krbPasswordExpiration for service accounts
> I already read
> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html
> thread, but I am not sure I understand suggested solution.
> So my question - how I can change krbPasswordExpiration for certain account?
>
> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z
>
> returns
>
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'krbPasswordExpiration' attribute
> of entry
> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.

Sorry, my bad, please ignore - ldapmodify workaround works,
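The ldapmodify workaround mentioned in the message above, together with the krbpwdpolicyreference check Rob asks for elsewhere in the thread, as an added shell example that is not from any poster: it extracts the referenced policy name and builds the LDIF that replaces krbPasswordExpiration on one entry. The DN layout and timestamp are the ones quoted in the thread; the bind DN cn=Directory Manager, the -ZZ (StartTLS) flag and the host ipa.example.com are assumptions.

```shell
#!/bin/sh
# Added example. DN layout and timestamp come from the thread; the bind DN,
# -ZZ (StartTLS) and ipa.example.com below are assumptions.

# referenced_policy: reads `ipa user-show --all USER` output on stdin and
# prints the cn of the policy named by krbpwdpolicyreference.
referenced_policy() {
    sed -n 's/^[[:space:]]*krbpwdpolicyreference:[[:space:]]*cn=\([^,]*\),.*/\1/p'
}

# expiry_ldif USER SUFFIX WHEN: prints LDIF replacing krbPasswordExpiration.
expiry_ldif() {
    user=$1 suffix=$2 when=$3
    # The attribute holds LDAP GeneralizedTime, here YYYYMMDDhhmmssZ.
    case $when in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) echo "bad GeneralizedTime: $when" >&2; return 1 ;;
    esac
    # Reject a uid that could alter the DN or add LDIF lines.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad uid: $user" >&2; return 1 ;;
    esac
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$user" "$suffix"
    printf 'changetype: modify\n'
    printf 'replace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n' "$when"
}

# Constructed demo using the values quoted in the thread; prints only.
expiry_ldif service dc=example,dc=com 20381231011529Z

# To apply, pipe the LDIF to ldapmodify as an identity allowed to write the
# attribute (assumed here: Directory Manager):
#   expiry_ldif service dc=example,dc=com 20381231011529Z |
#       ldapmodify -ZZ -x -D 'cn=Directory Manager' -W -H ldap://ipa.example.com
```
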
[Freeipa-users] How to change krbPasswordExpiration for service accounts
I already read
https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
but I am not sure I understand suggested solution.
So my question - how I can change krbPasswordExpiration for certain account?

ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z

returns

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=service,cn=users,cn=accounts,dc=example,dc=com'.

TIA,
Vitaly