[Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join

Rob Crittenden rcritten at redhat.com
Fri Jun 11 20:18:33 UTC 2010


Rob Crittenden wrote:
> Marc Schlinger wrote:
>> hello all,
>>
>> I'm doing bulk enrollment, with ipa-client-install -w mypassword .
>>
>> But after this command when I launch #id test-user, I see in the kdc 
>> log that the client key for my host principal has expired, and the 
>> command fails.
>>
>> This is because the host principal has the krbPasswordExpiration set 
>> to the time at which the client joins.
>>
>> Am I missing a step or is this behaviour not normal?
> 
> I see the krbPasswordExpiration attribute getting set as you describe, 
> which is probably a side-effect from having a userPassword defined. I'll 
> see if I can remove this.
> 
> Otherwise I can't duplicate this behavior. My host principal is 
> technically expired but sssd works fine and I can kinit as the principal 
> and use it against the management framework:
> 
> # kinit -kt /etc/krb5.keytab host/panther.example.com
> # getent passwd admin
> admin:*:1881057830:1881057830:Administrator:/home/admin:/bin/bash
> # id admin
> uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
> # ipa user-show admin
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   Groups: admins
>   Rolegroups: replicaadmin
>   Taskgroups: managereplica, deletereplica
> 
> rob

Ok, I figured out why the expiration date was getting set. We have a 
pre-bind function that we use for migrating users imported from an LDAP 
server. The idea is that the first time you bind with your LDAP password 
it will create kerberos credentials for you if they don't exist.

We don't want to execute this when a host is enrolling with a one-time 
password. I added some code so it skips this in the case of a host 
principal. See ipa-devel for the patch.

rob
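As an added example, not part of this thread or of FreeIPA's own code: a small audit that scans LDAP entries for host principals carrying a krbPasswordExpiration in the past, the symptom Marc reported. The LDIF sample is constructed (tiger.example.com is invented); a real run would feed it the output of an ldapsearch for krbPrincipalName and krbPasswordExpiration.

```python
# Added example (not from the thread or FreeIPA): flag host principals whose
# krbPasswordExpiration is already in the past. Input is constructed LDIF text
# so the check runs offline; point it at real ldapsearch -LLL output in practice.
from datetime import datetime, timezone

# Constructed sample in the shape of: ldapsearch -LLL ... krbPrincipalName krbPasswordExpiration
SAMPLE_LDIF = """\
dn: fqdn=panther.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: host/panther.example.com@EXAMPLE.COM
krbPasswordExpiration: 20100611201833Z

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbPrincipalName: admin@EXAMPLE.COM
krbPasswordExpiration: 20100611201833Z

dn: fqdn=tiger.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: host/tiger.example.com@EXAMPLE.COM
"""

def parse_ldif(text):
    """Split minimal LDIF (no base64, no line folding) into one dict per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def parse_generalized_time(value):
    """krbPasswordExpiration is an LDAP GeneralizedTime in UTC: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expired_host_principals(ldif_text, now):
    """Return host/ principals whose expiration is at or before `now`."""
    flagged = []
    for entry in parse_ldif(ldif_text):
        principal = entry.get("krbPrincipalName", [""])[0]
        if not principal.startswith("host/"):
            continue  # user principals legitimately carry an expiration
        for exp in entry.get("krbPasswordExpiration", []):
            if parse_generalized_time(exp) <= now:
                flagged.append(principal)
    return flagged

if __name__ == "__main__":
    print(expired_host_principals(SAMPLE_LDIF, datetime.now(timezone.utc)))
```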
