[Freeipa-users] ipa-getkeytab and mandatory password change

Dmitri Pal dpal at redhat.com
Tue Jun 19 09:54:23 UTC 2012


On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
> Just experienced some weird behaviour on my Fedora 17 installation,
> just wanted to check if this was expected.
>
> I have the default config that requires a user to change their
> password the first time they run kinit.
>
> However I created a user and immediately used ipa-getkeytab as this
> user will be a non-interactive process, despite the ipa-getkeytab
> resetting the secret for the user the first attempt at authentication
> failed as the user was still told to change their password.
>


I do not think we have anticipated this use. The ipa-getkeytab is
designed for the host and services keytabs, not for users. I suggest that
you use a service principal rather than a user principal to run those jobs.
You can also file an RFE to allow keytabs for users if you think that
services would not work for you.

> My expectation would have been that any update to the secret should
> meet the requirement for the user to change their password.
>
> Regards,
> Darran Lofthouse.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

