[Freeipa-users] How to change krbPasswordExpiration for service accounts
Vitaly
linux at karasik.org
Tue Jul 2 13:21:37 UTC 2013
>if you want that the password never expires for some users you should
>created a password policy where the password never expires and assign
>the policy to the users.
Thank you, Sumit.
As far as I understand, I need to tweak krbPasswordExpiration anyway
if password was changed before password policy was applied.
>From another side, I have a weird issue with password policy:
#ipa user-show serviceinvoker --all
....
Member of groups: ...., services
#ipa pwpolicy-show services
Group: services
But
# ipa pwpolicy-show --user serviceinvoker
Group: global_policy
On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <sbose at redhat.com> wrote:
> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>> I already read
>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
>> but I am not sure I understand suggested solution.
>> So my question - how I can change krbPasswordExpiration for certain account?
>>
>> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z
>
> if you want that the password never expires for some users you should
> created a password policy where the password never expires and assign
> the policy to the users.
>
> See 'ipa help pwpolicy' for more details.
>
> HTH
>
> bye,
> Sumit
>>
>> returns
>>
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>> 'krbPasswordExpiration' attribute of entry
>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>
>> TIA,
>> Vitaly
>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list