[Freeipa-users] How to change krbPasswordExpiration for service accounts

Vitaly linux at karasik.org
Tue Jul 2 13:43:46 UTC 2013


# ipa user-show --all serviceinvoker |grep krbpwdpolicyreference
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

On Tue, Jul 2, 2013 at 4:32 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Vitaly wrote:
>>>
>>> If you want the password to never expire for some users, you should
>>> create a password policy where the password never expires and assign
>>> the policy to the users.
>>
>> Thank you, Sumit.
>> As far as I understand, I need to tweak krbPasswordExpiration anyway
>> if the password was changed before the password policy was applied.
>>
>> From another side, I have a weird issue with password policy:
>>
>>
>> #ipa user-show  serviceinvoker  --all
>> ....
>>    Member of groups: ...., services
>>
>> #ipa pwpolicy-show services
>>    Group: services
>>
>> But
>> # ipa pwpolicy-show --user serviceinvoker
>>    Group: global_policy
>
>
> Curious. We'd need to see more details of the password policy, priority for
> example.
>
> Does this show the right policy?
>
> ipa user-show --all serviceinvoker |grep krbpwdpolicyreference
>
>
>>
>> On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <sbose at redhat.com> wrote:
>>>
>>> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>>>>
>>>> I already read
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
>>>> but I am not sure I understand the suggested solution.
>>>> So my question: how can I change krbPasswordExpiration for a certain
>>>> account?
>>>>
>>>> ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z
>>>
>>>
>>> If you want the password to never expire for some users, you should
>>> create a password policy where the password never expires and assign
>>> the policy to the users.
>>>
>>> See 'ipa help pwpolicy' for more details.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>>
>>>>
>>>> returns
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'krbPasswordExpiration' attribute of entry
>>>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>>>
>>>> TIA,
>>>> Vitaly
>>>
>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
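
An added example, not part of the original thread and not FreeIPA code: a small audit script for the situation discussed here, where a service account belongs to a group that has its own password policy but `krbpwdpolicyreference` still names `global_policy`. The sample text is constructed, and the function names, the `group_policies` input and the 30-day warning threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `ipa user-show --all` (not real output).
# The policy DN sits on its own line, as happens when such output is wrapped in mail.
SAMPLE = """\
  User login: serviceinvoker
  Member of groups: ipausers, services
  krbpasswordexpiration: 20130930134346Z
  krbpwdpolicyreference:
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
"""

def parse_attrs(text):
    """Return {lowercased label: value}, re-joining values wrapped onto the next line."""
    attrs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w ]*):\s*(.*)$", line)
        if m:
            last = m.group(1).strip().lower()
            attrs[last] = m.group(2).strip()
        elif last and line.strip():
            attrs[last] += line.strip()  # continuation of a wrapped value
    return attrs

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20381231011529Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit(text, group_policies, now, warn_days=30):
    """Return (effective policy, days until expiry, findings) for one account.

    group_policies: groups that have their own password policy (operator-supplied).
    Assumption: a group policy's DN starts with cn=<group name>.
    """
    a = parse_attrs(text)
    groups = {g.strip() for g in a.get("member of groups", "").split(",")}
    effective = a["krbpwdpolicyreference"].split(",", 1)[0].split("=", 1)[1]
    days = (parse_generalized_time(a["krbpasswordexpiration"]) - now).days
    findings = []
    expected = sorted(groups & set(group_policies))
    if expected and effective not in expected:
        findings.append(f"policy {effective} in effect, expected one of {expected}")
    if days < warn_days:
        findings.append(f"password expires in {days} days")
    return effective, days, findings

if __name__ == "__main__":
    now = datetime(2013, 7, 2, 13, 43, 46, tzinfo=timezone.utc)
    print(audit(SAMPLE, {"services"}, now))
```
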



