[Freeipa-users] change min and max lifetime of random password

Rob Crittenden rcritten at redhat.com
Fri Mar 28 01:28:18 UTC 2014


Stijn De Weirdt wrote:
> hi alexander,
>
>>> it would be good anyway to have a script that checks all hosts that
>>> have not enrolled yet how old the issued password is (even after
>>> expiration). very useful to spot the state of ongoing deployments and
>>> to spot problems. how can one obtain the creation time of the
>>> password? fetch the timestamp from LDAP or is there a nice ipa API for
>>> it?
>> Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
>> and krbLastPwdChange attributes.
>>
>> ipa host-show host.name --all --raw
>>
>> will give you their values.
>>
>> # ipa host-show `hostname` --all --raw |grep krbLast
>>    krbLastPwdChange: 20140213123016Z
>>    krbLastSuccessfulAuth: 20140325073031Z
>>
>>
> this does not seem to work on a host that has the random password set
> (or set a few times), but no keytab was created or other form of
> authentication:
>> ipa host-show test.test --all --raw |grep -E 'krb|has_'
>>   has_password: True
>>   has_keytab: False
>>   krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
>>   krbPrincipalName: host/test.test at TEST
>>   objectClass: krbprincipalaux
>>   objectClass: krbprincipal
>
> (this is freeipa 3.3.3 on rhel7 beta)

Right, because it doesn't have Kerberos credentials yet, just a 
password. We apparently don't set any dates when setting only the host 
password. Which also means password policy probably wouldn't apply 
correctly even if you were able to set one. And I guess the question is, 
should we?

If so we'd need to always add the krbPrincipalAux objectclass and set 
this value in the password plugin.

rob
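As an added example (not code from this thread or from FreeIPA itself), a script of the kind Stijn asks about: it parses `ipa host-show FQDN --all --raw` output, selects hosts that hold a password but no keytab, and reports the age of the password from krbLastPwdChange, returning None for the case Rob describes, where only a password was set and no date was recorded. The host names and the sample output are constructed.

```python
"""Audit host one-time-password age from `ipa host-show --all --raw` output."""
from datetime import datetime, timezone
# Constructed sample output (not captured from a real server): an enrolled
# host with krbLast* attributes and a host that only had a password set.
SAMPLE_OUTPUT = {
    "enrolled.example.test": """\
  has_keytab: True
  has_password: False
  krbLastPwdChange: 20140213123016Z
  krbLastSuccessfulAuth: 20140325073031Z
""",
    "pending.example.test": """\
  has_keytab: False
  has_password: True
  krbPrincipalName: host/pending.example.test@EXAMPLE.TEST
""",
}

def parse_raw(text):
    """Turn `--raw` output into {attribute: [values]} (attributes may repeat)."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        attrs.setdefault(key, []).append(value.strip())
    return attrs

def parse_generalized_time(value):
    """LDAP GeneralizedTime as shown in the thread, e.g. 20140213123016Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_age_days(attrs, now):
    """Age of the last password change in days, or None if no date was recorded."""
    stamps = attrs.get("krbLastPwdChange")
    if not stamps:
        return None  # host has a password but no Kerberos dates yet
    return (now - parse_generalized_time(stamps[0])).days

def audit(outputs, now):
    """Map each host holding a password but no keytab to its password age."""
    report = {}
    for fqdn, raw in outputs.items():
        a = parse_raw(raw)
        has_pw = a.get("has_password", ["False"])[0] == "True"
        has_kt = a.get("has_keytab", ["False"])[0] == "True"
        if has_pw and not has_kt:
            report[fqdn] = password_age_days(a, now)
    return report
```

Against a real server, build `outputs` by running `ipa host-show FQDN --all --raw` for each host returned by `ipa host-find`; a None age means the host shows exactly the state from the thread, so its creation time has to be tracked outside the Kerberos attributes.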