[Freeipa-users] Still trying to implement password expiration warnings

Eivind Olsen eivind at gluping.no
Fri Dec 23 10:43:33 UTC 2016


Hello.

Earlier this year I tried to re-implement a "password expiration 
warning" email when using IPA 4.x. I hit a wall and ended up deciding to 
look at this later. Now is later :)

The plan is to use ldapsearch to check for krbLastPwdChange and compare 
it to krbPasswordExpiration, but these attributes seem to be hidden 
unless one is authenticating (through Kerberos?).

This is with RHEL 7 and IPA 4.2.0.

I have done:

# ipa service-add PWDREMIND/script.host.fqdn
# ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf :

[service/PWDREMIND]
   mechs = krb5
   cred_store = client_keytab:/etc/gssproxy/pwdremind.keytab
   cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
   cred_usage = initiate
   euid = 0
   debug = true

In my "pwdcheck.sh" script I have the following:

#!/bin/bash
export GSS_USE_PROXY="yes"

ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b cn=users,cn=accounts,dc=example,dc=net \
  "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')000000Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')000000Z))" uid \
  | grep ^uid | cut -d: -f2 | while read uid
do
    ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b cn=users,cn=accounts,dc=example,dc=net "uid=${uid}" mail \
      | grep ^mail | cut -d: -f2 | while read mail
    do
        echo "password expires in less than a week: username=$uid mail=$mail"
    done
done

Checking the journalctl for gssproxy I get:

Dec 23 11:36:35 script.host.fqdn gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec 23 11:36:35 script.host.fqdn gssproxy[26976]: gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

Does anyone see where things are going wrong here or have some 
suggestions on what I should try?

Regards
Eivind Olsen
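One way to do the search that pwdcheck.sh above attempts, as an added example: this is editor-written code, not part of Eivind's post and not FreeIPA's own tooling, and it does not address the "No credentials cache found" error itself. It assumes GNU date and base64 (both on RHEL 7), ldapsearch from openldap-clients, the same host, base DN and gssproxy service named in the post, and a gssproxy that already hands the script a ticket. Compared with the posted script it makes one authenticated search for uid, mail and krbPasswordExpiration instead of one search per user, and it parses the LDIF instead of using "grep ^mail | cut -d: -f2", which silently returns nothing for a folded line or for a value ldapsearch base64-encodes ("mail:: ...", as it does for any non-ASCII address). The sample LDIF in the block is constructed for the offline run; with "--run" it queries the real server.

```shell
#!/bin/bash
# Added example, not from the original post or from FreeIPA.
# Assumed (not from the post): GNU date and base64, openldap-clients'
# ldapsearch, and a gssproxy that already provides a ticket for
# PWDREMIND/script.host.fqdn. Host and base DN are the post's placeholders.

LDAP_URI="ldap://ipa.host.fqdn"
BASE_DN="cn=users,cn=accounts,dc=example,dc=net"

# LDAP generalized time (YYYYmmddHHMMSSZ), in UTC, for an epoch second.
ldap_time_from_epoch() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ
}

# Filter for enabled accounts whose krbPasswordExpiration lies between
# "now" ($1, epoch) and now + $2 seconds. "now" is a parameter so the filter
# is reproducible. Already-expired passwords are left out on purpose: they
# need a different message than a reminder.
expiry_filter() {
    from=$(ldap_time_from_epoch "$1")
    to=$(ldap_time_from_epoch $(($1 + $2)))
    printf '(&(!(nsAccountLock=TRUE))(krbPasswordExpiration>=%s)(krbPasswordExpiration<=%s))' \
        "$from" "$to"
}

# Read LDIF on stdin, print one "uid|mail|expiry" line per entry.
# A line starting with a space continues the previous value (ldapsearch folds
# at 76 columns by default); "attr:: value" is base64, which ldapsearch uses
# for any value that is not plain printable ASCII.
parse_ldif() {
    awk '
    function emit() {
        if (uid != "") printf "%s|%s|%s\n", uid, mail, expiry
        uid = ""; mail = ""; expiry = ""
    }
    function decode_b64(val,   cmd, out) {
        # Only shell out for well-formed base64; anything else is dropped.
        if (val !~ "^[A-Za-z0-9+/=]+$") return ""
        cmd = "printf %s " val " | base64 -d"
        cmd | getline out
        close(cmd)
        return out
    }
    function store(line,   pos, name, val) {
        if (line ~ /^[A-Za-z][A-Za-z0-9-]*:: /) {
            pos = index(line, ":: ")
            name = substr(line, 1, pos - 1); val = decode_b64(substr(line, pos + 3))
        } else if (line ~ /^[A-Za-z][A-Za-z0-9-]*: /) {
            pos = index(line, ": ")
            name = substr(line, 1, pos - 1); val = substr(line, pos + 2)
        } else return
        if (name == "uid") uid = val
        else if (name == "mail") mail = val
        else if (name == "krbPasswordExpiration") expiry = val
    }
    /^#/ { next }                              # ldapsearch comment lines
    /^ /  { buf = buf substr($0, 2); next }   # continuation of previous line
    { if (buf != "") store(buf); buf = $0 }  # previous logical line is complete
    /^$/  { emit() }                           # blank line ends the entry
    END   { if (buf != "") store(buf); emit() }
    '
}

# Constructed sample of "ldapsearch -LLL" output (not real directory data):
# the second entry has a folded krbPasswordExpiration and a base64 mail value.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=net
uid: alice
mail: alice@example.net
krbPasswordExpiration: 20161228103000Z

dn: uid=bjoern,cn=users,cn=accounts,dc=example,dc=net
uid: bjoern
mail:: YmrDuHJuQGV4YW1wbGUubmV0
krbPasswordExpiration: 2016122
 9103000Z
EOF
}

# The real search: -LLL drops comments and version lines, -o ldif-wrap=no
# stops folding (parse_ldif copes either way), GSS_USE_PROXY routes the
# GSSAPI calls through gssproxy.
query_expiring() {
    GSS_USE_PROXY=yes ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -H "$LDAP_URI" \
        -b "$BASE_DN" "$(expiry_filter "$(date +%s)" $((7 * 86400)))" \
        uid mail krbPasswordExpiration | parse_ldif
}

# Print what would be mailed; the real mail command goes here.
report() {
    while IFS='|' read -r uid mail expiry; do
        if [ -z "$mail" ]; then
            printf 'no mail attribute for %s, skipping\n' "$uid" >&2
            continue
        fi
        printf 'password for %s expires %s: notify %s\n' "$uid" "$expiry" "$mail"
    done
}

case "${1:-}" in
    --run) query_expiring | report ;;              # against the real server
    *)     sample_ldif | parse_ldif | report ;;     # offline demonstration
esac
```

Run it with no arguments to see the parser handle the folded and base64 values in the constructed sample; "--run" performs the live search. The uid in the filter is never interpolated from directory data, which is the other thing the nested per-user search in the original gets wrong if a uid ever contains filter metacharacters.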
