[Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

Rob Crittenden rcritten at redhat.com
Tue Feb 23 15:37:16 UTC 2016


Karl Forner wrote:
> I forgot to say that I did a "kinit admin" before the  ipa user-mod.
> 
> On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner <karl.forner at gmail.com> wrote:
> 
>     Hello,
> 
>     I tried to postpone a password expiration date, as indicated here:
>     https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
> 
>     % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
> 
>     ipa: ERROR: Insufficient access: Insufficient 'write' privilege to
>     the 'krbPasswordExpiration' attribute of entry
>     'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.
> 
>     Is this expected ? What is the canonical way of doing this ?

The docs you are referring to are quite old: 5 full Fedora releases,
several IPA releases.

To fix you'd need to add a new ACI that grants write access to this
attribute in the user container.

You can either do this via the permission/privilege/role route and add
the admins group to the new role, or you can directly add an ACI (more
direct but also less supportable and error-prone).

rob
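
The permission/privilege/role route described in the reply above, as an added example that is not part of the original message. It assumes the FreeIPA 4.x CLI option names; the permission, privilege and role names are hypothetical.

```shell
#!/bin/sh
# Added example: delegate write access to krbPasswordExpiration through
# FreeIPA RBAC (permission -> privilege -> role -> member group).
# Object names are hypothetical; options assume the FreeIPA 4.x CLI.

PERM_NAME="Write user password expiration"
PRIV_NAME="Password Expiration Administrators"
ROLE_NAME="Password Expiration Manager"

# Print each command; execute it only when DRY_RUN=0.
# The default is a dry run so the plan can be reviewed first.
run() {
    printf '%s' "+"
    for arg in "$@"; do printf ' "%s"' "$arg"; done
    printf '\n'
    if [ "${DRY_RUN:-1}" = "0" ]; then
        "$@"
    fi
}

grant_pwdexp_write() {
    group="$1"
    [ -n "$group" ] || { echo "usage: grant_pwdexp_write GROUP" >&2; return 2; }

    # 1. Permission: write on this single attribute, scoped to user entries,
    #    instead of a broad hand-written ACI on the user container.
    run ipa permission-add "$PERM_NAME" \
        --right=write --type=user --attrs=krbpasswordexpiration || return 1

    # 2. Privilege that carries the permission.
    run ipa privilege-add "$PRIV_NAME" \
        --desc="May change user password expiration" || return 1
    run ipa privilege-add-permission "$PRIV_NAME" \
        --permissions="$PERM_NAME" || return 1

    # 3. Role that carries the privilege, with the group as a member.
    run ipa role-add "$ROLE_NAME" \
        --desc="Can set krbPasswordExpiration on users" || return 1
    run ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME" || return 1
    run ipa role-add-member "$ROLE_NAME" --groups="$group" || return 1

    # 4. Show the resulting permission (including the generated ACI) for review.
    run ipa permission-show "$PERM_NAME" --all
}

# Stand-alone use: prints the plan for the given group (default: admins).
grant_pwdexp_write "${1:-admins}"
```

Run it after `kinit admin`; once the printed plan looks right, rerun with `DRY_RUN=0` to apply it, then retry the `ipa user-mod` from the question.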



