On 25/10/2016 10:50, Prasun Gera wrote:
> When is principal expiration triggered? I haven't set it explicitly
> for any user, and ipa user-show doesn't show that attribute either.
> I'm not very familiar with Kerberos.
It doesn't show it unless it has been set. You can set it like this:
# ipa help user-mod
...
--principal-expiration=DATETIME
Kerberos principal expiration
(This is from IPA under CentOS 7. Older versions might not have this
feature at all).
> And as you and David said earlier, if the principal expires, kinit
> shouldn't work either, right?
Yes I agree. I have just tried setting krbPasswordExpiration to a very
old time, using ldapmodify.
# ldapmodify -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20010101000000Z
-
^D
But this works for me:
$ sudo -s
[sudo] password for bcandler:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:
#
But actually, I didn't try the web UI with an expired password yet. I'll
try that later.
Regards,
Brian.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
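The thread above sets krbPasswordExpiration by hand with ldapmodify and notes that ipa user-show only displays an expiration attribute once it has been set. The script below is an added example, not code from the thread or from the FreeIPA project: it takes LDIF of the kind ldapsearch returns for user entries, parses the krbPrincipalExpiration and krbPasswordExpiration values (LDAP GeneralizedTime, YYYYMMDDHHMMSSZ), and reports which accounts have an expired principal or password as of a reference time, treating an absent attribute as "never set". The LDIF entries, user names and the REFERENCE_NOW timestamp are constructed sample data.

```python
"""Audit FreeIPA user entries for expired Kerberos principals/passwords.

Added example (not from the mailing-list thread or from FreeIPA itself).
Input is LDIF as produced by ldapsearch; only plain "attr: value" lines are
handled (base64 "attr:: value" lines are an assumption left out here).
"""
from datetime import datetime, timezone

# Constructed sample LDIF. The suffix mirrors the thread's dc=ipa,dc=example,dc=com.
SAMPLE_LDIF = """\
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: bcandler
krbPasswordExpiration: 20010101000000Z

dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: alice
krbPrincipalExpiration: 20150601120000Z
krbPasswordExpiration: 20991231235959Z

dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: bob
"""

# Constructed reference time (the date of the message above), so results are stable.
REFERENCE_NOW = datetime(2016, 10, 25, 10, 50, tzinfo=timezone.utc)


def parse_ldif(text):
    """Return one dict per LDIF entry, mapping attribute name -> value.

    Entries are separated by blank lines; comment lines starting with '#'
    are skipped. A repeated attribute keeps its last value (enough here,
    since the two expiration attributes are single-valued).
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form FreeIPA stores (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now):
    """Classify an entry as principal-expired, password-expired or ok.

    A missing attribute means no expiration was ever set (FreeIPA only
    stores the attribute once it is set), so it counts as not expired.
    Principal expiration is reported first because it blocks kinit outright.
    """
    principal = entry.get("krbPrincipalExpiration")
    password = entry.get("krbPasswordExpiration")
    if principal is not None and parse_generalized_time(principal) <= now:
        return "principal-expired"
    if password is not None and parse_generalized_time(password) <= now:
        return "password-expired"
    return "ok"


def audit(ldif_text, now=None):
    """Map each uid in the LDIF to its expiration status as of `now`."""
    now = now or datetime.now(timezone.utc)
    return {e["uid"]: classify(e, now) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    # Hypothetical usage: pipe `ldapsearch -LLL ... uid krbPrincipalExpiration
    # krbPasswordExpiration` output into audit() instead of SAMPLE_LDIF.
    for uid, status in audit(SAMPLE_LDIF, REFERENCE_NOW).items():
        print(f"{uid}: {status}")
```

Distinguishing the two statuses matters for triage: a password-expired account still authenticates and is pushed into a password change (as the sudo transcript in the thread shows), whereas a principal-expired account should fail kinit entirely, so the two lists need different follow-up.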