Issue #7 · Open · created by sebix

Service Password expired after creation

Created a service using the freeipa-service-password.sh script:

[root@cerberos ~]# HOSTNAME=cerberos.fstph.at ./freeipa-scripts/freeipa-service-password.sh host.example.com sympa
Fetching information for host.example.com
Creating host host.example.com
--------------------------------------------
Added host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal name: host/host.example.com@FSTPH.AT
  Principal alias: host/host.example.com@FSTPH.AT
  SSH public key: ...
  SSH public key fingerprint: ...
  Password: False
  Keytab: False
  Managed by: host.example.com
[Principal alias]: sympa
-----------------------------------------------------------
Added new aliases to host "host.example.com"
-----------------------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com@FSTPH.AT, sympa@EXAMPLE.COM
Created service sympa/host.example.com
Service Bind DN: krbprincipalname=sympa/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
Enabled login with generated password: 

and tried using it:

# ldapsearch -D krbprincipalname=sympa/host.exampe.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com -W -LLL -b cn=users,cn=accounts,dc=example,dc=com uid -h ipa -p 389
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
        additional info: Password is expired.

How could the password be expired, when it was just newly created? In the password policy, the lifetime is set to 20000.

What could be the reason for the expired password?

  • sebix @sebix ·

    The field krbPasswordExpiration needs to be deleted via LDAP before using the account. Then it works.

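As an added example (not from the issue or the freeipa-scripts project): a small helper that reads a service entry's krbPasswordExpiration, tells whether it is already in the past (the condition behind the "Password is expired" bind error above), and builds the LDIF for ldapmodify that either deletes the attribute, as the fix above does, or replaces it with a future date so the policy's lifetime stays in force. The entry and dates are constructed; the policy lifetime of 20000 is assumed to be in days.

```python
# Added example: check and reset krbPasswordExpiration on a FreeIPA service entry.
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample entry, modelled on the service bind DN shown in the issue.
SAMPLE_ENTRY = {
    "dn": "krbprincipalname=sympa/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com",
    "krbPasswordExpiration": "20240101120000Z",  # constructed value, already in the past
}


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form FreeIPA stores (YYYYMMDDHHMMSSZ, UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    """Inverse of parse_generalized_time, always emitted in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def is_password_expired(entry: dict, now: datetime) -> bool:
    """True when krbPasswordExpiration is present and not later than 'now'."""
    raw = entry.get("krbPasswordExpiration")
    if raw is None:
        return False  # no expiration attribute: the bind is not rejected for expiry
    return parse_generalized_time(raw) <= now


def expiration_ldif(dn: str, new_expiry: Optional[datetime]) -> str:
    """LDIF for ldapmodify: delete the attribute (None) or replace it with a new date."""
    if new_expiry is None:
        body = "delete: krbPasswordExpiration\n"
    else:
        body = ("replace: krbPasswordExpiration\n"
                f"krbPasswordExpiration: {format_generalized_time(new_expiry)}\n")
    return f"dn: {dn}\nchangetype: modify\n{body}"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if is_password_expired(SAMPLE_ENTRY, now):
        # Keep an expiry matching the policy lifetime (assumed 20000 days) rather than none at all.
        print(expiration_ldif(SAMPLE_ENTRY["dn"], now + timedelta(days=20000)))
```

Pipe the printed LDIF into `ldapmodify` as the script does, but keep its exit status so a failed modify is not silently ignored.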
  • sebix @sebix ·

    You can use this patch:

    diff --git a/freeipa-service-password.sh b/freeipa-service-password.sh
    index 293eafd..f9c7cac 100755
    --- a/freeipa-service-password.sh
    +++ b/freeipa-service-password.sh
    @@ -77,5 +77,10 @@ add: userPassword
     userPassword: $service_bindpw
     EOLDIF
         fi
    +    ldapmodify -Q > /dev/null 2>&1 <<EOLDIF
    +dn: $service_binddn
    +changetype: modify
    +delete: krbPasswordExpiration
    +EOLDIF
     done
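Review bot: the added `ldapmodify -Q > /dev/null 2>&1` line throws away both the error output and the exit status, so a failed delete (for example when the entry has no krbPasswordExpiration attribute, which the server rejects as an error) goes unnoticed and the loop moves on with the password still expired. Suggest keeping stderr and checking the return code, e.g. `ldapmodify -Q <<EOLDIF || { echo "failed to clear krbPasswordExpiration for $service_binddn" >&2; exit 1; }`. Also worth a comment in the script that deleting the attribute leaves the service password with no expiry date at all, independent of the password policy lifetime mentioned in the report; replacing it with a future date would keep the policy in force.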
    

    Forking a repository is not allowed here, so I can't create a Pull Request.
