[Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join
Rob Crittenden
rcritten at redhat.com
Fri Jun 11 18:23:40 UTC 2010
Marc Schlinger wrote:
> hello all,
>
> I'm doing bulk enrollment, with ipa-client-install -w mypassword .
>
> But after this command when I launch #id test-user, I see in the kdc log
> that the client key for my host principal has expired, and the command
> fails.
>
> This is because the host principal has the krbPasswordExpiration set to
> the time at which the client join.
>
> Am I missing a step or is this behaviour not normal?

I see the krbPasswordExpiration attribute getting set as you describe,
which is probably a side-effect from having a userPassword defined. I'll
see if I can remove this.

Otherwise I can't duplicate this behavior. My host principal is
technically expired but sssd works fine and I can kinit as the principal
and use it against the management framework:

# kinit -kt /etc/krb5.keytab host/panther.example.com
# getent passwd admin
admin:*:1881057830:1881057830:Administrator:/home/admin:/bin/bash
# id admin
uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
# ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Groups: admins
Rolegroups: replicaadmin
Taskgroups: managereplica, deletereplica

rob