[Freeipa-users] ipa-getkeytab and mandatory password change
Stephen Ingram
sbingram at gmail.com
Tue Jun 19 18:12:17 UTC 2012
On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce <simo at redhat.com> wrote:
> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
>> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> > On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
>> >> Just experienced some weird behaviour on my Fedora 17 installation,
>> >> just wanted to check if this was expected.
>> >>
>> >> I have the default config that requires a user to change their
>> >> password the first time they run kinit.
>> >>
>> >> However I created a user and immediately used ipa-getkeytab as this
>> >> user will be a non-interactive process, despite the ipa-getkeytab
>> >> resetting the secret for the user the first attempt at authentication
>> >> failed as the user was still told to change their password.
>> >>
>> >
>> >
>> > I do not think we have anticipated this use. The ipa-getkeytab is
>> > designed for the host and services keytabs not for users. I suggest that
>> > use a service principal rather than a user principal to run those jobs.
>> > You can also file an RFE to allow keytabs for users if you think that
>> > services would not work for you.
>> >
>> >> My expectation would have been that any update to the secret should
>> >> meet the requirement for the user to change their password.
>>
>> Darren-
>>
>> I'm not sure if you went further with this, but if you do change the
>> password through other means, you then will be able to get a copy of
>> the keytab for the user with ipa-getkeytab. I tried it out because the
>> thought of not being able to get a keytab for a user was concerning. I
>> agree that the service keytabs make more sense for these instances (I
>> was also told this by Simo in another thread), but I keep being told
>> by the application people that I need to use a user principal, which,
>> thankfully works.
>
> Ask them why, I am curious about the requirement.
I'm still waiting for responses. The only thing I've been told thus
far is that since there are multiple processes authenticating to their
respective servers, it might be difficult to direct each to the proper
credential cache. If you use one user to auth to each server process
then there is only one credential cache.
Steve
More information about the Freeipa-users
mailing list