[Freeipa-users] Kerberos Utilities Integration

Hi IPA Users, What is the status of the IPA integration with Kerberos utilities such as kadmin (kadmin.local) and kdb5_util? Can they be used or are they not supported. If not supported maybe they should report an error or warning. It seems setting a user's password expiration with kadmin works in the short term, but is later overwritten perhaps by multi-master replication? I was testing password expiration and I set a value using kadmin modprinc yesterday and noticed today that the value has reverted back to what it was earlier. As an aside using ipa user-mod --setattr=krbPasswordExpiration=20180715011529Z is clumsy and admin user doesn't even have the privilege to execute it successfully. LDAP modify with directory manager has the privilege, but LDIF is even more clumsy. With kadmin.local modprinc I can use -pwexpire 1day. Also, importing an existing database of principals with password hashes would make migration from a standalone KDC much less painful. Any chance that feature is added at some point? Looks like one challenge might be what appears to be the 389 directory server storing user passwords in two separate fields (userPassword and krbPrincipalKey), which are presumably hashed differently. Ryan