Hi IPA Users,
What is the status of the IPA integration with Kerberos utilities such as kadmin
(kadmin.local) and kdb5_util? Can they be used, or are they not supported? If not
supported, maybe they should report an error or warning.
It seems setting a user's password expiration with kadmin works in the short term, but
is later overwritten, perhaps by multi-master replication? I was testing password
expiration and I set a value using kadmin modprinc yesterday, and noticed today that the
value has reverted back to what it was earlier. As an aside, using ipa user-mod
--setattr=krbPasswordExpiration=20180715011529Z is clumsy, and the admin user doesn't even
have the privilege to execute it successfully. LDAP modify with directory manager has the
privilege, but LDIF is even more clumsy. With kadmin.local modprinc I can use -pwexpire
1day.
Also, importing an existing database of principals with password hashes would make
migration from a standalone KDC much less painful. Any chance that feature is added at
some point? Looks like one challenge might be what appears to be the 389 directory server
storing user passwords in two separate fields (userPassword and krbPrincipalKey), which
are presumably hashed differently.
Ryan
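Added example (not from the post, and not FreeIPA or MIT Kerberos code): a small Python helper that builds the GeneralizedTime value ipa user-mod --setattr=krbPasswordExpiration expects from a kadmin-style relative spec such as 1day, plus a check that flags when the value read back later (via kadmin getprinc or ldapsearch) no longer matches what was set. It assumes only the "<n><unit>" subset of kadmin's relative-time syntax; the sample timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: only the "<n><unit>" subset of kadmin's getdate-style relative
# times is handled here ("1day", "12 hours", "2weeks"), not absolute dates.
_UNITS = {
    "second": 1,
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
}


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form krbPasswordExpiration stores,
    e.g. 20180715011529Z, into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def relative_to_generalized_time(spec, now=None):
    """Turn a kadmin-style relative expiry ("1day", "6 hours") into the
    GeneralizedTime string usable with --setattr=krbPasswordExpiration=...
    `now` defaults to the current UTC time; pass one for reproducible output."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", spec.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError("unsupported relative time: %r" % spec)
    base = now or datetime.now(timezone.utc)
    expiry = base + timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])
    return expiry.strftime("%Y%m%d%H%M%SZ")


def expiry_reverted(expected, stored, tolerance_seconds=60):
    """True when the stored expiry differs from the one that was set by more
    than the tolerance, i.e. the value drifted or was overwritten as described
    in the post. Compare against what kadmin getprinc or ldapsearch returns."""
    delta = parse_generalized_time(expected) - parse_generalized_time(stored)
    return abs(delta.total_seconds()) > tolerance_seconds


if __name__ == "__main__":
    # Constructed sample: the post's timestamp, one day after a fixed "now".
    fixed_now = parse_generalized_time("20180714011529Z")
    print(relative_to_generalized_time("1day", now=fixed_now))
```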