The same thing has happened to me. It's in the --raw data, but not in --all. Everything was fine in CentOS 6.x, but CentOS 8.x bombed my scripts with this.
raymond.spangle--- via FreeIPA-users wrote:
The same thing has happened to me. It's in the --raw data, but not in --all. Everything was fine in CentOS 6.x, but CentOS 8.x bombed my scripts with this.
It works for me in RHEL 8.2.0.
$ ipa user-show tuser
  dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
  User login: tuser
  First name: tim
  Last name: user
  Full name: tim user
  Display name: tim user
  Initials: tu
  Home directory: /home/tuser
  GECOS: tim user
  Login shell: /bin/sh
  Principal name: tuser@EXAMPLE.TEST
  Principal alias: tuser@EXAMPLE.TEST
  User password expiration: 20200727190231Z
  ...
rob
Thanks for responding.
I was using user-find due to experiencing multiple matches under user-show. But, either way, no flags or only --all do not show this field, anymore, but --all and --raw together will include it for both user-show and user-find. And, this is on the client side, not the server side, because that is all that has changed, here.
I have tried using the original method I was using on CentOS 6 with a dedicated user (autoaudit) using a keytab. I have also tried using admin and kinit'ing manually. Nothing seems to matter for this lack of field.
New machine with this issue, using admin just to show:
[root@rches DATA-2.0]# ipa --version
VERSION: 4.8.4, API_VERSION: 2.235
[root@rches DATA-2.0]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
[root@rches DATA-2.0]# klist
Ticket cache: KCM:0
Default principal: autoaudit@FIS.VZBI.LOCAL

Valid starting       Expires              Service principal
07/27/2020 09:50:14  07/28/2020 09:50:13  HTTP/rch-freeipa-199-81.fis.vzbi.local@FIS.VZBI.LOCAL
07/27/2020 09:50:13  07/28/2020 09:50:13  krbtgt/FIS.VZBI.LOCAL@FIS.VZBI.LOCAL
[root@rches DATA-2.0]# kdestroy -A
[root@rches DATA-2.0]# klist
klist: Credentials cache 'KCM:0' not found
[root@rches DATA-2.0]# kinit admin
Password for admin@FIS.VZBI.LOCAL:
[root@rches DATA-2.0]# /usr/bin/ipa user-show v808052
  User login: v808052
  First name: Raymond
  Last name: Spangle
  Home directory: /home/remote/v808052
  Login shell: /bin/bash
  Principal name: v808052@FIS.VZBI.LOCAL
  Principal alias: v808052@FIS.VZBI.LOCAL
  Email address: [REDACTED], [REDACTED]
  UID: 859400151
  GID: 859400151
  Account disabled: False
  Password: True
  Member of groups: ipausers, admins, dev-releases-ssh-read-write, trust admins, esusergroup, dev-releases-dev
  Roles: User Administrator
  Member of Sudo rule: ESrules, ALL
  Indirect Member of Sudo rule: QAEnv0rules, MSS-VRRdev_env, QAEnv3rules, devopsrule, QAENV1rules, QAEnv5rules, PLCErules, stagingrules, essudorule, mcs_all, oemdb, mss-db-dev-sudorules, Dev-MSS-Sudo, QArules
  Indirect Member of HBAC rule: QA, DEVHBAC, ESHBAC, developers, QAENV0, QAEnv1, PLCE, QAEnv5, QAEnv3, dev-releases, Staging
  Kerberos keys available: True
[root@rches DATA-2.0]# /usr/bin/ipa user-find --login v808052 --all
--------------
1 user matched
--------------
  dn: uid=v808052,cn=users,cn=accounts,dc=fis,dc=vzbi,dc=local
  User login: v808052
  First name: Raymond
  Last name: Spangle
  Full name: Raymond Spangle
  Display name: Raymond Spangle
  Initials: RS
  Home directory: /home/remote/v808052
  GECOS: Raymond Spangle
  Login shell: /bin/bash
  Principal name: v808052@FIS.VZBI.LOCAL
  Principal alias: v808052@FIS.VZBI.LOCAL
  User password expiration: 20220311151418Z
  Email address: [REDACTED], [REDACTED]
  UID: 859400151
  GID: 859400151
  Car License: Valid User
  Account disabled: False
  Preserved user: False
  Member of groups: admins, ipausers, trust admins, esusergroup, dev-releases-dev, dev-releases-ssh-read-write
  Roles: User Administrator
  Member of Sudo rule: ALL, QArules, PLCErules, stagingrules, QAENV1rules, QAEnv5rules, QAEnv3rules, QAEnv0rules, devopsrule, mcs_all, MSS-VRRdev_env, Dev-MSS-Sudo, ESrules, essudorule, mss-db-dev-sudorules, oemdb
  Member of HBAC rule: developers, QA, DEVHBAC, PLCE, Staging, QAEnv1, QAEnv5, QAEnv3, QAENV0, ESHBAC, dev-releases
  ipauniqueid: e753da96-07df-11e8-ae98-005056bbca2d
  krbextradata: AAJK4YhddjgwODA1MkBGSVMuVlpCSS5MT0NBTAA=
  krblastadminunlock: 20190405232137Z
  krblastfailedauth: 20200720144235Z
  krblastpwdchange: 20190923151418Z
  krbloginfailedcount: 0
  krbticketflags: 128
  mepmanagedentry: cn=v808052,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@rches DATA-2.0]# /usr/bin/ipa user-find --login v808052 --all --raw
--------------
1 user matched
--------------
  dn: uid=v808052,cn=users,cn=accounts,dc=fis,dc=vzbi,dc=local
  uid: v808052
  givenname: Raymond
  sn: Spangle
  cn: Raymond Spangle
  initials: RS
  homedirectory: /home/remote/v808052
  gecos: Raymond Spangle
  loginshell: /bin/bash
  krbcanonicalname: v808052@FIS.VZBI.LOCAL
  krbprincipalname: v808052@FIS.VZBI.LOCAL
  mail: [REDACTED]
  mail: [REDACTED]
  uidnumber: 859400151
  gidnumber: 859400151
  nsaccountlock: FALSE
  carLicense: Valid User
  displayName: Raymond Spangle
  ipaUniqueID: e753da96-07df-11e8-ae98-005056bbca2d
  krbExtraData: AAJK4YhddjgwODA1MkBGSVMuVlpCSS5MT0NBTAA=
  krbLastAdminUnlock: 20190405232137Z
  krbLastFailedAuth: 20200720144235Z
  krbLastPwdChange: 20190923151418Z
  krbLoginFailedCount: 0
  krbPasswordExpiration: 20220311151418Z
  krbTicketFlags: 128
  memberOf: ipaUniqueID=8031d79c-cb89-11e7-981b-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: cn=admins,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=02381bbe-cab5-11e7-b953-005056bb0834,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=c3c1cbda-cab6-11e7-bfdf-005056bb0834,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Host Enrollment,cn=privileges,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=57723a32-00e9-11e8-bdbc-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=0e5a1f3c-00f2-11e8-bdbb-005056bbca2d,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=4fa4ef98-1886-11e8-b083-005056bbca2d,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=9aa747b6-1886-11e8-815a-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=68eba6ea-1dea-11e8-8730-005056bbca2d,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=90981232-1dea-11e8-8730-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=e3f34c94-2678-11e8-8762-005056bbca2d,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=55de81ac-2679-11e8-a562-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=492186ac-2cd8-11e8-81dc-005056bb0834,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=6fa1044c-2cd8-11e8-a79e-005056bb0834,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=4ce6f314-2da3-11e8-81dc-005056bb0834,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=cbf22368-2da3-11e8-b6c9-005056bb0834,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=3352990a-317a-11e8-94cc-005056bbca2d,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=522bb7bc-317a-11e8-b3a6-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=7934b142-3323-11e8-9d39-005056bbca2d,cn=hbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=27eabaac-51b4-11e8-9d39-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=72ad26de-62f7-11e8-b3a6-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=5819a142-1b7c-11e9-b56e-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=609e609e-23e9-11e9-93ba-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: cn=trust admins,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: cn=User Administrator,cn=roles,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: cn=User Administrators,cn=privileges,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Add Users,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Change User password,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify Users,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Remove Users,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Unlock User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Group Administrators,cn=privileges,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Add Groups,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify External Group Membership,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify Groups,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Remove Groups,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Add Stage User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Modify User RDN,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Preserve User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Remove preserved User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: cn=System: Undelete User,cn=permissions,cn=pbac,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=80465e04-331e-11e8-adec-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: cn=esusergroup,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=6f8502f6-3331-11e8-9d39-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=493735d4-42cb-11e8-9d39-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=0e5a8154-4790-11e8-815a-005056bbca2d,cn=sudorules,cn=sudo,dc=fis,dc=vzbi,dc=local
  memberOf: cn=dev-releases-dev,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: cn=dev-releases-ssh-read-write,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  memberOf: ipaUniqueID=926daccc-a74d-11ea-aa32-005056aa1263,cn=hbac,dc=fis,dc=vzbi,dc=local
  mepManagedEntry: cn=v808052,cn=groups,cn=accounts,dc=fis,dc=vzbi,dc=local
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@rches DATA-2.0]#
On the old machine, all still works wonderfully using only --all. Here are its specs:
[root@rches-old save]# rpm -qa | grep ^ipa
ipa-client-3.0.0-51.el6.centos.x86_64
ipa-admintools-3.0.0-51.el6.centos.x86_64
ipa-python-3.0.0-51.el6.centos.x86_64
[root@rches-old save]# cat /etc/redhat
redhat-lsb/      redhat-release@
[root@rches-old save]# cat /etc/redhat-release
CentOS release 6.10 (Final)
[root@rches-old save]#
The problem specifically for my scripts is that using --raw to show these fields also seems to now show everything in different cases, between the two versions, e.g.:
krblastfailedauth: 20200720144235Z
krblastpwdchange: 20190923151418Z
versus:
krbLastFailedAuth: 20200720144235Z
krbLastPwdChange: 20190923151418Z
So, I have a work-around, by forcing the --raw and re-writing my scripts to use these new field names, but... if there is a bug somewhere that is "fixed" later on... and it breaks my fixes... whew. Triple the work, for me.
-------------------------------------------------. Raymond.Spangle@verizon.com | Verizon +1-214-448-9648 | MTS IV Cslt-Sys Engrg `----------------------------------------- --- -- -
-----Original Message-----
From: Rob Crittenden [mailto:rcritten@redhat.com]
Sent: Monday, July 27, 2020 2:04 PM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Spangle II, Raymond D raymond.spangle@one.verizon.com
Subject: [E] Re: [Freeipa-users] Re: krbpasswordexpiration field gone from "ipa user-show" ?
raymond.spangle--- via FreeIPA-users wrote:
The same thing has happened to me. It’s in the --raw data, but not in --all.  Everything was fine in CentOS 6.x, but CentOS 8.x bombed my scripts with this.
It works for me in RHEL 8.2.0.
$ ipa user-show tuser
  dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
  User login: tuser
  First name: tim
  Last name: user
  Full name: tim user
  Display name: tim user
  Initials: tu
  Home directory: /home/tuser
  GECOS: tim user
  Login shell: /bin/sh
  Principal name: tuser@EXAMPLE.TEST
  Principal alias: tuser@EXAMPLE.TEST
  User password expiration: 20200727190231Z
  ...
rob
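Added example, not part of the thread and not FreeIPA code: one way for an audit script to read `ipa user-find --all --raw` output without depending on attribute-name case, since the thread shows `krblastpwdchange` on one client and `krbLastPwdChange` on the other. LDAP attribute names are case-insensitive, so the parser lower-cases them; the sample output and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of `ipa user-find --all --raw` output,
# deliberately mixing lower-case and camelCase attribute names.
SAMPLE = """\
--------------
1 user matched
--------------
  dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
  uid: tuser
  mail: tuser@example.test
  mail: tim.user@example.test
  krblastpwdchange: 20190923151418Z
  krbPasswordExpiration: 20220311151418Z
  memberOf: cn=System: Add Users,cn=permissions,cn=pbac,dc=example,dc=test
----------------------------
Number of entries returned 1
----------------------------
"""

def parse_raw(text):
    """Return a list of entries, each mapping a lower-cased attribute
    name to the list of its values (attributes may repeat)."""
    entries, current = [], None
    for line in text.splitlines():
        # Split on the first ': ' only, so values such as
        # 'cn=System: Add Users,...' stay intact.
        name, sep, value = line.strip().partition(": ")
        if not sep or " " in name:
            continue  # banners, separators, and non-raw labels like 'User login'
        name = name.lower()
        if name == "dn":  # each entry begins with its dn
            current = {}
            entries.append(current)
        if current is not None:
            current.setdefault(name, []).append(value)
    return entries

def generalized_time(value):
    """Convert an LDAP GeneralizedTime like 20220311151418Z to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_expiration(entry):
    """Expiry of one parsed entry, or None if the attribute was not returned."""
    values = entry.get("krbpasswordexpiration")
    return generalized_time(values[0]) if values else None
```

Returning None for a missing attribute lets the caller tell "field not returned by this client" apart from an expired password instead of failing on a lookup.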