Service Password expired after creation #4

Open
opened 2026-01-01 17:04:50 +00:00 by jfl · 0 comments
Owner

Ticket created on the old Gitlab by @sebix on 2024-02-03:

Created a service using the freeipa-service-password.sh script:

```
[root@cerberos ~]# HOSTNAME=cerberos.fstph.at ./freeipa-scripts/freeipa-service-password.sh host.example.com sympa
Fetching information for host.example.com
Creating host host.example.com
--------------------------------------------
Added host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal name: host/host.example.com@FSTPH.AT
  Principal alias: host/host.example.com@FSTPH.AT
  SSH public key: ...
  SSH public key fingerprint: ...
  Password: False
  Keytab: False
  Managed by: host.example.com
[Principal alias]: sympa
-----------------------------------------------------------
Added new aliases to host "host.example.com"
-----------------------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com@FSTPH.AT, sympa@EXAMPLE.COM
Created service sympa/host.example.com
Service Bind DN: krbprincipalname=sympa/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
Enabled login with generated password: 
```

and tried using it:

```
# ldapsearch -D krbprincipalname=sympa/host.exampe.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com -W -LLL -b cn=users,cn=accounts,dc=example,dc=com uid -h ipa -p 389
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
        additional info: Password is expired.
```

How could the password be expired, when it was just newly created? In the password policy, the lifetime is set to 20000.

What could be the reason for the expired password?

---

The field krbPasswordExpiration needs to be deleted via LDAP before using the account. Then it works.

---

You can use this patch:

diff --git a/freeipa-service-password.sh b/freeipa-service-password.sh
index 293eafd..f9c7cac 100755
--- a/freeipa-service-password.sh
+++ b/freeipa-service-password.sh
@@ -77,5 +77,10 @@ add: userPassword
 userPassword: $service_bindpw
 EOLDIF
     fi
+    ldapmodify -Q > /dev/null 2>&1 <<EOLDIF
+dn: $service_binddn
+changetype: modify
+delete: krbPasswordExpiration
+EOLDIF
 done
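Review bot: the added `ldapmodify -Q > /dev/null 2>&1` call discards both stdout and stderr, so if the delete of krbPasswordExpiration fails (no valid Kerberos credentials for the `-Q` SASL bind, or the attribute already absent on a re-run, which LDAP reports as an error) the loop continues silently and the service is left with exactly the "Password is expired" bind failure this ticket describes. Suggest keeping stderr, or at least checking the exit status, e.g. `ldapmodify -Q >/dev/null <<EOLDIF` followed by `|| echo "failed to clear krbPasswordExpiration for $service_binddn" >&2`. Also note that `delete: krbPasswordExpiration` removes the expiry entirely rather than applying the lifetime from the password policy mentioned above; if service passwords are meant to expire per policy, a `replace:` with a policy-derived timestamp would be the more conservative change.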

Forking a repository is not allowed here, so I can't create a Pull Request.
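An added pre-flight check, not part of the ticket or the freeipa-scripts repository: it reads `ldapsearch -LLL` output for a service entry, reports whether krbPasswordExpiration already lies in the past (the state that produces the bind error above), and emits the same ldapmodify LDIF the patch applies. The sample LDIF, the DN and the reference "now" timestamp are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ldapsearch -LLL ... krbPasswordExpiration` output for a
# freshly created service entry (values are made up for this example).
SAMPLE_LDIF='dn: krbprincipalname=sympa/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
krbprincipalname: sympa/host.example.com@EXAMPLE.COM
krbPasswordExpiration: 20240101000000Z'

# Print the krbPasswordExpiration value (generalized time, YYYYMMDDHHMMSSZ)
# found in the LDIF passed as $1, or nothing if the attribute is absent.
kpe_from_ldif() {
  printf '%s\n' "$1" | sed -n 's/^krbPasswordExpiration: *//p' | head -n 1
}

# Classify the entry in $1 against the reference time $2 (same format, UTC):
# prints "absent", "expired" or "valid".
kpe_status() {
  exp=$(kpe_from_ldif "$1")
  if [ -z "$exp" ]; then echo absent; return; fi
  # Strip the trailing Z; the fixed-width digits compare correctly as integers.
  exp_n=${exp%Z}; now_n=${2%Z}
  if [ "$exp_n" -gt "$now_n" ]; then echo valid; else echo expired; fi
}

# Build the LDIF that removes the stale attribute from the bind DN in $1,
# i.e. the same modification the patch feeds to `ldapmodify -Q`.
kpe_clear_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: krbPasswordExpiration\n' "$1"
}

# Stand-alone usage: check the sample against a constructed "now" and, if it
# is expired, show the fix instead of binding and failing with error 49.
kpe_main() {
  now=${1:-20240203120000Z}
  dn=$(printf '%s\n' "$SAMPLE_LDIF" | sed -n 's/^dn: //p')
  case $(kpe_status "$SAMPLE_LDIF" "$now") in
    expired) echo "krbPasswordExpiration is in the past; apply:"; kpe_clear_ldif "$dn" ;;
    valid)   echo "krbPasswordExpiration is in the future; bind should work" ;;
    absent)  echo "no krbPasswordExpiration set on this entry" ;;
  esac
}

kpe_main "$@"
```

In practice the LDIF comes from `ldapsearch -LLL -b "$service_binddn" krbPasswordExpiration` and "now" from `date -u +%Y%m%d%H%M%SZ`.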

Reference: scripts/FreeIPA#4