Bug 498046

Summary: -p option for ipa-adduser doesn't work
Product: [Retired] freeIPA Reporter: Stefan Freyr Stefansson <stefan.freyr>
Component: ipa-admintoolsAssignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: low    
Version: 1.2CC: benl, dpal, jgalipea, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-04-30 15:11:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stefan Freyr Stefansson 2009-04-28 16:08:05 UTC 
Description of problem:
When adding a user with ipa-adduser and specifying a password with the -p (or --password=) option, the user gets created but the user cannot login using that password. Only after calling ipa-passwd for the created user can the user log in.

Version-Release number of selected component (if applicable):
1.2.1

How reproducible:
Always

Steps to Reproduce:
1. create a user with "ipa-adduser -p testPwd testUser"
2. try to log the new user in using that password
  
Actual results:
Login fails.

Expected results:
Login should succeed.

Additional info:
Calling "ipa-passwd testUser" and setting the password there enables the user and after doing that he is able to log in. However, this doesn't work well for scripting since ipa-passwd doesn't support supplying the password as a parameter nor piping it into the application.
Comment 1 Rob Crittenden 2009-04-29 20:14:06 UTC 
How are you logging into another server? If you are using ssh you need to be sure to enable ChallengeResponseAuthentication in /etc/ssh/sshd.conf.

$ ipa-adduser -p secretpw2 tuser
First name: Tim
Last name: User
tuser successfully added
$ kinit tuser
Password for tuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: tuser

Valid starting     Expires            Service principal
04/29/09 16:10:43  04/30/09 16:10:43  krbtgt/TEST.COM

$ rpm -q ipa-server
ipa-server-1.2.1-1.fc9.i386
Comment 2 Stefan Freyr Stefansson 2009-04-29 21:58:58 UTC 
Ahh... that's probably it.

We're not logging into a server... these users are just logging onto a wiki web that is using LDAP authentication against our IPA server.

So when the users are created, the passwords are created as expired... this actually makes sense for the most general application, when creating a user with a default password since it will force the user to change it at first logon.

However, in my case, the users don't have access to any servers and we haven't gotten around to setting up a webpage where they can set their own password.

Maybe adding an option to ipa-adduser would be an acceptable solution? This option would have the meaning "create a non-expired, valid password" as opposed to the default behavior of creating a user with an expired password (as is being done now).
Comment 3 Rob Crittenden 2009-04-30 14:46:44 UTC 
The idea is that when the password gets reset only the end user holds it. We have no plans to change this.

You can set the krbPasswordExpiration attribute to some point in the future to unexpire the password set at creation time.
Comment 4 Stefan Freyr Stefansson 2009-04-30 15:11:56 UTC 
ok... well we just created our own python script that does the same thing as ipa-passwd except that it accepts the password as a parameter... that solved this for us.