Bug 498046 - -p option for ipa-adduser doesn't work
Product: freeIPA
Classification: Community
Component: ipa-admintools
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Rob Crittenden
Chandrasekar Kannan
Reported: 2009-04-28 12:08 EDT by Stefan Freyr Stefansson
Modified: 2015-01-04 18:38 EST
Doc Type: Bug Fix
Last Closed: 2009-04-30 11:11:56 EDT
Description Stefan Freyr Stefansson 2009-04-28 12:08:05 EDT
Description of problem:
When adding a user with ipa-adduser and specifying a password with the -p (or --password=) option, the user gets created but the user cannot log in using that password. Only after calling ipa-passwd for the created user can the user log in.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create a user with "ipa-adduser -p testPwd testUser"
2. try to log the new user in using that password
Actual results:
Login fails.

Expected results:
Login should succeed.

Additional info:
Calling "ipa-passwd testUser" and setting the password there enables the user and after doing that he is able to log in. However, this doesn't work well for scripting since ipa-passwd doesn't support supplying the password as a parameter nor piping it into the application.
Comment 1 Rob Crittenden 2009-04-29 16:14:06 EDT
How are you logging into another server? If you are using ssh you need to be sure to enable ChallengeResponseAuthentication in /etc/ssh/sshd.conf.

$ ipa-adduser -p secretpw2 tuser
First name: Tim
Last name: User
tuser successfully added
$ kinit tuser
Password for tuser@TEST.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: tuser@TEST.COM

Valid starting     Expires            Service principal
04/29/09 16:10:43  04/30/09 16:10:43  krbtgt/TEST.COM@TEST.COM

$ rpm -q ipa-server
Comment 2 Stefan Freyr Stefansson 2009-04-29 17:58:58 EDT
Ahh... that's probably it.

We're not logging into a server... these users are just logging onto a wiki web that is using LDAP authentication against our IPA server.

So when the users are created, the passwords are created as expired... this actually makes sense for the most general application, when creating a user with a default password since it will force the user to change it at first logon.

However, in my case, the users don't have access to any servers and we haven't gotten around to setting up a webpage where they can set their own password.

Maybe adding an option to ipa-adduser would be an acceptable solution? This option would have the meaning "create a non-expired, valid password" as opposed to the default behavior of creating a user with an expired password (as is being done now).
Comment 3 Rob Crittenden 2009-04-30 10:46:44 EDT
The idea is that when the password gets reset only the end user holds it. We have no plans to change this.

You can set the krbPasswordExpiration attribute to some point in the future to unexpire the password set at creation time.
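
Added example (not part of the original comment and not FreeIPA's own code): one way to build the LDAP change that Comment 3 describes, moving krbPasswordExpiration into the future. The entry layout uid=<user>,cn=users,cn=accounts,<suffix>, the suffix dc=test,dc=com and all function names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC

def escape_rdn_value(value):
    """Escape RFC 4514 special characters so a uid cannot alter the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        edge = (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\" + ch if special or edge else ch)
    return "".join(out)

def is_expired(krb_password_expiration, now):
    """True if a krbPasswordExpiration value lies at or before `now`."""
    expiry = datetime.strptime(krb_password_expiration, GT_FMT)
    return expiry.replace(tzinfo=timezone.utc) <= now

def unexpire_ldif(uid, suffix, days, now):
    """Build LDIF that sets krbPasswordExpiration `days` after `now`."""
    if days <= 0:
        raise ValueError("days must be positive")
    if not uid or not uid.isascii() or not uid.isprintable():
        raise ValueError("uid must be printable ASCII for plain LDIF")
    expiry = (now + timedelta(days=days)).strftime(GT_FMT)
    # Assumed entry layout; adjust to the directory's real user container.
    dn = "uid=%s,cn=users,cn=accounts,%s" % (escape_rdn_value(uid), suffix)
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: krbPasswordExpiration",
        "krbPasswordExpiration: " + expiry,
        "",
    ])

if __name__ == "__main__":
    # Constructed sample values: user from the session above, assumed suffix.
    now = datetime.now(timezone.utc)
    print(unexpire_ldif("tuser", "dc=test,dc=com", 90, now))
```

The output is LDIF that can be fed to ldapmodify by an account allowed to write the attribute. Keeping `days` short limits how long a password that the administrator also knows stays valid.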
Comment 4 Stefan Freyr Stefansson 2009-04-30 11:11:56 EDT
ok... well we just created our own python script that does the same thing as ipa-passwd except that it accepts the password as a parameter... that solved this for us.