Bug 498046 - -p option for ipa-adduser doesn't work
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 1.2
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-04-28 16:08 UTC by Stefan Freyr Stefansson
Modified: 2015-01-04 23:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-30 15:11:56 UTC
Embargoed:



Description Stefan Freyr Stefansson 2009-04-28 16:08:05 UTC
Description of problem:
When adding a user with ipa-adduser and specifying a password with the -p (or --password=) option, the user gets created but the user cannot login using that password. Only after calling ipa-passwd for the created user can the user log in.

Version-Release number of selected component (if applicable):
1.2.1

How reproducible:
Always

Steps to Reproduce:
1. create a user with "ipa-adduser -p testPwd testUser"
2. try to log the new user in using that password
  
Actual results:
Login fails.

Expected results:
Login should succeed.

Additional info:
Calling "ipa-passwd testUser" and setting the password there enables the user and after doing that he is able to log in. However, this doesn't work well for scripting since ipa-passwd doesn't support supplying the password as a parameter nor piping it into the application.

Comment 1 Rob Crittenden 2009-04-29 20:14:06 UTC
How are you logging into another server? If you are using ssh you need to be sure to enable ChallengeResponseAuthentication in /etc/ssh/sshd.conf.

$ ipa-adduser -p secretpw2 tuser
First name: Tim
Last name: User
tuser successfully added
$ kinit tuser
Password for tuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: tuser

Valid starting     Expires            Service principal
04/29/09 16:10:43  04/30/09 16:10:43  krbtgt/TEST.COM

$ rpm -q ipa-server
ipa-server-1.2.1-1.fc9.i386

Comment 2 Stefan Freyr Stefansson 2009-04-29 21:58:58 UTC
Ahh... that's probably it.

We're not logging into a server... these users are just logging onto a wiki web that is using LDAP authentication against our IPA server.

So when the users are created, the passwords are created as expired... this actually makes sense for the most general application, when creating a user with a default password since it will force the user to change it at first logon.

However, in my case, the users don't have access to any servers and we haven't gotten around to setting up a webpage where they can set their own password.

Maybe adding an option to ipa-adduser would be an acceptable solution? This option would have the meaning "create a non-expired, valid password" as opposed to the default behavior of creating a user with an expired password (as is being done now).

Comment 3 Rob Crittenden 2009-04-30 14:46:44 UTC
The idea is that when the password gets reset only the end user holds it. We have no plans to change this.

You can set the krbPasswordExpiration attribute to some point in the future to unexpire the password set at creation time.
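Added example, not part of the original thread and not freeIPA code: a Python sketch of the krbPasswordExpiration change suggested in comment 3, which checks whether a stored value is already in the past and builds an LDIF change record that moves it forward. The user DN layout (uid=tuser,cn=users,cn=accounts,dc=test,dc=com), the 90-day window and the function names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# krbPasswordExpiration uses LDAP GeneralizedTime; UTC form is YYYYMMDDHHMMSSZ.
GT_FORMAT = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime string such as 20090429201406Z."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def is_expired(krb_password_expiration, now):
    """True when the stored expiration is at or before `now` (aware datetime)."""
    return parse_generalized_time(krb_password_expiration) <= now


def unexpire_ldif(user_dn, now, valid_days):
    """Return an LDIF modify record setting krbPasswordExpiration in the future."""
    if valid_days <= 0:
        raise ValueError("valid_days must be positive")
    # A DN with line breaks or control characters could smuggle extra LDIF
    # lines into the record, so refuse it instead of writing it out.
    if not user_dn or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_dn):
        raise ValueError("DN is empty or contains control characters")
    expiry = now.astimezone(timezone.utc) + timedelta(days=valid_days)
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        f"krbPasswordExpiration: {expiry.strftime(GT_FORMAT)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values: the timestamps mirror the comment dates above,
    # the DN is an assumed layout for the TEST.COM realm.
    now = datetime(2009, 4, 30, 14, 46, 44, tzinfo=timezone.utc)
    dn = "uid=tuser,cn=users,cn=accounts,dc=test,dc=com"
    print("expired:", is_expired("20090429201406Z", now))
    print(unexpire_ldif(dn, now, 90), end="")
```

The printed record is a standard LDIF modify entry of the kind ldapmodify accepts.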

Comment 4 Stefan Freyr Stefansson 2009-04-30 15:11:56 UTC
OK... well, we just created our own Python script that does the same thing as ipa-passwd except that it accepts the password as a parameter... that solved this for us.

