Description of problem:
When adding a user with ipa-adduser and specifying a password with the -p (or --password=) option, the user gets created but the user cannot log in using that password. Only after calling ipa-passwd for the created user can the user log in.

Version-Release number of selected component (if applicable): 1.2.1

How reproducible: Always

Steps to Reproduce:
1. create a user with "ipa-adduser -p testPwd testUser"
2. try to log the new user in using that password

Actual results: Login fails.

Expected results: Login should succeed.

Additional info:
Calling "ipa-passwd testUser" and setting the password there enables the user, and after doing that he is able to log in. However, this doesn't work well for scripting since ipa-passwd doesn't support supplying the password as a parameter nor piping it into the application.
How are you logging into another server? If you are using ssh you need to be sure to enable ChallengeResponseAuthentication in /etc/ssh/sshd.conf.

$ ipa-adduser -p secretpw2 tuser
First name: Tim
Last name: User
tuser successfully added
$ kinit tuser
Password for tuser:
Password expired. You must change it now.
Enter new password:
Enter it again:
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: tuser
Valid starting     Expires            Service principal
04/29/09 16:10:43  04/30/09 16:10:43  krbtgt/TEST.COM
$ rpm -q ipa-server
ipa-server-1.2.1-1.fc9.i386
Ahh... that's probably it. We're not logging into a server... these users are just logging onto a wiki web that is using LDAP authentication against our IPA server. So when the users are created, the passwords are created as expired... this actually makes sense for the most general application, when creating a user with a default password since it will force the user to change it at first logon. However, in my case, the users don't have access to any servers and we haven't gotten around to setting up a webpage where they can set their own password. Maybe adding an option to ipa-adduser would be an acceptable solution? This option would have the meaning "create a non-expired, valid password" as opposed to the default behavior of creating a user with an expired password (as is being done now).
The idea is that when the password gets reset only the end user holds it. We have no plans to change this. You can set the krbPasswordExpiration attribute to some point in the future to unexpire the password set at creation time.
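An added example, not FreeIPA's code and not the script mentioned later in this thread, of working with krbPasswordExpiration as this comment suggests: it lists which users the KDC would report as "Password expired" and builds the LDIF that pushes a user's expiration into the future. The user container layout (uid=...,cn=users,cn=accounts,<base>) and the sample entries are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# IPA stores krbPasswordExpiration as LDAP GeneralizedTime, e.g. 20090429161043Z
KRB_TIME_FMT = "%Y%m%d%H%M%SZ"


def to_krb_time(dt: datetime) -> str:
    """Render an aware datetime as the GeneralizedTime string IPA expects."""
    return dt.astimezone(timezone.utc).strftime(KRB_TIME_FMT)


def from_krb_time(value: str) -> datetime:
    """Parse a krbPasswordExpiration value into an aware UTC datetime."""
    return datetime.strptime(value, KRB_TIME_FMT).replace(tzinfo=timezone.utc)


def is_expired(krb_password_expiration: str, now: datetime) -> bool:
    """An expiration at or before 'now' is what kinit reports as 'Password expired'."""
    return from_krb_time(krb_password_expiration) <= now


def find_expired(entries, now: datetime):
    """Audit helper: uids whose password is expired.

    'entries' is a list of {'uid': ..., 'krbPasswordExpiration': ...} dicts,
    e.g. what an ldapsearch over cn=users would return."""
    return [e["uid"] for e in entries if is_expired(e["krbPasswordExpiration"], now)]


def unexpire_ldif(uid: str, base_dn: str, now: datetime, days: int) -> str:
    """LDIF modify that sets krbPasswordExpiration 'days' ahead (feed it to ldapmodify).

    The DN layout below is the assumed IPA user container, not taken from the thread."""
    dn = f"uid={uid},cn=users,cn=accounts,{base_dn}"
    new_expiration = to_krb_time(now + timedelta(days=days))
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        f"krbPasswordExpiration: {new_expiration}",
        "",
    ])


# Constructed sample data: a user created with ipa-adduser -p (expiration == creation
# time, so expired) and one whose expiration was already pushed into the future.
NOW = datetime(2009, 4, 29, 16, 10, 43, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": "testUser", "krbPasswordExpiration": "20090429161043Z"},
    {"uid": "tuser", "krbPasswordExpiration": "20100101000000Z"},
]

if __name__ == "__main__":
    print("expired:", find_expired(SAMPLE_ENTRIES, NOW))
    print(unexpire_ldif("testUser", "dc=test,dc=com", NOW, 90))
```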
ok... well we just created our own python script that does the same thing as ipa-passwd except that it accepts the password as a parameter... that solved this for us.