Red Hat Bugzilla – Bug 498046
-p option for ipa-adduser doesn't work
Last modified: 2015-01-04 18:38:02 EST
Description of problem:
When adding a user with ipa-adduser and specifying a password with the -p (or --password=) option, the user gets created but the user cannot login using that password. Only after calling ipa-passwd for the created user can the user log in.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. create a user with "ipa-adduser -p testPwd testUser"
2. try to log the new user in using that password
Login should succeed.
Calling "ipa-passwd testUser" and setting the password there enables the user and after doing that he is able to log in. However, this doesn't work well for scripting since ipa-passwd doesn't support supplying the password as a parameter nor piping it into the application.
How are you logging into another server? If you are using ssh you need to be sure to enable ChallengeResponseAuthentication in /etc/ssh/sshd.conf.
$ ipa-adduser -p secretpw2 tuser
First name: Tim
Last name: User
tuser successfully added
$ kinit tuser
Password for tuser@TEST.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: tuser@TEST.COM
Valid starting Expires Service principal
04/29/09 16:10:43 04/30/09 16:10:43 krbtgt/TEST.COM@TEST.COM
$ rpm -q ipa-server
Ahh... that's probably it.
We're not logging into a server... these users are just logging onto a wiki web that is using LDAP authentication against our IPA server.
So when the users are created, the passwords are created as expired... this actually makes sense for the most general application, when creating a user with a default password since it will force the user to change it at first logon.
However, in my case, the users don't have access to any servers and we haven't gotten around to setting up a webpage where they can set their own password.
Maybe adding an option to ipa-adduser would be an acceptable solution? This option would have the meaning "create a non-expired, valid password" as opposed to the default behavior of creating a user with an expired password (as is being done now).
The idea is that when the password gets reset only the end user holds it. We have no plans to change this.
You can set the krbPasswordExpiration attribute to some point in the future to unexpire the password set at creation time.
ok... well we just created our own python script that does the same thing as ipa-passwd except that it accepts the password as a parameter... that solved this for us.
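The two comments above describe the workaround in words: set the password, then push krbPasswordExpiration into the future so the account is usable without a forced change at first login. The following script is an added example for this report, not FreeIPA's own tooling and not the reporter's script; it emits an LDIF for `ldapmodify` rather than talking to the directory itself, so it runs offline. The user-container DN (`cn=users,cn=accounts,dc=test,dc=com`) and the 90-day default validity are assumptions that must be adjusted to the deployment.

```python
#!/usr/bin/env python3
"""Generate an LDIF that (1) replaces a FreeIPA user's userPassword and
(2) sets krbPasswordExpiration to a future date, so an administrator-set
password is not treated as expired at first login.

Added example for this bug report; not FreeIPA's or the reporter's code.
The user-container DN below is an assumption about the directory layout."""
import base64
import sys
from datetime import datetime, timedelta, timezone

# Assumption: user entries live under cn=users,cn=accounts,<base DN>.
USER_BASE_DN = "cn=users,cn=accounts,dc=test,dc=com"

# Characters that would let a uid alter the DN structure.
DN_UNSAFE = set(',=+<>#;"\\\n\r')


def generalized_time(when: datetime) -> str:
    """Format a datetime as LDAP GeneralizedTime in UTC (YYYYmmddHHMMSSZ),
    the syntax krbPasswordExpiration uses. Naive datetimes are taken as UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def user_dn(uid: str) -> str:
    """Build the user's DN, refusing uids that carry DN metacharacters."""
    if not uid or any(c in DN_UNSAFE for c in uid):
        raise ValueError(f"refusing to build a DN from uid {uid!r}")
    return f"uid={uid},{USER_BASE_DN}"


def build_ldif(uid: str, password: str, expires_at: datetime) -> str:
    """Return two LDIF 'modify' records for ldapmodify, applied in order:
    first the password, then the expiration. Two records (rather than two
    mod-specs in one) keep the expiration change after whatever the server's
    password plugin does when it sees the userPassword replace. The password
    is always base64-encoded (the '::' form) so any character survives."""
    dn = user_dn(uid)
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword:: {encoded}",
        "-",
        "",
        f"dn: {dn}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        f"krbPasswordExpiration: {generalized_time(expires_at)}",
        "-",
        "",
    ]
    return "\n".join(lines)


def main(argv: list) -> int:
    """Usage: set-ipa-password.py <uid> [valid-days]  (password on stdin).
    Reading the password from stdin keeps it out of `ps` output and shell
    history, which a command-line parameter would not."""
    if len(argv) not in (2, 3):
        print("usage: set-ipa-password.py <uid> [valid-days] < password-file",
              file=sys.stderr)
        return 2
    uid = argv[1]
    days = int(argv[2]) if len(argv) == 3 else 90  # assumed default validity
    password = sys.stdin.readline().rstrip("\r\n")
    if not password:
        print("empty password on stdin", file=sys.stderr)
        return 2
    expires = datetime.now(timezone.utc) + timedelta(days=days)
    # Pipe the output into: ldapmodify -x -D "cn=Directory Manager" -W
    sys.stdout.write(build_ldif(uid, password, expires))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `printf '%s\n' "$PW" | ./set-ipa-password.py tuser 90 | ldapmodify -x -D "cn=Directory Manager" -W`. The expired-at-creation behaviour the maintainer describes is a deliberate control (only the end user ends up knowing the password), so a script like this is appropriate only for accounts such as the wiki-only users here, where the initial password is handed to the user and no interactive change path exists; keep the validity window short rather than setting an expiration years out.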