RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 887988 - [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI
Summary: [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
: 888240 (view as bug list)
Depends On:
Blocks: 1094433 1113520
TreeView+ depends on / blocked
 
Reported: 2012-12-17 18:41 UTC by Sigbjorn Lie
Modified: 2019-05-20 11:03 UTC (History)
10 users (show)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1094433 (view as bug list)
Environment:
Last Closed: 2015-03-05 10:08:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Sigbjorn Lie 2012-12-17 18:41:34 UTC 
Description of problem:
RFE: Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI to allow a user account to expire at a certain date.
Comment 3 Martin Kosek 2012-12-18 09:28:21 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3306
Comment 4 Martin Kosek 2012-12-18 15:01:15 UTC 
*** Bug 888240 has been marked as a duplicate of this bug. ***
Comment 6 Martin Kosek 2013-10-07 13:35:10 UTC 
~~ Current DEV status ~~

This RFEc consists of 2 parts:

https://fedorahosted.org/freeipa/ticket/3305: KrbPrincipalExpiration should be checked in pre-bind op
https://fedorahosted.org/freeipa/ticket/3306: [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI

We have patch for the first part, it is being reviewed for FreeIPA 3.4. Second ticket should be also pretty easily solvable, mostly standard CLI/UI wiring.
Comment 8 Sigbjorn Lie 2013-12-20 07:34:28 UTC 
Any update with regards to this request?
Comment 9 Martin Kosek 2014-01-02 12:24:00 UTC 
Hello Signbjorn, this RFE is being solved upstream, in currently developed FreeIPA version 3.4 which is planned to be released in Q1 2014. The RFE is preliminary planned for RHEL-7.1.

If backport to earlier RHEL version is requested, please contact the Customer Service.
Comment 12 Deepak Das 2014-01-24 08:24:37 UTC 
Hi Martin,

Please check response in comment #11 for the requested information.
Comment 13 Martin Kosek 2014-01-30 13:55:15 UTC 
Deepak, as the development team focused on development and testing of the upcoming RHEL-7.0 release, the development of the upstream feature is not complete yet. It is in development, but not finished.

I am confident it will be part of RHEL-7.1 release. As for RHEL-6.6, we need to check with QE first so that they can evaluate, if they will be able to test it.
Comment 15 Martin Kosek 2014-05-12 06:29:11 UTC 
Fixed upstream in master branch:

LDAP bind fix:
5d78cdf80951748f5f954a69c41a2a2cb1b84812 ipa-pwd-extop: Deny LDAP binds for accounts with expired principals
004071a24626195994265b1bcc3ac616bb09d795 ipatests: Add test for denying expired principals

CLI/UI enhancement:
edb5a0c5344de88cc41f6f73098da88d754cf076 ipalib: Expose krbPrincipalExpiration in CLI
4568a52953bc8e0193d586ebc3d8bdbd3e3e0fa0 ipatests: Fix formatting errors in test_user_plugin.py
473a9fd23800b46b4608465ae47da523e8a2861f ipatests: Add coverage for setting krbPrincipalExpiration
Comment 16 Petr Vobornik 2014-06-16 13:50:10 UTC 
Web UI enhancement:
4de9c5fc51c1e9a07a23b430ba531eb096960732 webui: expose krbprincipalexpiration
Comment 18 Namita Soman 2015-01-26 22:03:33 UTC 
Verified using ipa-server-4.1.0-16.el7.x86_64

 
# ipa user-add --first=two --last=two two --password
Password: 
Enter Password again to verify: 
----------------
Added user "two"
----------------
  User login: two
  First name: two
  Last name: two
  Full name: two two
  Display name: two two
  Initials: tt
  Home directory: /home/two
  GECOS: two two
  Login shell: /bin/sh
  Kerberos principal: two
  Email address: two
  UID: 547200003
  GID: 547200003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# kinit two
Password for two: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# ipa user-mod two --principal-expiration="2015-01-27 00:00:00Z"
-------------------
Modified user "two"
-------------------
  User login: two
  First name: two
  Last name: two
  Home directory: /home/two
  Login shell: /bin/sh
  Kerberos principal expiration: 20150127000000Z
  Email address: two
  UID: 547200003
  GID: 547200003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


# date
Mon Jan 26 16:55:01 EST 2015


# date +%D -s 2015-01-28
01/28/15
# date
Wed Jan 28 00:00:05 EST 2015

# kinit two
kinit: Client's entry in database has expired while getting initial credentials

Verified the same from UI also.
Comment 20 errata-xmlrpc 2015-03-05 10:08:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Comment 21 Varun Mylaraiah 2015-06-09 07:37:15 UTC 
After user account has expired at a certain date, Error message that appears in CLI is   "kinit: Client's entry in database has expired while getting initial credentials"
But, the Error message in UI is:  "The password or username you entered is incorrect". Shouldn't both CLI and UI have the same error message?
Comment 22 Petr Vobornik 2015-06-19 11:14:22 UTC 
ipa/session/login_password doesn't recognize the "kinit: Client's entry in database has expired while getting initial credentials" erorr and think that it's general invalid password error. This is then send to Web UI which displays invalid message.

ipa/session/login_password should be fixed to recognize this error and then send html header in response with appropriate error
Note You need to log in before you can comment on or make changes to this bug.