>if you want that the password never expires for some users you should >created a password policy where the password never expires and assign >the policy to the users. Thank you, Sumit. As far as I understand, I need to tweak krbPasswordExpiration anyway if password was changed before password policy was applied.
>From another side, I have a weird issue with password policy: #ipa user-show serviceinvoker --all .... Member of groups: ...., services #ipa pwpolicy-show services Group: services But # ipa pwpolicy-show --user serviceinvoker Group: global_policy On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <[email protected]> wrote: > On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote: >> I already read >> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread, >> but I am not sure I understand suggested solution. >> So my question - how I can change krbPasswordExpiration for certain account? >> >> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z > > if you want that the password never expires for some users you should > created a password policy where the password never expires and assign > the policy to the users. > > See 'ipa help pwpolicy' for more details. > > HTH > > bye, > Sumit >> >> returns >> >> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the >> 'krbPasswordExpiration' attribute of entry >> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'. >> >> TIA, >> Vitaly > >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
