# ipa user-show --all serviceinvoker |grep krbpwdpolicyreference krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
On Tue, Jul 2, 2013 at 4:32 PM, Rob Crittenden <[email protected]> wrote: > Vitaly wrote: >>> >>> if you want that the password never expires for some users you should >>> created a password policy where the password never expires and assign >>> the policy to the users. >> >> Thank you, Sumit. >> As far as I understand, I need to tweak krbPasswordExpiration anyway >> if password was changed before password policy was applied. >> >>> From another side, I have a weird issue with password policy: >> >> >> #ipa user-show serviceinvoker --all >> .... >> Member of groups: ...., services >> >> #ipa pwpolicy-show services >> Group: services >> >> But >> # ipa pwpolicy-show --user serviceinvoker >> Group: global_policy > > > Curious. We'd need to see more details of the password policy, priority for > example. > > Does this show the right policy? > > ipa user-show --all serviceinvoker |grep krbpwdpolicyreference > > >> >> On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <[email protected]> wrote: >>> >>> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote: >>>> >>>> I already read >>>> >>>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread, >>>> but I am not sure I understand suggested solution. >>>> So my question - how I can change krbPasswordExpiration for certain >>>> account? >>>> >>>> ipa user-mod service --setattr=krbPasswordExpiration=20381231011529Z >>> >>> >>> if you want that the password never expires for some users you should >>> created a password policy where the password never expires and assign >>> the policy to the users. >>> >>> See 'ipa help pwpolicy' for more details. >>> >>> HTH >>> >>> bye, >>> Sumit >>>> >>>> >>>> returns >>>> >>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the >>>> 'krbPasswordExpiration' attribute of entry >>>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'. >>>> >>>> TIA, >>>> Vitaly >>> >>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> [email protected] >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> [email protected] >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
