Bug 96424

Summary: adcli attempting to modify userAccountControl during TGT update
Product: realmd Reporter: Luke Bigum <luke.bigum>
Component: adcliAssignee: Stef Walter <stefw>
Status: RESOLVED MOVED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Luke Bigum 2016-06-07 13:30:23 UTC
adcli appears to be trying to update the userAccountControl when doing a kerberos ticket renewal, or "adcli update". While it doesn't appear to cause anything to fail, I don't think it should be trying to do this.

[root@localhost ~]# adcli update -D example.com -N bigumlvm -S dc.example.com -v
...
 * Password not too old, no change needed
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=bigumlvm,CN=Computers,DC=example,DC=com: Insufficient access
 * Updated existing computer account: CN=bigumlvm,CN=Computers,DC=example,DC=com
Comment 1 Luke Bigum 2016-06-07 13:35:21 UTC
Oh, after reading the man page it may appear you want to write some extra attributes if specifying a credentials cache, but the man page does not mention what in the userAccountControl attribute you are trying to modify. I still don't think it's a good idea though - you could give the account an unlimited password expiry time by modifying userAccountControl.
Comment 2 GitLab Migration User 2018-10-12 21:18:42 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/realmd/adcli/issues/4.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.