Hello everyone.

The problem was that the user was disabled.

Indeed, when you disable a user with ipa user-disable, you can still ipa passwd this user, but the kpasswd will always fail with the error message "Clients credentials have been revoked getting initial ticket".

If you enable the user, you can reinit the password of the user.

Hope this will help someone else !

Best regards.

Lune

Le jeu. 12 déc. 2019 à 08:54, lune voo <lune.voo1234@gmail.com> a écrit :

Hello everyone.

I contact you because I have a problem when I reinitialize some passwords for other users.

I created a login in IPA and I added this login into the admins group.
Then I was able to perform some password changes for other accounts, using :
1. ipa passwd to set a one time password
2. kpasswd to set a "permanent" password (respecting the password policy)
3. And then I send the password to the end user

Then I tried on another account.
- The ipa passwd works well.
- But when I tried the kpasswd, I get the following error message :
"kpasswd: Clients credentials have been revoked getting initial ticket"

I retried multiple times, but I always got the same error message.

I thought it was because the account was locked. So I checked with ipa status and the account is not locked.

What does this error message mean please ?
-> When it says the "client", does it mean the other account I am trying to kpasswd ?
-> When it says that the credentials have been revoked, what does it mean ?
-> What is this initial ticket it is mentioning ?

Thank you in advance !

Best regards.

Lune