From b7ae0783a736a0f31eb027e1c73ccf9ae9284311 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 14 Nov 2023 11:33:11 +0100
Subject: [PATCH] IPA: use earlier expiration time when creating new user

The old expiration time was further in future than what krb5 can handle.
krb5 treats timestamps as int32 and we exceeded it. Therefore, user
authentication yieled an error in SSSD krb5_child logs, even though
authentication was successful.
---
 sssd_test_framework/roles/ipa.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sssd_test_framework/roles/ipa.py b/sssd_test_framework/roles/ipa.py
index ccbe2f40..af7f85ea 100644
--- a/sssd_test_framework/roles/ipa.py
+++ b/sssd_test_framework/roles/ipa.py
@@ -410,7 +410,7 @@ def add(
         }
 
         if not require_password_reset:
-            attrs["password-expiration"] = (self.cli.option.VALUE, "20380805120000Z")
+            attrs["password-expiration"] = (self.cli.option.VALUE, "20380101120000Z")
 
         self._add(attrs, input=password)
         return self