[Freeipa-devel] Password expired on new user

Simo Sorce ssorce at redhat.com
Mon Dec 3 13:15:26 UTC 2007


On Mon, 2007-12-03 at 16:45 +1000, David O'Brien wrote:
> Simo Sorce wrote:
> > Pam_krb5 should ask you to change password.
> > If not we need to investigate why.
> > 
> > Simo.
> > 
> > On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
> >> Simo Sorce wrote:
> >>> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
> >>>> I just created a new user but as soon as I did and the interface
> >>>> returned to the View User page, it said "Password has expired". I
> >>>> thought I saw a comment from Suzanne? about this but now I can't find it.
> >>>>
> >>>> Why would this happen?
> >>> Because when admins change passwords, users are required to reset them to
> >>> a value unknown to the admin immediately.
> >>> This is by design. And it is meant as a way to safely distribute new
> >>> accounts as well as do password resets without letting anybody but the
> >>> user know the final password.
> >>> Unfortunately at this moment I don't have a way to provide a better
> >>> message like: "the password was reset you have to change it". But that
> >>> is the idea.
> >>>
> >>> Simo.
> >>>
> >> Yes, that part of it makes sense and is to be expected. The immediate
> >> "password is expired" (effectively blocking out the user) was the real
> >> eyebrow-raiser. I'll test again on a later build today and see what
> >> happens, but as it stands I can't log in as anyone except admin using
> >> this password policy.
> >>
> 
> I did this on the command line, just for a change.
> 
> 1. added a new user jpark with password jpark1234
> 2. ipa-finduser jpark
> Common Name: Jainey Park
> Home Directory: /home/jpark
> Login Shell: /bin/sh
> Login: jpark
> 
> 3. kinit jpark
> kinit(v5): Password has expired while getting initial credentials
> 
> that's it. Drops me back to a prompt. I couldn't find anything useful in
> /var/log/{messages,ipa_error,krb5kdc}.log

You for sure have stuff in krb5kdc.log.

Anyway, in this case you should just do a kpasswd jpark and change the
password.
I'd like to see you do a login on a client though, not a kinit.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
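The reset-then-change flow discussed above, as an added illustration that is not part of this thread and not FreeIPA or MIT krb5 code: a small in-memory model in which an admin-set password is written already expired, kinit is refused with "Password has expired", and only kpasswd (which accepts the expired password) makes the account usable with a value the admin never sees. The KDC class, walkthrough function, the 90-day MAX_PWD_LIFE value and the EXAMPLE.COM realm are assumptions; jpark / jpark1234 are the names from the thread.

```python
"""Model of the behaviour discussed in the thread: a password set by an
administrator is stored already expired, so the user's first kinit fails with
"Password has expired" and only kpasswd (the change-password service, which
accepts an expired password) gets the account usable.  Added illustration,
not FreeIPA or MIT krb5 code; the field names mirror the
krbPasswordExpiration / krbMaxPwdLife attributes, but the "directory" is a
dict, the 90-day lifetime is an assumed policy value, and the principal
jpark / jpark1234 comes from the thread."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PWD_LIFE = timedelta(days=90)          # assumed krbMaxPwdLife policy value
FIXED_NOW = datetime(2007, 12, 3, 13, 15, tzinfo=timezone.utc)  # date of the mail


class PasswordExpired(Exception):
    """Where a real KDC returns KDC_ERR_KEY_EXP and kinit prints the message."""


class PreauthFailed(Exception):
    """Wrong password: KDC_ERR_PREAUTH_FAILED."""


@dataclass
class Principal:
    name: str
    password: str            # a real KDC stores derived keys, not the password
    expiration: datetime     # krbPasswordExpiration


class KDC:
    def __init__(self):
        self.principals = {}

    def admin_set_password(self, user, password, now):
        """ipa-adduser / admin reset: the admin knows this value, so the entry
        is written already expired. The only thing it can be used for is a
        password change, never a login."""
        self.principals[user] = Principal(user, password, now - timedelta(seconds=1))

    def _check(self, user, password):
        p = self.principals[user]
        if p.password != password:
            raise PreauthFailed("Preauthentication failed")
        return p

    def kinit(self, user, password, now):
        """AS-REQ: a correct but expired password yields no TGT."""
        p = self._check(user, password)
        if p.expiration <= now:
            raise PasswordExpired("Password has expired while getting initial credentials")
        return f"krbtgt/EXAMPLE.COM ticket for {user}"   # realm is assumed

    def kpasswd(self, user, old_password, new_password, now):
        """kpasswd talks to the change-password service, which accepts the old
        password even when expired; the new value gets a full policy lifetime."""
        p = self._check(user, old_password)
        if new_password == old_password:
            raise ValueError("new password must differ from the admin-set one")
        p.password = new_password            # known only to the user from here on
        p.expiration = now + MAX_PWD_LIFE


def walkthrough(now=FIXED_NOW):
    """Replays the thread's command-line steps and returns one line per step."""
    kdc = KDC()
    kdc.admin_set_password("jpark", "jpark1234", now)        # step 1 of the mail
    out = []
    try:                                                      # step 3: kinit jpark
        kdc.kinit("jpark", "jpark1234", now)
    except PasswordExpired as e:
        out.append(f"kinit: {e}")
    kdc.kpasswd("jpark", "jpark1234", "user-chosen-secret", now)  # Simo's advice
    out.append("kpasswd: password changed")
    out.append("kinit: " + kdc.kinit("jpark", "user-chosen-secret", now))
    try:                                                      # admin's value is dead
        kdc.kinit("jpark", "jpark1234", now)
    except PreauthFailed as e:
        out.append(f"kinit: {e}")
    return out


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```

The point the model makes explicit is the one the thread argues over: an expired admin-set password is not a lockout, because the change-password path and the ticket-granting path are checked differently, and after kpasswd the admin's original value no longer works at all.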
