<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>In 26 years, I guarantee this will be someone else's problem. </div><div><br><br><div>Bret Wortman</div><div><a href="http://bretwortman.com/">http://bretwortman.com/</a></div><div><a href="http://twitter.com/BretWortman">http://twitter.com/BretWortman</a></div></div><div><br>On Mar 6, 2014, at 8:25 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
  
  
  
    On 03/06/2014 08:10 AM, Bret Wortman wrote:
    <blockquote cite="mid:531873AF.2060803@damascusgrp.com" type="cite">
      Just found with some fresh Googling an email from Rob recommending
      setting the max to 5000. I'll try that.<br>
    </blockquote>
    <br>
    Just make sure it is not after 2038 because Kerberos uses 32 bit
    time that rolls over in Feb of 2038.<br>
    <br>
    <blockquote cite="mid:531873AF.2060803@damascusgrp.com" type="cite">
      <br>
      <br>
      <div class="moz-cite-prefix">On 03/06/2014 08:08 AM, Bret Wortman
        wrote:<br>
      </div>
      <blockquote cite="mid:53187331.8010207@damascusgrp.com" type="cite">Is there a way to set a password to not expire? I
        thought I read somewhere that 0 did that, but apparently not. <br>
        <br>
        On 03/06/2014 07:55 AM, Sumit Bose wrote: <br>
        <blockquote type="cite">On Thu, Mar 06, 2014 at 07:39:15AM
          -0500, Bret Wortman wrote: <br>
          <blockquote type="cite">Strange behavior now with our
            passwords (and we still haven't solved <br>
            our problem with the "ipa" command, but at least with
            script, we <br>
            have a workaround): <br>
            <br>
            I noticed yesterday morning that my password, which has the
            <br>
            following policy, was going to expire in 3 days so I changed
            it. <br>
            <br>
            Max lifetime (days) : 0 <br>
          </blockquote>
          I think the behaviour is expected with this maximal lifetime.
          <br>
          <br>
          bye, <br>
          Sumit <br>
          <br>
          <blockquote type="cite">Min lifetime (hours) : 0 <br>
            History size (number of passwords): 0 <br>
            Character classes: 2 <br>
            Min length: 8 <br>
            Max failures: 4 <br>
            Failure reset interval (seconds): 60 <br>
            Lockout duration (seconds): 60 <br>
            <br>
            The IPA web UI immediately began reporting in red that "Your
            <br>
            password expires in -1 days." <br>
            <br>
            This morning, I ran "kinit": <br>
            <br>
            $ kinit <br>
            Password for <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:bretw@DAMASCUSGRP.COM">bretw@DAMASCUSGRP.COM</a>:
            <br>
            Password expired.  You must change it now. <br>
            Enter new password: <br>
            Enter it again: <br>
            Warning: Your password will expire in less than one hour on
            Thu 06 <br>
            Mar 2014 06:45:48 AM EST <br>
            $ <br>
            <br>
            What's up? I'd like to solve this before it bites any of my
            users, <br>
            though most have a policy that looks more like this: <br>
            <br>
            Max lifetime (days) : 180 <br>
            Min lifetime (hours) : 1 <br>
            History size (number of passwords): 0 <br>
            Character classes: 2 <br>
            Min length: 8 <br>
            Max failures: 6 <br>
            Failure reset interval (seconds): 60 <br>
            Lockout duration (seconds): 600 <br>
            <br>
            <br>
            -- <br>
            *Bret Wortman* <br>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://damascusgrp.com/">http://damascusgrp.com/</a>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://about.me/wortmanbret">http://about.me/wortmanbret</a>
            <br>
            <br>
          </blockquote>
          <br>
          <br>
          <blockquote type="cite">_______________________________________________

            <br>
            Freeipa-users mailing list <br>
            <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
            <br>
          </blockquote>
        </blockquote>
        <br>
        <br>
        <br>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
  

</div></blockquote></body></html>