[Freeipa-devel] Password expired on new user

David O'Brien david.obrien at redhat.com
Mon Dec 3 14:45:28 UTC 2007


Simo Sorce wrote:
> On Mon, 2007-12-03 at 16:45 +1000, David O'Brien wrote:
>> Simo Sorce wrote:
>>> Pam_krb5 should ask you to change password.
>>> If not we need to investigate why.
>>>
>>> Simo.
>>>
>>> On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
>>>> Simo Sorce wrote:
>>>>> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
>>>>>> I just created a new user but as soon as I did and the interface
>>>>>> returned to the View User page, it said "Password has expired". I
>>>>>> thought I saw a comment from Suzanne? about this but now I can't find it.
>>>>>>
>>>>>> Why would this happen?
>>>>> Because when admins change password users are required to reset them to
>>>>> a value unknown to the admin immediately.
>>>>> This is by design. And it is meant as a way to safely distribute new
>>>>> accounts as well do password resets without letting anybody else but the
>>>>> user know the final password.
>>>>> Unfortunately at this moment I don't have a way to provide a better
>>>>> message like: "the password was reset you have to change it". But that
>>>>> is the idea.
>>>>>
>>>>> Simo.
>>>>>
>>>> Yes, that part of it makes sense and is to be expected. The immediate
>>>> "password is expired" (effectively blocking out the user) was the real
>>>> eyebrow-raiser. I'll test again on a later build today and see what
>>>> happens, but as it stands I can't log in as anyone except admin using
>>>> this password policy.
>>>>
>> I did this on the command line, just for a change.
>>
>> 1. added a new user jpark with password jpark1234
>> 2. ipa-finduser jpark
>> Common Name: Jainey Park
>> Home Directory: /home/jpark
>> Login Shell: /bin/sh
>> Login: jpark
>>
>> 3. kinit jpark
>> kinit(v5): Password has expired while getting initial credentials
>>
>> That's it. Drops me back to a prompt. I couldn't find anything useful in
>> /var/log/{messages,ipa_error,krb5kdc}.log
> 
> You have for sure stuff in krb5kdc.log

Well yeah, lots, but I couldn't find anything related to jpark, password
expiration, etc.
> 
> Anyway in this case you should just do a kpasswd jpark and change
> password.

Yep, did that and can login ok. Didn't notice this before, but if you
add a user via the cli it doesn't demand an email address, and this
leads to errors later.

> I'd like to see you do a login on a client though, not a kinit
> 
Not sure what you mean. You mean install the client and just navigate
straight to the server without running kinit?  I expect this is to see
if it prompts for a username/password. I haven't installed a client yet.
I'll do that tomorrow.

cheers
-- 

David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B
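Simo's reply above says the KDC log certainly records the failed kinit, and David's reply says he could not find anything for jpark in it. The script below is an added example (not code from the thread or from the FreeIPA project) that parses MIT krb5kdc.log request records and triages them per login name, so the "CLIENT KEY EXPIRED" record behind kinit's "Password has expired" message stands out from ordinary pre-authentication chatter. The log lines are constructed for this example and follow the MIT krb5kdc format as I know it; hostnames, addresses, PIDs and timestamps are invented.

```python
import re
from collections import Counter

# Constructed sample of MIT krb5kdc.log lines (NOT taken from the thread).
# Hostname, client IPs, PID and timestamps are invented.
SAMPLE_KDC_LOG = """\
Dec 03 10:57:01 ipa.example.com krb5kdc[2117](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: jpark@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec 03 10:57:05 ipa.example.com krb5kdc[2117](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: jpark@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Dec 03 10:58:40 ipa.example.com krb5kdc[2117](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec 03 10:58:41 ipa.example.com krb5kdc[2117](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: ISSUE: authtime 1196679521, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 03 11:02:13 ipa.example.com krb5kdc[2117](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12: PREAUTH_FAILED: bsmith@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Dec 03 11:02:14 ipa.example.com krb5kdc[2117](info): closing down fd 12
"""

# One AS_REQ/TGS_REQ record: timestamp, host, pid, request type, client address,
# status word(s) and the rest of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_ ]+): (?P<rest>.*)$"
)
# "client@REALM for service/host@REALM" appears in both ISSUE and failure records.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+)")

# Plain-language meaning of the KDC status words used in the sample.
EXPLANATIONS = {
    "CLIENT KEY EXPIRED": "password expired: an admin-set password must be changed (kpasswd) before kinit succeeds",
    "NEEDED_PREAUTH": "normal first leg of an AS exchange; not a failure by itself",
    "PREAUTH_FAILED": "wrong password or key mismatch",
    "ISSUE": "ticket issued",
}


def parse_kdc_log(text):
    """Turn krb5kdc.log text into a list of request-record dicts; skips non-request lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup/shutdown chatter, not a request record
        p = PRINC_RE.search(m.group("rest"))
        if not p:
            continue
        events.append({
            "time": m.group("ts"),
            "request": m.group("req"),
            "client_ip": m.group("ip"),
            "status": m.group("status"),
            "client": p.group("client").rstrip(","),
            "server": p.group("server").rstrip(","),
            # Free-text reason that follows the principal pair on failure records.
            "detail": m.group("rest")[p.end():].lstrip(", "),
        })
    return events


def events_for_user(events, login):
    """Records whose client principal has the given login name, in any realm."""
    return [e for e in events if e["client"].split("@", 1)[0] == login]


def triage(text, login):
    """Summarise what the KDC said about one login: counts per status and a verdict
    based on the most recent decisive (non-NEEDED_PREAUTH) record."""
    evs = events_for_user(parse_kdc_log(text), login)
    counts = Counter(e["status"] for e in evs)
    decisive = [e for e in evs if e["status"] != "NEEDED_PREAUTH"]
    if decisive:
        last = decisive[-1]["status"]
        verdict = EXPLANATIONS.get(last, last)
    elif evs:
        verdict = "only pre-auth challenges seen; no decisive reply"
    else:
        verdict = "no records for this principal"
    return {"events": evs, "counts": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    for login in ("jpark", "admin", "bsmith", "nobody"):
        r = triage(SAMPLE_KDC_LOG, login)
        print(f"{login}: {r['counts']} -> {r['verdict']}")
```

Run against a real /var/log/krb5kdc.log, the same filter by login name is what separates "no records" (the request never reached this KDC) from an expired-key reply, which is the case the thread describes and which kpasswd resolves.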

