[Freeipa-users] Having problem with pwd_expiration

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Thu Aug 13 08:39:20 UTC 2015


Hello!

I've discovered something about pwd_expiration on freeipa 4.1.4.
I got this line from sssd_DOMAIN.log:

... snip ...
(Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]]
[confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
... snip ...

$ ipa pwpolicy-find
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

The password policy should be valid for the next 90 days after I create
the password, shouldn't it? But when I tried to log in, the password was expired.

$ sudo su -
[sudo] password for subhan:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:
sudo: pam_chauthtok: Authentication token manipulation error

Every time I reset the password from the IPA server, the password is always
expired before 90 days (based on global_policy).

Got this from /var/log/secure (on ipa client):

Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user
subhan: 12 (Authentication token is no longer valid; new one required)
Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info
message: Password expired. Change your password now.
Aug 13 15:24:01 rosaliaindah sudo: subhan : Account or password is
expired, reset your password and try again ; TTY=pts/2 ;
PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
Aug 13 15:24:01 rosaliaindah sudo: pam_unix(sudo:chauthtok): user
"subhan" does not exist in /etc/passwd
Aug 13 15:24:09 rosaliaindah sudo: pam_unix(sudo:chauthtok): user
"subhan" does not exist in /etc/passwd
Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password
change failed for user subhan: 22 (Authentication token lock busy)
Aug 13 15:24:10 rosaliaindah sudo: subhan : pam_chauthtok:
Authentication token manipulation error ; TTY=pts/2 ; PWD=/home/subhan ;
USER=root ; COMMAND=/bin/su -
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
identify password for [subhan]

Got a clue from
http://www.redhat.com/archives/freeipa-users/2015-January/msg00183.html,
but still no luck.
I added krb5_auth_timeout = 30s to sssd.conf.

Note: krb5_child.log shows nothing.
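As an added example (not part of this post, and not FreeIPA or SSSD code), the Python helper below triages the kind of evidence quoted above: it parses the pam_sss lines from /var/log/secure, maps the PAM return codes they carry (12 and 22) to their Linux-PAM names from security/_pam_types.h, reports per user whether an expired password was signalled at the auth stage and whether the forced change then failed at chauthtok, and parses the ipa pwpolicy-find output so the expected expiry date under "Max lifetime (days)" can be computed and compared with what the server actually reports. The sample log lines and policy output are copied from the post (wrapped lines rejoined); the function names are mine.

```python
import re
from datetime import date, timedelta

# Constructed sample: the /var/log/secure lines quoted in the post, re-joined
# onto one line each (the mail client had wrapped them).
SECURE_LOG = """\
Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 12 (Authentication token is no longer valid; new one required)
Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info message: Password expired. Change your password now.
Aug 13 15:24:01 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password change failed for user subhan: 22 (Authentication token lock busy)
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
"""

# Constructed sample: the `ipa pwpolicy-find` output quoted in the post.
PWPOLICY_OUTPUT = """\
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
"""

# Linux-PAM return codes (security/_pam_types.h) that appear in the post's log.
PAM_CODES = {
    12: "PAM_NEW_AUTHTOK_REQD",   # password expired, a new one is required
    22: "PAM_AUTHTOK_LOCK_BUSY",  # password change could not be completed
}

# syslog prefix + "pam_<module>(<service>:<stage>): <message>"
PAM_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+): "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>\w+)\): (?P<msg>.*)$"
)
# "... user <name>: <code> (<text>)" as pam_sss logs its results
PAM_CODE_RE = re.compile(r"user (?P<user>[\w.-]+): (?P<code>\d+) \((?P<text>[^)]*)\)")


def parse_pam_events(log_text):
    """Turn syslog lines into dicts with module, stage, user and PAM code."""
    events = []
    for line in log_text.splitlines():
        m = PAM_LINE_RE.match(line)
        if not m:
            continue  # not a PAM line, ignore
        ev = m.groupdict()
        ev["user"], ev["code"], ev["code_name"] = None, None, None
        c = PAM_CODE_RE.search(ev["msg"])
        if c:
            ev["user"] = c.group("user")
            ev["code"] = int(c.group("code"))
            ev["code_name"] = PAM_CODES.get(ev["code"], "UNKNOWN")
        events.append(ev)
    return events


def classify_expiry(events):
    """Per user: did sssd report an expired password at auth, and did the
    forced password change fail at chauthtok (and with which PAM code)?"""
    report = {}
    for ev in events:
        if ev["module"] != "pam_sss" or ev["user"] is None:
            continue
        r = report.setdefault(ev["user"], {"expired": False, "change_failed": None})
        if ev["stage"] == "auth" and ev["code"] == 12:
            r["expired"] = True
        if ev["stage"] == "chauthtok" and ev["code"] not in (None, 0):
            r["change_failed"] = ev["code_name"]
    return report


def parse_pwpolicy(text):
    """Parse `ipa pwpolicy-find` style 'Key: value' output into a dict."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy


def expected_expiry(last_change_iso, policy):
    """ISO date on which a password set on last_change_iso should expire
    under the policy's max lifetime; compare with the server-reported value."""
    last_change = date.fromisoformat(last_change_iso)
    return (last_change + timedelta(days=policy["Max lifetime (days)"])).isoformat()


if __name__ == "__main__":
    policy = parse_pwpolicy(PWPOLICY_OUTPUT)
    print("policy:", policy)
    print("expected expiry for a password set 2015-08-13:", expected_expiry("2015-08-13", policy))
    print("report:", classify_expiry(parse_pam_events(SECURE_LOG)))
```

Run it as-is to see the report for the quoted lines; point `parse_pam_events` at a real /var/log/secure to triage other users. If the report says "expired" with a date well before the policy's expected expiry, the discrepancy lies in the expiry the server set, not in the client-side lifetime calculation.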



