[Freeipa-users] Having problem with pwd_expiration
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Thu Aug 13 08:39:20 UTC 2015
Hello!
I've discovered something about pwd_expiration on FreeIPA 4.1.4.
I got this line from sssd_DOMAIN.log:
... snip ...
(Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]]
[confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
... snip ...
$ ipa pwpolicy-find
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
The password should be valid for the next 90 days after I create it,
shouldn't it? But when I tried to log in, the password was expired.
$ sudo su -
[sudo] password for subhan:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:
sudo: pam_chauthtok: Authentication token manipulation error
Every time I reset the password from the IPA server, the password is
already expired before 90 days (based on global_policy).
Got this from /var/log/secure (on the IPA client):
Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 12 (Authentication token is no longer valid; new one required)
Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info message: Password expired. Change your password now.
Aug 13 15:24:01 rosaliaindah sudo: subhan : Account or password is expired, reset your password and try again ; TTY=pts/2 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
Aug 13 15:24:01 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
Aug 13 15:24:09 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password change failed for user subhan: 22 (Authentication token lock busy)
Aug 13 15:24:10 rosaliaindah sudo: subhan : pam_chauthtok: Authentication token manipulation error ; TTY=pts/2 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]
Got a clue from
http://www.redhat.com/archives/freeipa-users/2015-January/msg00183.html,
but still no luck.
I added krb5_auth_timeout = 30s to sssd.conf.
Note: krb5_child.log shows nothing.
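As an added example (not code from the post, nor from the FreeIPA or SSSD projects): a small Python script that parses the pam_sss result lines from the /var/log/secure excerpt above, maps the numeric PAM codes to their Linux-PAM names (12 is PAM_NEW_AUTHTOK_REQD, "Authentication token is no longer valid; new one required"; 22 is PAM_AUTHTOK_LOCK_BUSY, "Authentication token lock busy"), and then checks whether a user's krbPasswordExpiration is earlier than krbLastPwdChange plus the policy's "Max lifetime (days)". That second check matters here because FreeIPA expires a password immediately when an administrator resets it, so the user must choose a new one at first login regardless of the 90-day maximum. The sample log lines are copied from the excerpt, the LDAP timestamps are made up, and the function names are this example's own.

```python
"""Triage pam_sss failures from /var/log/secure and sanity-check FreeIPA password expiry.

Added example, not from the mailing-list post. The sample log lines are constructed
from the excerpt in the post; the LDAP timestamps below are made up for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Linux-PAM return codes (pam.h) for the values pam_sss logs in this kind of failure.
PAM_CODES = {
    0: "PAM_SUCCESS",
    7: "PAM_AUTH_ERR",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",   # "Authentication token is no longer valid; new one required"
    13: "PAM_ACCT_EXPIRED",
    20: "PAM_AUTHTOK_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",  # "Authentication token lock busy"
    27: "PAM_AUTHTOK_EXPIRED",
}

# Constructed sample: the pam_sss / pam_unix lines from the post's /var/log/secure excerpt.
SAMPLE_LOG = """\
Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 12 (Authentication token is no longer valid; new one required)
Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info message: Password expired. Change your password now.
Aug 13 15:24:01 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password change failed for user subhan: 22 (Authentication token lock busy)
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
"""

# pam_sss result lines look like: pam_sss(service:phase): ... user NAME: CODE (message)
PAM_SSS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"pam_sss\((?P<service>[^:]+):(?P<phase>[^)]+)\): .*?user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)$"
)


def parse_pam_sss(log_text):
    """Return one dict per pam_sss result line: user, service, PAM phase, code and its name."""
    events = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.match(line)
        if not m:
            continue  # pam_unix lines and bare "User info message" lines carry no PAM code
        code = int(m.group("code"))
        events.append({
            "ts": m.group("ts"), "user": m.group("user"),
            "service": m.group("service"), "phase": m.group("phase"),
            "code": code, "name": PAM_CODES.get(code, "UNKNOWN_%d" % code),
            "msg": m.group("msg"),
        })
    return events


def triage(log_text):
    """Per user: did auth report an expired token, and did the forced change then fail?"""
    summary = {}
    for ev in parse_pam_sss(log_text):
        s = summary.setdefault(ev["user"], {"codes": [], "expired": False, "chauthtok_failed": False})
        s["codes"].append(ev["code"])
        if ev["phase"] == "auth" and ev["code"] in (12, 27):
            s["expired"] = True          # password must be changed before this login can succeed
        if ev["phase"] == "chauthtok" and ev["code"] != 0:
            s["chauthtok_failed"] = True  # the change itself failed (here: 22, lock busy)
    return summary


def parse_generalized_time(value):
    """LDAP GeneralizedTime as FreeIPA stores krb* timestamps, e.g. 20150813082500Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expected_expiry(krb_last_pwd_change, maxlife_days):
    """What the policy alone would give: krbLastPwdChange + 'Max lifetime (days)'."""
    return parse_generalized_time(krb_last_pwd_change) + timedelta(days=maxlife_days)


def expiry_is_forced(krb_last_pwd_change, krb_password_expiration, maxlife_days):
    """True when krbPasswordExpiration is earlier than the policy would set it.

    FreeIPA does this on an administrative reset: the new password is expired at once
    so the user has to pick their own at first login, whatever the policy maximum is.
    """
    actual = parse_generalized_time(krb_password_expiration)
    return actual < expected_expiry(krb_last_pwd_change, maxlife_days)


if __name__ == "__main__":
    for user, s in triage(SAMPLE_LOG).items():
        print(user, s)
    # Made-up attribute values: an admin reset at 08:25 UTC that set expiry to the same instant.
    print(expiry_is_forced("20150813082500Z", "20150813082500Z", 90))
```

To use it against a real client, pipe the relevant lines of /var/log/secure into `triage()`, and feed `expiry_is_forced()` the krbLastPwdChange and krbPasswordExpiration values from `ipa user-show --all` for the affected user together with the policy's max lifetime; if it returns True right after an administrative reset, the expiry is the forced first-login change rather than the 90-day policy.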