[Freeipa-users] Having problem with pwd_expiration

Lukas Slebodnik lslebodn at redhat.com
Thu Aug 13 09:43:10 UTC 2015


On (13/08/15 15:39), Dewangga Bachrul Alam wrote:
>Hello!
>
>I've discovered something about pwd_expiration on FreeIPA 4.1.4.
>I got a line from sssd_DOMAIN.log:
>
>... snip ...
>(Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]]
>[confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
>... snip ...
>
>$ ipa pwpolicy-find
>  Group: global_policy
>  Max lifetime (days): 90
>  Min lifetime (hours): 1
>  History size: 0
>  Character classes: 0
>  Min length: 8
>  Max failures: 6
>  Failure reset interval: 60
>  Lockout duration: 600
>
>The password policy should be available for the next 90 days after I create
>the password, shouldn't it? But when I tried to log in, the password was expired.
>
>$ sudo su -
>[sudo] password for subhan:
>Password expired. Change your password now.
>sudo: Account or password is expired, reset your password and try again
>Current Password:
>New password:
>Retype new password:
>sudo: pam_chauthtok: Authentication token manipulation error
>
>Every time I reset the password from the IPA server, the password always
>expires before 90 days (based on global_policy).
>
If you reset the password from the web UI (or command line),
then the user needs to change that password.
It's by design. The administrator should not know your password.

However, the situation is different if the password was changed with the
command line utility "passwd".

LS



