[Freeipa-users] Having problem with pwd_expiration

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Thu Aug 13 10:47:38 UTC 2015


Hello!

On 08/13/2015 04:43 PM, Lukas Slebodnik wrote:
> On (13/08/15 15:39), Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've discovered something about pwd_expiration on FreeIPA 4.1.4.
>> I got a line from sssd_DOMAIN.log:
>>
>> ... snip ...
>> (Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]]
>> [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
>> ... snip ...
>>
>> $ ipa pwpolicy-find
>>  Group: global_policy
>>  Max lifetime (days): 90
>>  Min lifetime (hours): 1
>>  History size: 0
>>  Character classes: 0
>>  Min length: 8
>>  Max failures: 6
>>  Failure reset interval: 60
>>  Lockout duration: 600
>>
>> The password policy should be available for the next 90 days after I create
>> the password, shouldn't it? But when I tried to log in, the password was expired.
>>
>> $ sudo su -
>> [sudo] password for subhan:
>> Password expired. Change your password now.
>> sudo: Account or password is expired, reset your password and try again
>> Current Password:
>> New password:
>> Retype new password:
>> sudo: pam_chauthtok: Authentication token manipulation error
>>
>> Every time I reset the password from the IPA server, the password always
>> expires before 90 days (based on global_policy).
>>
> If you reset the password from the web UI (or command line),
> then the user needs to change that password.
> It's by design. The administrator should not know your password.
> 

Yes, you're right, but the user complains that the password expired and
the user is asked to change the password, but there was an error:
"Authentication token manipulation error"

> However,
> the situation is different if the password was changed with the command line
> utility "passwd".
> 
> LS
> 

I've tried both of them (web UI & CLI), still no luck.
Screenshot attached; the password expiration does not follow the global_policy.

I've created another new user; it was the same as with user `subhan`. The
password expiration does not follow global_policy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: subhan.png
Type: image/png
Size: 156850 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150813/478de73b/attachment.png>