[Freeipa-users] admin password is always expired
Roderick Johnstone
rmj at ast.cam.ac.uk
Mon Feb 9 22:35:05 UTC 2015
Hi
I seem to have locked myself out of my ipa admin account (on RHEL 6.6).
This is an evaluation instance so not too big a deal, but a good
learning experience. I suspect its some changes that I made to the
password policy that caused this.
The admin account has expired and I'm trying to reset the password like
this:
# kadmin.local
Authenticating as principal root/admin at REALM with password.
kadmin.local: change_password admin at REALM
Enter password for principal "admin at REALM":
Re-enter password for principal "admin at REALM":
Password for "admin at REALM" changed.
kadmin.local: q
where REALM is my realm.
Then when I try to authenticate as admin:
# kinit admin
Password for admin at REALM:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
and the password is not reset.
This is what the password policy looks like at the moment:
kadmin.local: get_policy global_policy
Policy: global_policy
Maximum password life: 864000000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00
I'm trying to set this back to the defaults in the hope that this allows
me to reset the admin password properly, but I'm getting eg:
kadmin.local: modify_policy -maxlife "90 days" global_policy
modify_policy: Plugin does not support the operation while modifying
policy "global_policy".
Am I on the right track to fixing the admin password problem?
What am I doing wrong in trying to repair the password policy?
Actually when I do the following it looks strange that Policy is set to
none, but maybe this is a red herring:
kadmin.local: get_principal admin
Principal: admin at REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Thanks for any help in diagnosing this issue or fixing it.
Roderick Johnstone
More information about the Freeipa-users
mailing list