[Freeipa-users] admin password is always expired

Roderick Johnstone rmj at ast.cam.ac.uk
Mon Feb 9 22:35:05 UTC 2015


Hi

I seem to have locked myself out of my ipa admin account (on RHEL 6.6). 
This is an evaluation instance so not too big a deal, but a good 
learning experience. I suspect it's some changes that I made to the 
password policy that caused this.

The admin account has expired and I'm trying to reset the password like 
this:

# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local:  change_password admin@REALM
Enter password for principal "admin@REALM":
Re-enter password for principal "admin@REALM":
Password for "admin@REALM" changed.
kadmin.local:  q

where REALM is my realm.

Then when I try to authenticate as admin:

# kinit admin
Password for admin@REALM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

and the password is not reset.

This is what the password policy looks like at the moment:

kadmin.local:  get_policy global_policy
Policy: global_policy
Maximum password life: 864000000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this allows 
me to reset the admin password properly, but I'm getting e.g.:

kadmin.local:  modify_policy -maxlife "90 days" global_policy
modify_policy: Plugin does not support the operation while modifying 
policy "global_policy".

Am I on the right track to fixing the admin password problem?

What am I doing wrong in trying to repair the password policy?

Actually when I do the following it looks strange that Policy is set to 
none, but maybe this is a red herring:

kadmin.local:  get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


Thanks for any help in diagnosing this issue or fixing it.

Roderick Johnstone
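
An added example, not part of the original post: a check of the quoted kadmin.local values, showing that "last password change + maximum password life" no longer fits in a signed 32-bit time value and wraps to exactly the 1906 expiration date printed above. The 32-bit storage is an assumption that the printed values are consistent with; the function names and the sample text layout are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
KADMIN_TIME = "%a %b %d %H:%M:%S GMT %Y"  # timestamp layout seen in the post

# Constructed sample: the three relevant lines of the output quoted in the post.
SAMPLE = """\
Maximum password life: 864000000
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
"""

def field(text, name):
    """Return the value of a 'Name: value' line from kadmin output."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", text, re.M)
    if m is None:
        raise ValueError(f"field not found: {name}")
    return m.group(1).strip()

def parse_time(value):
    return datetime.strptime(value, KADMIN_TIME).replace(tzinfo=timezone.utc)

def wrap_int32(n):
    """Reduce n to the value a signed 32-bit integer would hold (assumption)."""
    return (n + 2**31) % 2**32 - 2**31

def check_expiry(text):
    maxlife = int(field(text, "Maximum password life"))
    changed = parse_time(field(text, "Last password change"))
    shown = parse_time(field(text, "Password expiration date"))
    changed_epoch = int((changed - EPOCH).total_seconds())
    intended = changed_epoch + maxlife  # expiry in seconds since 1970
    wrapped = EPOCH + timedelta(seconds=wrap_int32(intended))
    return {
        "overflows": intended > INT32_MAX,
        "wrapped_expiry": wrapped,
        "matches_output": wrapped == shown,
        # Largest maxlife (seconds) that still fits for this change time.
        "largest_safe_maxlife": INT32_MAX - changed_epoch,
    }

if __name__ == "__main__":
    for key, value in check_expiry(SAMPLE).items():
        print(f"{key}: {value}")
```

A wrapped expiry lies in the past, so every freshly set password is already expired when it is next used, which matches the kinit behaviour described in the post.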



