[Freeipa-users] admin password is always expired

Dmitri Pal dpal at redhat.com
Tue Feb 10 07:44:26 UTC 2015


On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
> Hi
>
> I seem to have locked myself out of my ipa admin account (on RHEL 
> 6.6). This is an evaluation instance so not too big a deal, but a good 
> learning experience. I suspect it's some changes that I made to the 
> password policy that caused this.
>
> The admin account has expired and I'm trying to reset the password 
> like this:
>
> # kadmin.local
> Authenticating as principal root/admin at REALM with password.
> kadmin.local:  change_password admin at REALM
> Enter password for principal "admin at REALM":
> Re-enter password for principal "admin at REALM":
> Password for "admin at REALM" changed.
> kadmin.local:  q
>
> where REALM is my realm.
>
> Then when I try to authenticate as admin:
>
> # kinit admin
> Password for admin at REALM:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials
>
> and the password is not reset.
>
> This is what the password policy looks like at the moment:
>
> kadmin.local:  get_policy global_policy
> Policy: global_policy
> Maximum password life: 864000000
> Minimum password life: 0
> Minimum password length: 8
> Minimum number of password character classes: 0
> Number of old keys kept: 0
> Reference count: 0
> Maximum password failures before lockout: 6
> Password failure count reset interval: 0 days 00:01:00
> Password lockout duration: 0 days 00:10:00
>
> I'm trying to set this back to the defaults in the hope that this 
> allows me to reset the admin password properly, but I'm getting eg:
>
> kadmin.local:  modify_policy -maxlife "90 days" global_policy
> modify_policy: Plugin does not support the operation while modifying 
> policy "global_policy".
>
> Am I on the right track to fixing the admin password problem?
>
> What am I doing wrong in trying to repair the password policy?
>
> Actually when I do the following it looks strange that Policy is set 
> to none, but maybe this is a red herring:
>
> kadmin.local:  get_principal admin
> Principal: admin at REALM
> Expiration date: [never]
> Last password change: Mon Feb 09 18:28:09 GMT 2015
> Password expiration date: Tue May 22 11:59:53 GMT 1906
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
> Failed password attempts: 0
> Number of keys: 4
> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
> Key: vno 16, des3-cbc-sha1, Version 5
> Key: vno 16, arcfour-hmac, Version 5
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
>
>
> Thanks for any help in diagnosing this issue or fixing it.
>
> Roderick Johnstone
>
Did you set password expiration for admin manually?
The attribute shows that it is 1906. This makes me think that you set 
your expiration to a big number. However the value rolls over in 2038. 
So you need to make sure what you set translates to a date before 2038.

Why are you using kadmin.local? With IPA it is not supported. There is a 
bunch of IPA commands that do the same.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
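
The rollover mentioned in the reply can be checked against the numbers in the quoted kadmin.local output. This is an added example, not part of the original thread or of FreeIPA's code; it assumes the expiration is computed as last password change plus maximum password life (read as seconds) and held in a signed 32-bit seconds field.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # 2038-01-19 03:14:07 UTC, the last second before rollover


def wrap_int32(seconds: int) -> int:
    """Reduce an integer to a signed 32-bit value, as a 32-bit time field would."""
    return (seconds + 2**31) % 2**32 - 2**31


def stored_expiration(last_change: datetime, maxlife: int) -> datetime:
    """Expiration as it reads back after passing through a signed 32-bit field.

    Assumption (not confirmed by the thread): expiration = last change + maxlife.
    """
    ts = int((last_change - EPOCH).total_seconds()) + maxlife
    # Built from EPOCH + timedelta so negative (pre-1970) values work everywhere.
    return EPOCH + timedelta(seconds=wrap_int32(ts))


def largest_safe_maxlife(last_change: datetime) -> int:
    """Largest maxlife in seconds whose expiration still falls before the rollover."""
    return INT32_MAX - int((last_change - EPOCH).total_seconds())


# Values taken from the kadmin.local output quoted in the thread.
LAST_CHANGE = datetime(2015, 2, 9, 18, 28, 9, tzinfo=timezone.utc)
MAXLIFE = 864000000  # "Maximum password life" in global_policy, read as seconds

if __name__ == "__main__":
    fmt = "%a %b %d %H:%M:%S GMT %Y"
    print("stored expiration:", stored_expiration(LAST_CHANGE, MAXLIFE).strftime(fmt))
    limit = largest_safe_maxlife(LAST_CHANGE)
    print("largest safe maxlife:", limit, "seconds =", limit // 86400, "days")
    print("with 90 days:", stored_expiration(LAST_CHANGE, 90 * 86400).strftime(fmt))
```

Under those assumptions the wrapped value lands on the same 1906 date that get_principal reports, while a 90-day life yields a date in May 2015.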



