[Freeipa-users] admin password is always expired
Roderick Johnstone
rmj at ast.cam.ac.uk
Tue Feb 10 11:00:44 UTC 2015
On 10/02/15 07:44, Dmitri Pal wrote:
> On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
>> Hi
>>
>> I seem to have locked myself out of my ipa admin account (on RHEL
>> 6.6). This is an evaluation instance so not too big a deal, but a good
>> learning experience. I suspect its some changes that I made to the
>> password policy that caused this.
>>
>> The admin account has expired and I'm trying to reset the password
>> like this:
>>
>> # kadmin.local
>> Authenticating as principal root/admin at REALM with password.
>> kadmin.local: change_password admin at REALM
>> Enter password for principal "admin at REALM":
>> Re-enter password for principal "admin at REALM":
>> Password for "admin at REALM" changed.
>> kadmin.local: q
>>
>> where REALM is my realm.
>>
>> Then when I try to authenticate as admin:
>>
>> # kinit admin
>> Password for admin at REALM:
>> Password expired. You must change it now.
>> Enter new password:
>> Enter it again:
>> kinit: Password has expired while getting initial credentials
>>
>> and the password is not reset.
>>
>> This is what the password policy looks like at the moment:
>>
>> kadmin.local: get_policy global_policy
>> Policy: global_policy
>> Maximum password life: 864000000
>> Minimum password life: 0
>> Minimum password length: 8
>> Minimum number of password character classes: 0
>> Number of old keys kept: 0
>> Reference count: 0
>> Maximum password failures before lockout: 6
>> Password failure count reset interval: 0 days 00:01:00
>> Password lockout duration: 0 days 00:10:00
>>
>> I'm trying to set this back to the defaults in the hope that this
>> allows me to reset the admin password properly, but I'm getting eg:
>>
>> kadmin.local: modify_policy -maxlife "90 days" global_policy
>> modify_policy: Plugin does not support the operation while modifying
>> policy "global_policy".
>>
>> Am I on the right track to fixing the admin password problem?
>>
>> What am I doing wrong in trying to repair the password policy?
>>
>> Actually when I do the following it looks strange that Policy is set
>> to none, but maybe this is a red herring:
>>
>> kadmin.local: get_principal admin
>> Principal: admin at REALM
>> Expiration date: [never]
>> Last password change: Mon Feb 09 18:28:09 GMT 2015
>> Password expiration date: Tue May 22 11:59:53 GMT 1906
>> Maximum ticket life: 1 day 00:00:00
>> Maximum renewable life: 7 days 00:00:00
>> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
>> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
>> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
>> Failed password attempts: 0
>> Number of keys: 4
>> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 16, des3-cbc-sha1, Version 5
>> Key: vno 16, arcfour-hmac, Version 5
>> MKey: vno 1
>> Attributes: REQUIRES_PRE_AUTH
>> Policy: [none]
>>
>>
>> Thanks for any help in diagnosing this issue or fixing it.
>>
>> Roderick Johnstone
>>
> Did you set password expiration for admin manually?
ok, as far as I remember, I originally changed the global_policy and
then encountered the problem described above. ie I couldn't authenticate
as admin using:
kinit admin
In trying to resolve this I found a thread that suggested to change the
admin password with:
ldappasswd -x -D 'cn=directory manager' -W -S
uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx
Maybe this was a bad move?
> The attribute shows that it is 1906. This makes me think that you set
> your expiration to a big number. However the value rolls over in 2038.
> So you need to make sure what you set translates to a date before 2038.
I suspect I did set the expiration to too big a number originally. After
I was in the always expired loop I found a number of threads mentioning
this wrap around issue and I have tried a number of things to fix it, so
maybe I'm just making things worse.
>
> Why are you using kdamin.local? With IPA it is not supported.
Out of ignorance I guess. I'm still finding my way into all this stuff!
What is the recommended way to reset an admin password in ipa when you
can't authenticate as admin?
> There is a
> bunch of IPA commands that do the same.
But if kinit admin won't authenticate me, how can I use the IPA commands?
How can I now reset the expiration date for admin when I can't
authenticate as admin?
Thanks.
Roderick
>
More information about the Freeipa-users
mailing list