[Freeipa-users] admin password is always expired

Roderick Johnstone rmj at ast.cam.ac.uk
Tue Feb 10 11:00:44 UTC 2015


On 10/02/15 07:44, Dmitri Pal wrote:
> On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
>> Hi
>>
>> I seem to have locked myself out of my ipa admin account (on RHEL
>> 6.6). This is an evaluation instance so not too big a deal, but a good
>> learning experience. I suspect its some changes that I made to the
>> password policy that caused this.
>>
>> The admin account has expired and I'm trying to reset the password
>> like this:
>>
>> # kadmin.local
>> Authenticating as principal root/admin at REALM with password.
>> kadmin.local:  change_password admin at REALM
>> Enter password for principal "admin at REALM":
>> Re-enter password for principal "admin at REALM":
>> Password for "admin at REALM" changed.
>> kadmin.local:  q
>>
>> where REALM is my realm.
>>
>> Then when I try to authenticate as admin:
>>
>> # kinit admin
>> Password for admin at REALM:
>> Password expired.  You must change it now.
>> Enter new password:
>> Enter it again:
>> kinit: Password has expired while getting initial credentials
>>
>> and the password is not reset.
>>
>> This is what the password policy looks like at the moment:
>>
>> kadmin.local:  get_policy global_policy
>> Policy: global_policy
>> Maximum password life: 864000000
>> Minimum password life: 0
>> Minimum password length: 8
>> Minimum number of password character classes: 0
>> Number of old keys kept: 0
>> Reference count: 0
>> Maximum password failures before lockout: 6
>> Password failure count reset interval: 0 days 00:01:00
>> Password lockout duration: 0 days 00:10:00
>>
>> I'm trying to set this back to the defaults in the hope that this
>> allows me to reset the admin password properly, but I'm getting eg:
>>
>> kadmin.local:  modify_policy -maxlife "90 days" global_policy
>> modify_policy: Plugin does not support the operation while modifying
>> policy "global_policy".
>>
>> Am I on the right track to fixing the admin password problem?
>>
>> What am I doing wrong in trying to repair the password policy?
>>
>> Actually when I do the following it looks strange that Policy is set
>> to none, but maybe this is a red herring:
>>
>> kadmin.local:  get_principal admin
>> Principal: admin at REALM
>> Expiration date: [never]
>> Last password change: Mon Feb 09 18:28:09 GMT 2015
>> Password expiration date: Tue May 22 11:59:53 GMT 1906
>> Maximum ticket life: 1 day 00:00:00
>> Maximum renewable life: 7 days 00:00:00
>> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
>> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
>> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
>> Failed password attempts: 0
>> Number of keys: 4
>> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 16, des3-cbc-sha1, Version 5
>> Key: vno 16, arcfour-hmac, Version 5
>> MKey: vno 1
>> Attributes: REQUIRES_PRE_AUTH
>> Policy: [none]
>>
>>
>> Thanks for any help in diagnosing this issue or fixing it.
>>
>> Roderick Johnstone
>>


> Did you set password expiration for admin manually?


OK, as far as I remember, I originally changed the global_policy and 
then encountered the problem described above, i.e. I couldn't authenticate 
as admin using:
kinit admin

In trying to resolve this I found a thread that suggested to change the 
admin password with:
ldappasswd -x -D 'cn=directory manager' -W -S 
uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx

Maybe this was a bad move?

> The attribute shows that it is 1906. This makes me think that you set
> your expiration to a big number. However the value rolls over in 2038.
> So you need to make sure what you set translates to a date before 2038.

I suspect I did set the expiration to too big a number originally. After 
I was in the always expired loop I found a number of threads mentioning 
this wrap around issue and I have tried a number of things to fix it, so 
maybe I'm just making things worse.

>
> Why are you using kadmin.local?  With IPA it is not supported.

Out of ignorance I guess. I'm still finding my way into all this stuff!

What is the recommended way to reset an admin password in ipa when you 
can't authenticate as admin?

> There is a
> bunch of IPA commands that do the same.

But if kinit admin won't authenticate me, how can I use the IPA commands?

How can I now reset the expiration date for admin when I can't 
authenticate as admin?

Thanks.

Roderick
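Added example (not from the thread or from FreeIPA's own code): it reproduces the 2038 wrap-around Dmitri describes, using the "Last password change" time and the 864000000-second maximum password life shown in the policy above, and adds the check a policy change should pass before it is applied. The wrap is modelled as plain signed 32-bit overflow of the expiry timestamp; that is an assumption, not a statement about how the KDC stores the field.

```python
# Added example: show how last-change + maxlife wraps into a 1906 expiry
# when the sum no longer fits a signed 32-bit timestamp.
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # 2038-01-19 03:14:07 UTC

# Values taken from the thread (constructed here as constants).
LAST_CHANGE = datetime(2015, 2, 9, 18, 28, 9, tzinfo=timezone.utc)
MAXLIFE = 864000000  # seconds, from global_policy


def to_int32(value: int) -> int:
    """Wrap an integer into a signed 32-bit field (assumed overflow model)."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def expiry_epoch(last_change: datetime, maxlife_seconds: int) -> int:
    """Intended expiry as an unbounded Unix timestamp."""
    return int((last_change - EPOCH).total_seconds()) + maxlife_seconds


def stored_expiry(last_change: datetime, maxlife_seconds: int) -> datetime:
    """Expiry as it reads back after being squeezed into 32 bits."""
    wrapped = to_int32(expiry_epoch(last_change, maxlife_seconds))
    return EPOCH + timedelta(seconds=wrapped)


def maxlife_overflows(last_change: datetime, maxlife_seconds: int) -> bool:
    """Pre-apply check: True if the expiry would land past 2038-01-19."""
    return expiry_epoch(last_change, maxlife_seconds) > INT32_MAX


def max_safe_maxlife(last_change: datetime) -> int:
    """Largest maxlife (seconds) that keeps the expiry inside 32 bits."""
    return INT32_MAX - int((last_change - EPOCH).total_seconds())


def thread_expiry_string() -> str:
    """Format the wrapped expiry the way get_principal printed it."""
    return stored_expiry(LAST_CHANGE, MAXLIFE).strftime("%a %b %d %H:%M:%S GMT %Y")


if __name__ == "__main__":
    print(thread_expiry_string())            # Tue May 22 11:59:53 GMT 1906
    print(maxlife_overflows(LAST_CHANGE, MAXLIFE))  # True
    print(max_safe_maxlife(LAST_CHANGE) // 86400, "days of maxlife still fit")
```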

