[Freeipa-users] admin password is always expired

Petr Vobornik pvoborni at redhat.com
Tue Feb 10 11:55:39 UTC 2015


On 02/10/2015 12:00 PM, Roderick Johnstone wrote:
> On 10/02/15 07:44, Dmitri Pal wrote:
>> On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
>>> Hi
>>>
>>> I seem to have locked myself out of my ipa admin account (on RHEL
>>> 6.6). This is an evaluation instance so not too big a deal, but a good
>>> learning experience. I suspect it's some changes that I made to the
>>> password policy that caused this.
>>>
>>> The admin account has expired and I'm trying to reset the password
>>> like this:
>>>
>>> # kadmin.local
>>> Authenticating as principal root/admin at REALM with password.
>>> kadmin.local:  change_password admin at REALM
>>> Enter password for principal "admin at REALM":
>>> Re-enter password for principal "admin at REALM":
>>> Password for "admin at REALM" changed.
>>> kadmin.local:  q
>>>
>>> where REALM is my realm.
>>>
>>> Then when I try to authenticate as admin:
>>>
>>> # kinit admin
>>> Password for admin at REALM:
>>> Password expired.  You must change it now.
>>> Enter new password:
>>> Enter it again:
>>> kinit: Password has expired while getting initial credentials
>>>
>>> and the password is not reset.
>>>
>>> This is what the password policy looks like at the moment:
>>>
>>> kadmin.local:  get_policy global_policy
>>> Policy: global_policy
>>> Maximum password life: 864000000
>>> Minimum password life: 0
>>> Minimum password length: 8
>>> Minimum number of password character classes: 0
>>> Number of old keys kept: 0
>>> Reference count: 0
>>> Maximum password failures before lockout: 6
>>> Password failure count reset interval: 0 days 00:01:00
>>> Password lockout duration: 0 days 00:10:00
>>>
>>> I'm trying to set this back to the defaults in the hope that this
>>> allows me to reset the admin password properly, but I'm getting eg:
>>>
>>> kadmin.local:  modify_policy -maxlife "90 days" global_policy
>>> modify_policy: Plugin does not support the operation while modifying
>>> policy "global_policy".
>>>
>>> Am I on the right track to fixing the admin password problem?
>>>
>>> What am I doing wrong in trying to repair the password policy?
>>>
>>> Actually when I do the following it looks strange that Policy is set
>>> to none, but maybe this is a red herring:
>>>
>>> kadmin.local:  get_principal admin
>>> Principal: admin at REALM
>>> Expiration date: [never]
>>> Last password change: Mon Feb 09 18:28:09 GMT 2015
>>> Password expiration date: Tue May 22 11:59:53 GMT 1906
>>> Maximum ticket life: 1 day 00:00:00
>>> Maximum renewable life: 7 days 00:00:00
>>> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
>>> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
>>> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
>>> Failed password attempts: 0
>>> Number of keys: 4
>>> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
>>> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
>>> Key: vno 16, des3-cbc-sha1, Version 5
>>> Key: vno 16, arcfour-hmac, Version 5
>>> MKey: vno 1
>>> Attributes: REQUIRES_PRE_AUTH
>>> Policy: [none]
>>>
>>>
>>> Thanks for any help in diagnosing this issue or fixing it.
>>>
>>> Roderick Johnstone
>>>
>
>
>> Did you set password expiration for admin manually?
>
>
> OK, as far as I remember, I originally changed the global_policy and
> then encountered the problem described above, i.e. I couldn't authenticate
> as admin using:
> kinit admin
>
> In trying to resolve this I found a thread that suggested to change the
> admin password with:
> ldappasswd -x -D 'cn=directory manager' -W -S
> uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx
>
> Maybe this was a bad move?
>
>> The attribute shows that it is 1906. This makes me think that you set
>> your expiration to a big number. However the value rolls over in 2038.
>> So you need to make sure what you set translates to a date before 2038.
>
> I suspect I did set the expiration to too big a number originally. After
> I was in the always expired loop I found a number of threads mentioning
> this wrap around issue and I have tried a number of things to fix it, so
> maybe I'm just making things worse.
>
>>
>> Why are you using kadmin.local?  With IPA it is not supported.
>
> Out of ignorance I guess. I'm still finding my way into all this stuff!
>
> What is the recommended way to reset an admin password in ipa when you
> can't authenticate as admin?
>
>> There is a
>> bunch of IPA commands that do the same.
>
> But if kinit admin won't authenticate me, how can I use the IPA commands?
>
> How can I now reset the expiration date for admin when I can't
> authenticate as admin?
>
> Thanks.
>
> Roderick
>

Resetting the password using ldappasswd won't help if the culprit is the 
global or another IPA password policy. You can change the policy in LDAP 
as Directory Manager. It's located in:

cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

then you can try to kinit and set the new password.
-- 
Petr Vobornik
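The steps Petr describes (fix the policy entry as Directory Manager, then kinit and change the password), written out as an added example. This is not code from the thread or from the FreeIPA project; it assumes realm EXAMPLE.COM, suffix dc=example,dc=com, and the attribute names IPA stores on the global policy and user entries (krbMaxPwdLife in seconds, krbPasswordExpiration in LDAP generalized time). It also checks the rollover Dmitri mentioned: the thread's "Maximum password life: 864000000" is 10000 days, so a password set in February 2015 expires in 2042, past the January 2038 limit of a 32-bit time_t; 2^32 seconds is about 136.2 years, which is how that expiry lands in May 1906.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Restores a 32-bit-safe krbMaxPwdLife on the IPA global password policy
# over LDAP as Directory Manager; optionally resets the admin entry's
# krbPasswordExpiration. Realm and suffix are assumptions, override via env.
REALM="${REALM:-EXAMPLE.COM}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
POLICY_DN="cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX"
ADMIN_DN="uid=admin,cn=users,cn=accounts,$SUFFIX"
T32_MAX=2147483647   # largest 32-bit signed time_t: 2038-01-19 03:14:07 UTC

# Lifetime in days -> the seconds value stored in krbMaxPwdLife.
days_to_seconds() { echo $(( $1 * 86400 )); }

# Return 0 when now + maxlife still fits in a 32-bit time_t, 1 when it would
# wrap past 2038 (the thread's 864000000 s = 10000 days lands in 2042).
maxlife_is_safe() { [ $(( $1 + $2 )) -le "$T32_MAX" ]; }

# LDIF that replaces krbMaxPwdLife on the global policy entry.
policy_ldif() {
    cat <<EOF
dn: $POLICY_DN
changetype: modify
replace: krbMaxPwdLife
krbMaxPwdLife: $1
EOF
}

# LDIF that sets the admin entry's krbPasswordExpiration to a
# generalized-time value (YYYYMMDDHHMMSSZ), e.g. 20150511120000Z.
expiry_ldif() {
    cat <<EOF
dn: $ADMIN_DN
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: $1
EOF
}

# "apply" fixes the policy only; "apply-expiry" also pushes a fresh expiry
# onto the admin entry. Both prompt for the Directory Manager password.
case "$1" in
apply|apply-expiry)
    now=$(date +%s)
    maxlife=$(days_to_seconds 90)        # IPA default: 90 days
    maxlife_is_safe "$now" "$maxlife" || { echo "maxlife would wrap past 2038" >&2; exit 1; }
    policy_ldif "$maxlife" | ldapmodify -x -D 'cn=Directory Manager' -W
    if [ "$1" = "apply-expiry" ]; then
        # GNU date syntax (RHEL 6 coreutils): now + maxlife as generalized time.
        expiry=$(date -u -d "@$(( now + maxlife ))" +%Y%m%d%H%M%SZ)
        expiry_ldif "$expiry" | ldapmodify -x -D 'cn=Directory Manager' -W
    fi
    echo "policy updated; now run: kinit admin (it will ask for a new password)"
    ;;
esac
```

Run it as `sh fix-policy.sh apply`, then `kinit admin`: with the lifetime back under the 2038 limit the forced password change at kinit should go through, and after that the supported route is `ipa pwpolicy-mod --maxlife=90` rather than editing LDAP or kadmin.local. The `apply-expiry` variant is only for the case where kinit still reports the password expired after the policy fix.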