[Freeipa-users] admin password is always expired

Roderick Johnstone rmj at ast.cam.ac.uk
Tue Feb 10 17:35:39 UTC 2015


On 10/02/2015 14:36, Rob Crittenden wrote:
> Roderick Johnstone wrote:
>> On 10/02/15 07:44, Dmitri Pal wrote:
>>> On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> I seem to have locked myself out of my ipa admin account (on RHEL
>>>> 6.6). This is an evaluation instance so not too big a deal, but a good
>>>> learning experience. I suspect it's some changes that I made to the
>>>> password policy that caused this.
>>>>
>>>> The admin account has expired and I'm trying to reset the password
>>>> like this:
>>>>
>>>> # kadmin.local
>>>> Authenticating as principal root/admin at REALM with password.
>>>> kadmin.local:  change_password admin at REALM
>>>> Enter password for principal "admin at REALM":
>>>> Re-enter password for principal "admin at REALM":
>>>> Password for "admin at REALM" changed.
>>>> kadmin.local:  q
>>>>
>>>> where REALM is my realm.
>>>>
>>>> Then when I try to authenticate as admin:
>>>>
>>>> # kinit admin
>>>> Password for admin at REALM:
>>>> Password expired.  You must change it now.
>>>> Enter new password:
>>>> Enter it again:
>>>> kinit: Password has expired while getting initial credentials
>>>>
>>>> and the password is not reset.
>>>>
>>>> This is what the password policy looks like at the moment:
>>>>
>>>> kadmin.local:  get_policy global_policy
>>>> Policy: global_policy
>>>> Maximum password life: 864000000
>>>> Minimum password life: 0
>>>> Minimum password length: 8
>>>> Minimum number of password character classes: 0
>>>> Number of old keys kept: 0
>>>> Reference count: 0
>>>> Maximum password failures before lockout: 6
>>>> Password failure count reset interval: 0 days 00:01:00
>>>> Password lockout duration: 0 days 00:10:00
>>>>
>>>> I'm trying to set this back to the defaults in the hope that this
>>>> allows me to reset the admin password properly, but I'm getting eg:
>>>>
>>>> kadmin.local:  modify_policy -maxlife "90 days" global_policy
>>>> modify_policy: Plugin does not support the operation while modifying
>>>> policy "global_policy".
>>>>
>>>> Am I on the right track to fixing the admin password problem?
>>>>
>>>> What am I doing wrong in trying to repair the password policy?
>>>>
>>>> Actually when I do the following it looks strange that Policy is set
>>>> to none, but maybe this is a red herring:
>>>>
>>>> kadmin.local:  get_principal admin
>>>> Principal: admin at REALM
>>>> Expiration date: [never]
>>>> Last password change: Mon Feb 09 18:28:09 GMT 2015
>>>> Password expiration date: Tue May 22 11:59:53 GMT 1906
>>>> Maximum ticket life: 1 day 00:00:00
>>>> Maximum renewable life: 7 days 00:00:00
>>>> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
>>>> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
>>>> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
>>>> Failed password attempts: 0
>>>> Number of keys: 4
>>>> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
>>>> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
>>>> Key: vno 16, des3-cbc-sha1, Version 5
>>>> Key: vno 16, arcfour-hmac, Version 5
>>>> MKey: vno 1
>>>> Attributes: REQUIRES_PRE_AUTH
>>>> Policy: [none]
>>>>
>>>>
>>>> Thanks for any help in diagnosing this issue or fixing it.
>>>>
>>>> Roderick Johnstone
>>>>
>>
>>
>>> Did you set password expiration for admin manually?
>>
>>
>> OK, as far as I remember, I originally changed the global_policy and
>> then encountered the problem described above, i.e. I couldn't authenticate
>> as admin using:
>> kinit admin
>>
>> In trying to resolve this I found a thread that suggested to change the
>> admin password with:
>> ldappasswd -x -D 'cn=directory manager' -W -S
>> uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx
>>
>> Maybe this was a bad move?
>>
>>> The attribute shows that it is 1906. This makes me think that you set
>>> your expiration to a big number. However the value rolls over in 2038.
>>> So you need to make sure what you set translates to a date before 2038.
>>
>> I suspect I did set the expiration to too big a number originally. After
>> I was in the always expired loop I found a number of threads mentioning
>> this wrap around issue and I have tried a number of things to fix it, so
>> maybe I'm just making things worse.
>>
>>>
>>> Why are you using kadmin.local?  With IPA it is not supported.
>>
>> Out of ignorance I guess. I'm still finding my way into all this stuff!
>>
>> What is the recommended way to reset an admin password in ipa when you
>> can't authenticate as admin?
>>
>>> There is a
>>> bunch of IPA commands that do the same.
>>
>> But if kinit admin won't authenticate me, how can I use the IPA commands?
>>
>> How can I now reset the expiration date for admin when I can't
>> authenticate as admin?
>>
>
> The easiest path forward is to bind as Directory Manager and change the
> password expiration date for the admin user. Then you can use that user
> to more easily modify the password policy.
>
> You want to change krbPasswordExpiration.
>
> rob
>

Rob

Thanks for your reply. Your email came while I was working on this. I 
seem to have achieved the same result by doing:

# ldapmodify -h localhost -x -W -D "cn=directory manager" -f krb.ldif

where I used:
# ldapsearch -x -b "dc=xxx,dc=xxx"
to find the entry for
dn: cn=global_policy,cn=XXX.XXX,cn=kerberos,dc=xxx,dc=xxx

I then made krb.ldif that contains:
dn: cn=global_policy,cn=XXX.XXX,cn=kerberos,dc=xxx,dc=xxx
changetype: modify
replace: krbMaxPwdLife
krbMaxPwdLife: 864000

Then I was able to reset the password with kadmin.local as before.

I see that your solution is much more direct. I'm still learning about 
all this.

Thanks again.

Roderick
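Added example, not from the thread: a Python check that models the 32-bit rollover Dmitri describes, using the admin principal's last password change and the krbMaxPwdLife values quoted above. The stored timestamp is assumed to be a signed 32-bit seconds-since-epoch field; with that assumption the oversized value reproduces the "May 22 1906" expiration shown in the get_principal output, and the helper reports the largest krbMaxPwdLife that still lands before 2038.

```python
from datetime import datetime, timedelta, timezone

# Kerberos KDB timestamps are assumed to be signed 32-bit seconds since the
# Unix epoch, so anything past 2038-01-19 03:14:07 UTC wraps into the past.
INT32_MAX = 2**31 - 1
UINT32_MOD = 2**32
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Values taken from the thread: admin's last password change and the
# krbMaxPwdLife the poster had set (864000000 s, roughly 27.4 years).
LAST_CHANGE = datetime(2015, 2, 9, 18, 28, 9, tzinfo=timezone.utc)
BAD_MAX_LIFE = 864000000
GOOD_MAX_LIFE = 864000  # the 10-day value used in the krb.ldif fix


def wrap_int32(value: int) -> int:
    """Return the value a signed 32-bit timestamp field would actually hold."""
    value %= UINT32_MOD
    return value - UINT32_MOD if value > INT32_MAX else value


def password_expiration(last_change: datetime, max_pwd_life_s: int) -> tuple[datetime, bool]:
    """Compute the effective krbPasswordExpiration and whether it overflowed.

    Returns (effective_expiration_utc, overflowed).
    """
    intended = int(last_change.timestamp()) + max_pwd_life_s
    stored = wrap_int32(intended)
    # Offset from the epoch so pre-1970 results work on every platform,
    # unlike datetime.fromtimestamp() with a negative argument.
    return EPOCH + timedelta(seconds=stored), stored != intended


def max_safe_pwd_life(last_change: datetime) -> int:
    """Largest krbMaxPwdLife (seconds) that keeps this expiration before 2038."""
    return INT32_MAX - int(last_change.timestamp())


def check_policy(last_change: datetime, max_pwd_life_s: int) -> str:
    """Human-readable verdict for a proposed krbMaxPwdLife value."""
    expires, overflowed = password_expiration(last_change, max_pwd_life_s)
    if overflowed:
        return (f"REJECT: krbMaxPwdLife={max_pwd_life_s} wraps to "
                f"{expires:%Y-%m-%d %H:%M:%S} UTC; max safe value from "
                f"{last_change:%Y-%m-%d} is {max_safe_pwd_life(last_change)} s")
    return f"OK: expires {expires:%Y-%m-%d %H:%M:%S} UTC"


if __name__ == "__main__":
    print(check_policy(LAST_CHANGE, BAD_MAX_LIFE))   # the thread's 1906 expiry
    print(check_policy(LAST_CHANGE, GOOD_MAX_LIFE))
```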