[Freeipa-users] password expiration

Martin Kosek mkosek at redhat.com
Tue Jun 2 08:35:43 UTC 2015 

You would need to do the modifications as Directory Manager or other user in 
"admins"group.

To resolve this, you would need manually fix admin entry attribute 
krbPasswordExpiration to some future date, kinit as admin and then fixing the 
global policy with some sane value (pwpolicy-mod).

Martin

On 06/02/2015 10:30 AM, Sandor Juhasz wrote:
> It is confirmed, the password policy was changed with password expiration
> beyond 2038.
> Question is, how can we restore the pw policy without a working admin user?
>
> *Sándor Juhász*
> System Administrator
> *ChemAxon**Ltd*.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
> -------------------------------------------------------------------------------
> *From: *"Martin Kosek" <mkosek at redhat.com>
> *To: *"Tamas Papp" <tompos at martos.bme.hu>, freeipa-users at redhat.com
> *Sent: *Tuesday, June 2, 2015 9:54:43 AM
> *Subject: *Re: [Freeipa-users] password expiration
>
> On 06/01/2015 07:50 PM, Tamas Papp wrote:
>  > hi All,
>  >
>  > I'm stuck:
>  >
>  >
>  > $ kinit admin
>  > Password for admin at CXCLIENTS:
>  > kinit: Password incorrect while getting initial credentials
>  > [root at ipa-clients1 ~]$ kinit admin
>  > Password for admin at CXCLIENTS:
>  > Password expired.  You must change it now.
>  > Enter new password:
>  > Enter it again:
>  > kinit: Password has expired while getting initial credentials
>  >
>  >
>  >
>  >
>  > $ kinit admin
>  > Password for admin at CXCLIENTS:
>  > Password expired.  You must change it now.
>  > Enter new password:
>  > Enter it again:
>  > Password change rejected: Current password's minimum life has not expired
>  >
>  > Password not changed..  Please try again.
>  >
>  > Enter new password:
>  >
>  >
>  >
>  >
>  > What can I do now?
>  >
>  >
>  > Thanks,
>  > tamas
>  >
>
> Hi Tamas,
>
> What platform and FreeIPA version do you use? What actions did you do before
> this happened? Were you for example changing the (global) password policy?
> Setting a too high password life may case the Year 2038 problem and have
> password validity in the past.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list