[Freeipa-users] Wrong time / constantly expired passwords

urgrue urgrue at gmail.com
Wed Oct 28 18:15:29 UTC 2015


Here are some examples:

[root at mule ~]# ipa user-status freddie
-----------------------
Account disabled: False
-----------------------
  Server: mule.bulb
  Failed logins: 0
  Last successful authentication: 2015-10-28T09:03:48Z
  Last failed authentication: 2015-10-28T09:03:40Z
  Time now: 2015-10-28T18:05:51Z
----------------------------
Number of entries returned 1
----------------------------
[root at mule ~]# ipa user-show freddie
  User login: freddie
  First name: fred
  Last name: orispaa
  Home directory: /home/freddie
  Login shell: /bin/sh
  UID: 50001
  GID: 50001
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers
  Indirect Member of Sudo rule: allow_all
  Kerberos keys available: True
  SSH public key fingerprint:
DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5
                              freddie at mule (ssh-rsa)

With SSH:

[root at mule ~]$ ssh freddie at mule
freddie at mule's password:
Password expired. Change your password now.
Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user freddie.
Current Password:
New password:
Retype new password:
passwd: Authentication token is no longer valid; new one required
Connection to mule closed.

(Now if I log in again, the same process repeats, except the password has
indeed changed)

With su the output is less informative:
[jj at mule ~]$ su - freddie
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
su: incorrect password

(the password was correct and it HAS changed even though the output implies
I entered the wrong current password).

Doing kinit:

-sh-4.1$ id
uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),50000(admins)
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
-sh-4.1$ kinit
Password for freddie at BULB:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)

(again the password HAS changed)

In case it's of any relevance, note that root has no issue with Kerberos
credentials:
[root at mule ~]# kinit admin
Password for admin at BULB:
[root at mule ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at BULB

Valid starting     Expires            Service principal
10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB at BULB



On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> urgrue wrote:
> > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> > on how to debug it? Everything looks OK, but passwords are just
> > perma-expired at all times.
>
> Need more info on what you're seeing and how the passwords are being
> changed.
>
> rob
>
> >
> >
> > On Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >     urgrue wrote:
> >     > Hi,
> >     > On a new install, I'm being forced a password reset on every login. Not
> >     > sure why but this doesn't look right:
> >     >
> >     > # date
> >     > Tue Oct 27 21:02:57 CET 2015
> >     >
> >     > # ipa user-status blah1
> >     > <snip>
> >     >   Last successful authentication: 2015-10-27T19:34:53Z
> >     >   Last failed authentication: 2015-10-27T19:34:20Z
> >     >   Time now: 2015-10-27T20:03:00Z
> >     >
> >     > Where is it getting this wrong time from?
> >
> >     What's wrong with the time? CET is one hour behind GMT right? That is
> >     reflected by the difference between the output of date and "Time now".
> >
> >     Passwords administratively reset must be set by the user during the
> >     first authentication. If the password needs further reset then yeah,
> >     something is wrong, but the above looks ok.
> >
> >     rob
> >
>
>