[Freeipa-users] Wrong time / constantly expired passwords
urgrue
urgrue at gmail.com
Wed Oct 28 18:15:29 UTC 2015
Here are some examples:
[root at mule ~]# ipa user-status freddie
-----------------------
Account disabled: False
-----------------------
Server: mule.bulb
Failed logins: 0
Last successful authentication: 2015-10-28T09:03:48Z
Last failed authentication: 2015-10-28T09:03:40Z
Time now: 2015-10-28T18:05:51Z
----------------------------
Number of entries returned 1
----------------------------
[root at mule ~]# ipa user-show freddie
User login: freddie
First name: fred
Last name: orispaa
Home directory: /home/freddie
Login shell: /bin/sh
UID: 50001
GID: 50001
Account disabled: False
Password: True
Member of groups: admins, ipausers
Indirect Member of Sudo rule: allow_all
Kerberos keys available: True
SSH public key fingerprint:
DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5
freddie at mule (ssh-rsa)
With SSH:
[root at mule ~]$ ssh freddie at mule
freddie at mule's password:
Password expired. Change your password now.
Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user freddie.
Current Password:
New password:
Retype new password:
passwd: Authentication token is no longer valid; new one required
Connection to mule closed.
(Now if I log in again, the same process repeats, except the password has
indeed changed)
With su the output is less informative:
[jj at mule ~]$ su - freddie
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
su: incorrect password
(the password was correct and it HAS changed even though the output implies
I entered the wrong current password).
Doing kinit:
-sh-4.1$ id
uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),50000(admins)
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
-sh-4.1$ kinit
Password for freddie at BULB:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
(again the password HAS changed)
In case it's of any relevance, note that root has no issue with Kerberos
credentials:
[root at mule ~]# kinit admin
Password for admin at BULB:
[root at mule ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at BULB
Valid starting Expires Service principal
10/28/15 19:14:56 10/29/15 19:14:53 krbtgt/BULB at BULB
On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> urgrue wrote:
> > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> > on how to debug it? Everything looks OK, but passwords are just
> > perma-expired at all times.
>
> Need more info on what you're seeing and how the passwords are being
> changed.
>
> rob
>
> >
> >
> > On Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcritten at redhat.com
> > <mailto:rcritten at redhat.com>> wrote:
> >
> > urgrue wrote:
> > > Hi,
> > > On a new install, I'm being forced a password reset on every login. Not
> > > sure why but this doesn't look right:
> > >
> > > # date
> > > Tue Oct 27 21:02:57 CET 2015
> > >
> > > # ipa user-status blah1
> > > <snip>
> > > Last successful authentication: 2015-10-27T19:34:53Z
> > > Last failed authentication: 2015-10-27T19:34:20Z
> > > Time now: 2015-10-27T20:03:00Z
> > >
> > > Where is it getting this wrong time from?
> >
> > What's wrong with the time? CET is one hour behind GMT right? That is
> > reflected by the difference between the output of date and "Time now".
> >
> > Passwords administratively reset must be set by the user during the
> > first authentication. If the password needs further reset then yeah,
> > something is wrong, but the above looks ok.
> >
> > rob
> >
>
>