[Freeipa-users] password resets - errors

[Janelle]

On 9/28/15 6:10 AM, Rob Crittenden wrote:
> Janelle wrote:
>> Hello,
>>
>> I continue to see these a lot, but only on some servers. It causes a lot
>> of confusions with my users. There must be a way to troubleshoot this
>> and find the issue. Also, there is nothing wrong with the password
>> policies. They are all set to default, and this occurs even when a
>> user's password has expired.  The only thing I can say is it tends to
>> happen on more heavily loaded servers than lightly loaded ones. And
>> perhaps the most important point - the password *IS* changed successfully!
>>
>> Changing password for user expired-user.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Current password's minimum life
>> has not expired
>>
>> Password not changed.
>> passwd: Authentication token manipulation error
>>
>> Thoughts? Anything?
>>
>> ~Janelle
>>
> What tool is changing the expired password?
>
> I'd be curious to see the password policy for the user, ipa
> pwpolicy-show --user=<user>
>
> Seeing the krbLastPwdChange
>   and krbPasswordExpiration might be handy too.
>
> rob
Hi,

I was hoping it would not go off on this tangent. All users have the 
default PW policy -- there are no differences and every single user has 
the same problem.

The tool is simple "passwd" or, in the case of some users who have 
actually hit the 90 expiry, nothing more than a simple login followed by 
the system saying your password has expired, please change it.

The krbLastPwdChange shows the exact day/time of the user changing their 
PW, in this case, when this error occurs. The expiration shows 90 days 
from that time. If you see the specifics I mentioned, even though the 
error is presented, the password is actually changed. Really confused 
with this one.

~J