[Freeipa-users] password resets - errors

Rob Crittenden rcritten at redhat.com
Mon Sep 28 17:56:06 UTC 2015


Janelle wrote:
> On 9/28/15 6:10 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusions with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired.  The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>>>
>>> ~Janelle
>>>
>> What tool is changing the expired password?
>>
>> I'd be curious to see the password policy for the user, ipa
>> pwpolicy-show --user=<user>
>>
>> Seeing the krbLastPwdChange and krbPasswordExpiration might be handy too.
>>
>> rob
> Hi,
> 
> I was hoping it would not go off on this tangent. All users have the
> default PW policy -- there are no differences and every single user has
> the same problem.

Well, I don't see it as a tangent. If the min time is > max time, I
don't know how the backend handles that off the top of my head.
Something thinks the password isn't old enough yet and that is a
calculated value.

> The tool is simple "passwd" or, in the case of some users who have
> actually hit the 90 expiry, nothing more than a simple login followed by
> the system saying your password has expired, please change it.
> 
> The krbLastPwdChange shows the exact day/time of the user changing their
> PW, in this case, when this error occurs. The expiration shows 90 days
> from that time. If you see the specifics I mentioned, even though the
> error is presented, the password is actually changed. Really confused
> with this one.

And that's why I wanted to see the policy. Too young is defined as
cur_time < last password change + min password life. Who knows, maybe it
is a units issue.

In both the KDC and LDAP code this appears to be a show-stopping error
which is why trying to duplicate it using your values would be useful.

Knowing the version of IPA would help too.

rob
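To reproduce the "too young" rule Rob states (cur_time < last password change + min password life) from the raw attribute values, here is an added example that is not from the thread or from FreeIPA itself: it reads krbLastPwdChange as LDAP GeneralizedTime and evaluates the rule with the minimum life taken once as seconds and once as hours, so the effect of a units mix-up can be seen side by side. The sample values are constructed, and the assumption that krbMinPwdLife is stored in seconds while the CLI displays hours is mine, not something the thread states.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from the thread): a krbLastPwdChange in LDAP
# GeneralizedTime form and a krbMinPwdLife of 3600. Assumption: the attribute
# holds seconds, which the FreeIPA CLI would present as "Min lifetime (hours): 1".
SAMPLE_LAST_CHANGE = "20150630065412Z"
SAMPLE_MIN_PWD_LIFE = 3600
SAMPLE_NOW = "20150928135412Z"   # 90 days later: the old password has expired


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20150928065412Z' (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_too_young(last_change, min_life, now):
    """The rule from the thread: too young means cur_time < last change + min life."""
    return now < last_change + min_life


def check_both_units(last_change_str, min_pwd_life, now_str):
    """Evaluate the rule with min_pwd_life read as seconds and, wrongly, as hours.

    Returns both verdicts so a units mistake is visible at a glance: 3600 read
    as hours is 150 days, which would reject changes even after a 90-day expiry.
    """
    last_change = parse_generalized_time(last_change_str)
    now = parse_generalized_time(now_str)
    return {
        "as_seconds": password_too_young(last_change, timedelta(seconds=min_pwd_life), now),
        "as_hours": password_too_young(last_change, timedelta(hours=min_pwd_life), now),
    }


if __name__ == "__main__":
    verdicts = check_both_units(SAMPLE_LAST_CHANGE, SAMPLE_MIN_PWD_LIFE, SAMPLE_NOW)
    for unit, too_young in verdicts.items():
        print(f"min life read {unit}: too young = {too_young}")
```

Substituting real krbLastPwdChange and krbMinPwdLife values from the affected server shows whether the rejection is consistent with the rule as stated or points elsewhere.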
