[Freeipa-users] password resets - errors

Janelle janellenicole80 at gmail.com
Tue Sep 29 13:28:18 UTC 2015


On 9/28/15 11:33 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On 27/09/15 09:21, Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusion with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired.  The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>> This may be due to an implementation issue in the client.
>> libkrb5 tends to wait only 1 second for an operation to succeed/fail and
>> will send a new (identical) message if it gets back no answer, this is
>> due to the fact historically KRB5 has used UDP in preference which
>> doesn't guarantee message delivery, so the only option is to retry.
>>
>> However if the first message actually went through and the only problem
>> is that the server was busy and slower, a second message will be received
>> and processed just the same, only to find out the password has just been
>> changed and can't be changed again, hence the error message.
>>
>> I guess one way to handle this would be to disable clients from using
>> UDP completely, although I am not 100% certain this will avoid the
>> problem, IIRC at least in some versions the client library would retry
>> after 1 second even on TCP.
>>
>> Simo.
>>
>>
> udp_preference_limit 0 was added to /etc/krb5.conf in 4.2 to prefer TCP
> for the initial request anyway. According to the man page it will always
> fall back to UDP upon failure.
>
> rob
>
This value appears to be set in 4.1.x as well, at least it is on my 
configurations.

Policy is set:
  Group: global_policy
   Max lifetime (days): 90
   Min lifetime (hours): 1

and this is true for ALL users.

I will try disabling UDP completely.
~J
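Added example (not part of the thread, and not FreeIPA or MIT krb5 code): a small checker that parses the [libdefaults] section of an MIT-style krb5.conf and reports the effective udp_preference_limit, so you can confirm on a given client what Rob and Janelle are discussing. It assumes the MIT semantics documented for that key: a request larger than the limit is sent over TCP first, so 0 or 1 means TCP is always tried first, and the default when the key is absent is 1465 bytes. The two sample configurations are constructed for the example and are not Janelle's files. The caveat stands as Rob says: either transport is still tried if the first attempt fails, so a TCP-first setting narrows the UDP retransmit window but does not show that UDP is disabled, and the parser does not follow includedir entries.

```python
"""Report whether an MIT krb5.conf prefers TCP for KDC traffic.

Constructed example, not code from FreeIPA or MIT krb5.  Parses the
[libdefaults] section of an MIT-style krb5.conf and reports the effective
udp_preference_limit.  Assumed MIT semantics (krb5.conf man page): a request
larger than the limit goes over TCP first, so 0 or 1 means TCP is always
tried first; the default when the key is unset is 1465 bytes.  Both
transports are still tried if the first fails, so this only narrows the
UDP retransmit window discussed in the thread.  includedir is not followed.
"""

DEFAULT_UDP_PREFERENCE_LIMIT = 1465  # MIT krb5 default when the key is absent

# Constructed sample in the general shape ipa-client-install writes; not a real file.
IPA_CLIENT_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    kpasswd_server = ipa.example.com:464
    default_domain = example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

# Constructed minimal config with no udp_preference_limit set at all.
STOCK_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true   ; trailing comment

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat keys of each section.

    Comments start with '#' or ';'.  Brace-delimited sub-blocks (the
    per-realm entries under [realms]) are skipped, since only the flat
    [libdefaults] keys matter for this check.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        # Track nested brace blocks so their keys are not taken as section keys.
        depth += line.count('{') - line.count('}')
        if depth > 0 or current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        sections[current][key.lower()] = value
    return sections


def tcp_preferred(sections):
    """Return (tcp_first, limit): whether every request size goes TCP first."""
    value = sections.get('libdefaults', {}).get('udp_preference_limit')
    limit = int(value) if value is not None else DEFAULT_UDP_PREFERENCE_LIMIT
    return limit <= 1, limit


def report(text):
    """Human-readable one-line verdict for a krb5.conf body."""
    tcp_first, limit = tcp_preferred(parse_krb5_conf(text))
    how = 'TCP tried first for every request' if tcp_first else \
        'UDP tried first for requests up to %d bytes' % limit
    return 'udp_preference_limit=%d: %s (UDP fallback still possible)' % (limit, how)


if __name__ == '__main__':
    print('IPA client: ', report(IPA_CLIENT_CONF))
    print('stock:      ', report(STOCK_CONF))
```

To check a real client, read /etc/krb5.conf into `report()`; remember that keys set in files under an includedir are not seen by this parser.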