[Freeipa-users] admin password is always expired

Tue Feb 10 14:36:37 UTC 2015

Roderick Johnstone wrote:
> On 10/02/15 07:44, Dmitri Pal wrote:
>> On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
>>> Hi
>>>
>>> I seem to have locked myself out of my ipa admin account (on RHEL
>>> 6.6). This is an evaluation instance so not too big a deal, but a good
>>> learning experience. I suspect its some changes that I made to the
>>> password policy that caused this.
>>>
>>> The admin account has expired and I'm trying to reset the password
>>> like this:
>>>
>>> # kadmin.local
>>> Authenticating as principal root/admin at REALM with password.
>>> kadmin.local:  change_password admin at REALM
>>> Enter password for principal "admin at REALM":
>>> Re-enter password for principal "admin at REALM":
>>> Password for "admin at REALM" changed.
>>> kadmin.local:  q
>>>
>>> where REALM is my realm.
>>>
>>> Then when I try to authenticate as admin:
>>>
>>> # kinit admin
>>> Password for admin at REALM:
>>> Password expired.  You must change it now.
>>> Enter new password:
>>> Enter it again:
>>> kinit: Password has expired while getting initial credentials
>>>
>>> and the password is not reset.
>>>
>>> This is what the password policy looks like at the moment:
>>>
>>> kadmin.local:  get_policy global_policy
>>> Policy: global_policy
>>> Maximum password life: 864000000
>>> Minimum password life: 0
>>> Minimum password length: 8
>>> Minimum number of password character classes: 0
>>> Number of old keys kept: 0
>>> Reference count: 0
>>> Maximum password failures before lockout: 6
>>> Password failure count reset interval: 0 days 00:01:00
>>> Password lockout duration: 0 days 00:10:00
>>>
>>> I'm trying to set this back to the defaults in the hope that this
>>> allows me to reset the admin password properly, but I'm getting eg:
>>>
>>> kadmin.local:  modify_policy -maxlife "90 days" global_policy
>>> modify_policy: Plugin does not support the operation while modifying
>>> policy "global_policy".
>>>
>>> Am I on the right track to fixing the admin password problem?
>>>
>>> What am I doing wrong in trying to repair the password policy?
>>>
>>> Actually when I do the following it looks strange that Policy is set
>>> to none, but maybe this is a red herring:
>>>
>>> kadmin.local:  get_principal admin
>>> Principal: admin at REALM
>>> Expiration date: [never]
>>> Last password change: Mon Feb 09 18:28:09 GMT 2015
>>> Password expiration date: Tue May 22 11:59:53 GMT 1906
>>> Maximum ticket life: 1 day 00:00:00
>>> Maximum renewable life: 7 days 00:00:00
>>> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind at REALM)
>>> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
>>> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
>>> Failed password attempts: 0
>>> Number of keys: 4
>>> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
>>> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
>>> Key: vno 16, des3-cbc-sha1, Version 5
>>> Key: vno 16, arcfour-hmac, Version 5
>>> MKey: vno 1
>>> Attributes: REQUIRES_PRE_AUTH
>>> Policy: [none]
>>>
>>>
>>> Thanks for any help in diagnosing this issue or fixing it.
>>>
>>> Roderick Johnstone
>>>
> 
> 
>> Did you set password expiration for admin manually?
> 
> 
> ok, as far as I remember, I originally changed the global_policy and
> then encountered the problem described above. ie I couldn't authenticate
> as admin using:
> kinit admin
> 
> In trying to resolve this I found a thread that suggested to change the
> admin password with:
> ldappasswd -x -D 'cn=directory manager' -W -S
> uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx
> 
> Maybe this was a bad move?
> 
>> The attribute shows that it is 1906. This makes me think that you set
>> your expiration to a big number. However the value rolls over in 2038.
>> So you need to make sure what you set translates to a date before 2038.
> 
> I suspect I did set the expiration to too big a number originally. After
> I was in the always expired loop I found a number of threads mentioning
> this wrap around issue and I have tried a number of things to fix it, so
> maybe I'm just making things worse.
> 
>>
>> Why are you using kdamin.local?  With IPA it is not supported.
> 
> Out of ignorance I guess. I'm still finding my way into all this stuff!
> 
> What is the recommended way to reset an admin password in ipa when you
> can't authenticate as admin?
> 
>> There is a
>> bunch of IPA commands that do the same.
> 
> But if kinit admin won't authenticate me, how can I use the IPA commands?
> 
> How can I now reset the expiration date for admin when I can't
> authenticate as admin?
>

The easiest path forward is to bind as Directory Manager and change the
password expiration date for the admin user. Then you can use that user
to more easily modify the password policy.

You want to change krbPasswordExpiration.

rob