Re: [Freeipa-users] Wrong time / constantly expired passwords

Here are some examples:

[root mule ~]# ipa user-status freddie
Account disabled: False
  Server: mule.bulb
  Failed logins: 0
  Last successful authentication: 2015-10-28T09:03:48Z
  Last failed authentication: 2015-10-28T09:03:40Z
  Time now: 2015-10-28T18:05:51Z
Number of entries returned 1
[root mule ~]# ipa user-show freddie
  User login: freddie
  First name: fred
  Last name: orispaa
  Home directory: /home/freddie
  Login shell: /bin/sh
  UID: 50001
  GID: 50001
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers
  Indirect Member of Sudo rule: allow_all
  Kerberos keys available: True
  SSH public key fingerprint: DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5
                              freddie mule (ssh-rsa)

With SSH:

[root mule ~]$ ssh freddie mule
freddie mule's password:
Password expired. Change your password now.
Last login: Wed Oct 28 10:03:44 2015 from
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user freddie.
Current Password:
New password:
Retype new password:
passwd: Authentication token is no longer valid; new one required
Connection to mule closed.

(Now if I log in again, the same process repeats, except the password has indeed changed)

With su the output is less informative:
[jj mule ~]$ su - freddie
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
su: incorrect password

(the password was correct and it HAS changed even though the output implies I entered the wrong current password).

Doing kinit:

-sh-4.1$ id
uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),50000(admins)
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
-sh-4.1$ kinit
Password for freddie BULB:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)

(again the password HAS changed)

In case it's of any relevance, note that root has no issue with Kerberos credentials:
[root mule ~]# kinit admin
Password for admin BULB:
[root mule ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin BULB

Valid starting     Expires            Service principal
10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB BULB

On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden <rcritten redhat com> wrote:
urgrue wrote:
> Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> on how to debug it? Everything looks OK, but passwords are just
> perma-expired at all times.

Need more info on what you're seeing and how the passwords are being


> On Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcritten redhat com> wrote:
>     urgrue wrote:
>     > Hi,
>     > On a new install, I'm being forced a password reset on every login. Not
>     > sure why but this doesn't look right:
>     >
>     > # date
>     > Tue Oct 27 21:02:57 CET 2015
>     >
>     > # ipa user-status blah1
>     > <snip>
>     >   Last successful authentication: 2015-10-27T19:34:53Z
>     >   Last failed authentication: 2015-10-27T19:34:20Z
>     >   Time now: 2015-10-27T20:03:00Z
>     >
>     > Where is it getting this wrong time from?
>     What's wrong with the time? CET is one hour behind GMT right? That is
>     reflected by the difference between the output of date and "Time now".
>     Passwords administratively reset must be set by the user during the
>     first authentication. If the password needs further reset then yeah,
>     something is wrong, but the above looks ok.
>     rob

