
Re: [Freeipa-users] Wrong time / constantly expired passwords



urgrue wrote:
> Here are some examples:
> 
> [root mule ~]# ipa user-status freddie
> -----------------------
> Account disabled: False
> -----------------------
>   Server: mule.bulb
>   Failed logins: 0
>   Last successful authentication: 2015-10-28T09:03:48Z
>   Last failed authentication: 2015-10-28T09:03:40Z
>   Time now: 2015-10-28T18:05:51Z
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root mule ~]# ipa user-show freddie
>   User login: freddie
>   First name: fred
>   Last name: orispaa
>   Home directory: /home/freddie
>   Login shell: /bin/sh
>   UID: 50001
>   GID: 50001
>   Account disabled: False
>   Password: True
>   Member of groups: admins, ipausers
>   Indirect Member of Sudo rule: allow_all
>   Kerberos keys available: True
>   SSH public key fingerprint:
> DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5
>                               freddie mule (ssh-rsa)
> 
> With SSH:
> 
> [root mule ~]$ ssh freddie mule
> freddie mule's password:
> Password expired. Change your password now.
> Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user freddie.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token is no longer valid; new one required
> Connection to mule closed.
> 
> (Now if I login again, the same process repeats, except the password has
> indeed changed)
> 
> With su the output is less informative:
> [jj mule ~]$ su - freddie
> Password:
> Password expired. Change your password now.
> Current Password:
> New password:
> Retype new password:
> su: incorrect password
> 
> (the password was correct and it HAS changed even though the output
> implies I entered the wrong current password).
> 
> Doing kinit:
> 
> -sh-4.1$ id
> uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),50000(admins)
> -sh-4.1$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
> -sh-4.1$ kinit
> Password for freddie BULB:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials
> -sh-4.1$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
> 
> (again the password HAS changed)
> 
> In case it's of any relevance, note that root has no issue with kerberos
> credentials:
> [root mule ~]# kinit admin
> Password for admin BULB:
> [root mule ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin BULB
> 
> Valid starting     Expires            Service principal
> 10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB BULB

I don't see this as root vs other users, you are using a different
principal.

This makes me wonder if the password policy is strange.

You might also want to kinit as freddie and go through the password
reset again, then search LDAP for freddie's password expiration:

$ ldapsearch -Y GSSAPI -s base -b
uid=freddie,cn=users,cn=accounts,dc=example,dc=com krbPasswordExpiration

And check out freddie's password policy:

$ ipa pwpolicy-show --user freddie

rob

> 
> 
> 
> On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden <rcritten redhat com
> <mailto:rcritten redhat com>> wrote:
> 
>     urgrue wrote:
>     > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
>     > on how to debug it? Everything looks OK, but passwords are just
>     > perma-expired at all times.
> 
>     Need more info on what you're seeing and how the passwords are being
>     changed.
> 
>     rob
> 
>     >
>     >
>     > On Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcritten redhat com <mailto:rcritten redhat com>
>     > <mailto:rcritten redhat com <mailto:rcritten redhat com>>> wrote:
>     >
>     >     urgrue wrote:
>     >     > Hi,
>     >     > On a new install, I'm being forced a password reset on every
>     >     login. Not
>     >     > sure why but this doesn't look right:
>     >     >
>     >     > # date
>     >     > Tue Oct 27 21:02:57 CET 2015
>     >     >
>     >     > # ipa user-status blah1
>     >     > <snip>
>     >     >   Last successful authentication: 2015-10-27T19:34:53Z
>     >     >   Last failed authentication: 2015-10-27T19:34:20Z
>     >     >   Time now: 2015-10-27T20:03:00Z
>     >     >
>     >     > Where is it getting this wrong time from?
>     >
>     >     What's wrong with the time? CET is one hour behind GMT right?
>     That is
>     >     reflected by the difference between the output of date and
>     "Time now".
>     >
>     >     Passwords administratively reset must be set by the user
>     during the
>     >     first authentication. If the password needs further reset then
>     yeah,
>     >     something is wrong, but the above looks ok.
>     >
>     >     rob
>     >
> 
> 

