Stephen Berg (Contractor, Code 7320) via FreeIPA-users wrote: > On 11/06/2017 10:21 AM, Rob Crittenden wrote: >> Moving back to freeipa-users list. >> >> Stephen Berg (Contractor, Code 7320) wrote: >>> On 11/06/2017 09:37 AM, Rob Crittenden wrote: >>>> Stephen Berg (Contractor, Code 7320) via FreeIPA-users wrote: >>>>> On 11/06/2017 08:02 AM, Stephen Berg (Contractor, Code 7320) via >>>>> FreeIPA-users wrote: >>>>>> Had a few users get kicked off a console session while changing their >>>>>> password. Seems there's a rather short timeout for this. Is the >>>>>> timeout a configuration that can be adjusted somewhere in IPA or >>>>>> possibly pam.d? I've been looking for it but haven't come across >>>>>> anything that looks likely so far. >>>>>> >>>>> Forgot to mention... Systems are running SciLinux 7.3 or 7.4 same >>>>> as the >>>>> ipa servers. >>>>> >>>> Need more information. >>>> >>>> How are you changing the password? I'm assuming you mean logging into >>>> the console with an expired password but it isn't clear. >>>> >>>> What output are you getting? >>>> >>>> Was this configuring using ipa-client-install? >>>> >>>> >>>> >>>> rob >>>> >>> Switching to a console with Ctrl-Alt-F3, user with an expired password >>> logs in, gets told their password has expired and they need to change >>> it. The system asks for current password again, they type that, then >>> they type a new password twice to get it changed. The problem comes up >>> with a slow typist and partway through the process the console just >>> kicks them off and they're back at a login prompt. There's no error >>> message on the screen that I've been able to see, and I'm not seeing any >>> log entries to indicate a problem. >>> >> IIRC agetty handles console logins these days and I'm assuming that is >> invoked by systemd-getty-generator. I'm not sure what knobs are >> available to tune timeouts with these. >> >> rob >> > That may be it. Looks like agetty uses login, so that is configured by > /etc/login.defs and there is a timeout option for that. I'll have to > wait for the next slow typist with an expired password to get a real > test though. Thanks. > >
You can create a test user, set a password on it and try that. An administratively reset password always requires a new one. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org