That could explain why 9999 hasn't worked for my service accounts.

Is this fixed in 6.4?


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 25 January 2013 11:03 a.m.
To: KodaK
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] non-expiring password policy (or as close as I can 

KodaK wrote:
> I have a need to have certain mission critical application accounts
> non-expiring (people don't log in directly, but if the accounts expire
> it could stop production jobs.)
> I've set "Max lifetime (days)" to 99999 in the web interface, but
> here's what I see when I do "ipa pwpolicy show":
>    Group: application-accounts
>    Max lifetime (days): 8639913600
>    Min lifetime (hours): 0
>    History size: 0
>    Character classes: 3
>    Min length: 8
>    Priority: 0
>    Max failures: 0
>    Failure reset interval: 0
>    Lockout duration: 0
> I have a user that is a member of the application-accounts group and
> they reset their password yesterday, but their password is set to
> expire in three months:
> krbpasswordexpiration: 20130423220808Z
> krbpwdpolicyreference: cn=application-accounts
> Have I hit some maximum and I'm confusing IPA?  Or do I completely
> misunderstand these entries?
> I also have a case open with RH on this, but I haven't heard anything
> back yet.  If I get this solved through them I'll be sure to reply
> with results.

It is a 32-bit time problem.

I'd set the maxlife no higher than 5000 for now.


Freeipa-users mailing list
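A check for the limit discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code. It assumes the expiry is computed as the password-change time plus the max lifetime in seconds and stored in a signed 32-bit time_t; the change time below is constructed, and the function names are hypothetical.

```python
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1      # last second a signed 32-bit time_t holds (2038-01-19T03:14:07Z)
SECONDS_PER_DAY = 86400


def parse_krb_time(value):
    """Parse an LDAP generalized time such as krbpasswordexpiration (YYYYmmddHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_fits_int32(changed_at, maxlife_days):
    """True if changed_at + maxlife_days is still representable in 32 bits."""
    expiry = int(changed_at.timestamp()) + maxlife_days * SECONDS_PER_DAY
    return expiry <= INT32_MAX


def max_safe_maxlife_days(changed_at):
    """Largest max lifetime (days) that keeps the expiry below the 32-bit limit."""
    return (INT32_MAX - int(changed_at.timestamp())) // SECONDS_PER_DAY


# Constructed sample: a password changed the day before the thread's date.
CHANGED_AT = parse_krb_time("20130124000000Z")

if __name__ == "__main__":
    # 99999 days expressed in seconds is the figure "ipa pwpolicy show" printed above.
    print("99999 days in seconds:", 99999 * SECONDS_PER_DAY)
    print("largest safe maxlife (days):", max_safe_maxlife_days(CHANGED_AT))
    # The three max lifetime values mentioned in the thread.
    for days in (5000, 9999, 99999):
        verdict = "fits" if expiry_fits_int32(CHANGED_AT, days) else "exceeds 32-bit time_t"
        print(f"maxlife={days}: {verdict}")
```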