Hi, That could explain why 9999 hasnt worked for my service accounts.
Is this fixed in 6.4? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 25 January 2013 11:03 a.m. To: KodaK Cc: email@example.com Subject: Re: [Freeipa-users] non-expiring password policy (or as close as I can come) KodaK wrote: > I have a need to have certain mission critical application accounts > non-expiring (people don't log in directly, but if the accounts expire > it could stop production jobs.) > > I've set "Max lifetime (days)" to 99999 in the web interface, but > here's what I see when I do "ipa pwpolicy show": > > Group: application-accounts > Max lifetime (days): 8639913600 > Min lifetime (hours): 0 > History size: 0 > Character classes: 3 > Min length: 8 > Priority: 0 > Max failures: 0 > Failure reset interval: 0 > Lockout duration: 0 > > I have a user that is a member of the application-accounts group and > they reset their password yesterday, but their password is set to > expire in three months: > > krbpasswordexpiration: 20130423220808Z > krbpwdpolicyreference: cn=application-accounts > > Have I hit some maximum and I'm confusing IPA? Or do I completely > misunderstand these entries? > > I also have a case open with RH on this, but I haven't heard anything > back yet. If I get this solved through them I'll be sure to reply > with results. It is a 32-bit time problem. I'd set the maxlife no higher than 5000 for now. rob _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users