Brian Smith wrote:
Thanks for your response, and sorry for my late response.  I'm on RHEL6,
using the packages from the distribution
repository, ipa-server-2.2.0-17.el6_3.1.x86_64

My pwpolicy is set as such (in testing):

$ ipa pwpolicy-show --all
   dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
   Group: global_policy
   Max lifetime (days): 365
   Min lifetime (hours): 1
   History size: 0
   Character classes: 0
   Min length: 8
   Max failures: 10
   Failure reset interval: 60
   Lockout duration: 600
   objectclass: top, nsContainer, krbPwdPolicy


If I create an account and set the password using the following JSON
string, against $server/ipa/json, say today,

{
  "method":"user_add",
  "params":[ [],
    {
      "uid":"it-rc-test-faculty",
      "homedirectory":"/home/i/it-rc-test-faculty",
      "userpassword":"MyPasswordInTheClear",
      "givenname":"RC TEST - Faculty",
      "sn":"Service_Account"
    }]
}

I get a password expiry time like so:

$ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
krbpasswordexpiration: 20130602163523Z

That's clearly not one year into the future, but more like 90 days.

Is there something else I'm missing or are we looking at a bug?

I still can't reproduce this. I tried from our 3.x branch and the 2.2 bits on 6.3.

Can you do: ipa pwpolicy-show --user=it-rc-test-faculty

This will show the policy applied to that user.

Might also check /var/log/dirsrv/slapd-REALM/errors for anything suspicious.

rob


Many thanks,
-Brian


On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mko...@redhat.com> wrote:

    On 02/25/2013 04:38 PM, Brian Smith wrote:
     > It seems that regardless of the global password expiry setting, that setting a
     > password via the methods
     >
     > user-add
     > passwd
     >
     > I will always have a password that expires in 90 days.  I followed the
     > instructions here http://freeipa.org/page/PasswordSynchronization
     >
     > to avoid the immediate expiry, but I need at least 180 days for my
     > configuration to work.
     >
     > Any help would be appreciated!
     >
     > --
     > Brian Smith
     > Assistant Director
     > Research Computing, University of South Florida
     > 4202 E. Fowler Ave. SVC4010
     > Office Phone: +1 813 974-1467
     > Organization URL: http://rc.usf.edu
     >

    Hello Brian,

    Updating maximum password expiration time with "ipa pwpolicy-mod" affects only
    new passwords, i.e. passwords that you already changed will have the old lifetime.

    When I tested this on Fedora 18, password change worked for me:

    # ipa pwpolicy-mod --maxlife 180
       Group: global_policy
       Max lifetime (days): 180
       Min lifetime (hours): 1
       History size: 0
       Character classes: 0
       Min length: 8
       Max failures: 6
       Failure reset interval: 60
       Lockout duration: 600

    # ipa user-add --first=Foo --last=Bar fbar
    -----------------
    Added user "fbar"
    -----------------
       User login: fbar
       First name: Foo
       Last name: Bar
       Full name: Foo Bar
       Display name: Foo Bar
       Initials: FB
       Home directory: /home/fbar
       GECOS field: Foo Bar
       Login shell: /bin/sh
       Kerberos principal: f...@example.com
       Email address: f...@example.com
       UID: 1758200001
       GID: 1758200001
       Password: False
       Member of groups: ipausers
       Kerberos keys available: False
    # ipa passwd fbar
    New Password:
    Enter New Password again to verify:
    ---------------------------------------
    Changed password for "f...@example.com"
    ---------------------------------------

    $ ssh f...@ipa.client.fqdn
    f...@ipa.client.fqdn's password:
    Password expired. Change your password now.
    Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user fbar.
    Current Password:
    New password:
    Retype new password:
    Your password will expire in 180 day(s).    <<<<<<<<<<<<<<<
    passwd: all authentication tokens updated successfully.
    Connection to ipa.client.fqdn closed.

    Does this usecase work for you or are you hitting a bug?


    As for the warning about expiring password, this is a bug in sssd component
    which was already fixed upstream:

    https://fedorahosted.org/sssd/ticket/1808

    Martin




--
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
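
Added example (not part of the original thread and not FreeIPA code): a small check that compares the password lifetime a user actually received with the policy maximum, using the `krbpasswordexpiration` value and the `Max lifetime (days)` line quoted above. The `krblastpwdchange` value in the sample is constructed, and the example assumes that attribute appears in the `ipa user-show --all` output.

```python
import re
from datetime import datetime, timezone

# Constructed sample. krbpasswordexpiration is the value quoted in the thread;
# krblastpwdchange is an assumed value (the thread only says "today").
SAMPLE_USER_SHOW = """\
  User login: it-rc-test-faculty
  krblastpwdchange: 20130304163523Z
  krbpasswordexpiration: 20130602163523Z
"""
# Relevant lines of the policy output shown in the thread.
SAMPLE_POLICY = """\
  Group: global_policy
  Max lifetime (days): 365
"""

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20130602163523Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def field(text, name):
    """Return the value of a 'name: value' line from ipa CLI output."""
    pattern = r"^[ \t]*" + re.escape(name) + r":[ \t]*(\S.*?)[ \t]*$"
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError("field not found in output: " + name)
    return m.group(1)

def check_lifetime(user_show, pwpolicy_show, tolerance_days=1.0):
    """Compare the lifetime actually granted with the policy maximum."""
    changed = parse_generalized_time(field(user_show, "krblastpwdchange"))
    expires = parse_generalized_time(field(user_show, "krbpasswordexpiration"))
    policy_days = int(field(pwpolicy_show, "Max lifetime (days)"))
    effective_days = (expires - changed).total_seconds() / 86400
    return {
        "effective_days": effective_days,
        "policy_days": policy_days,
        "matches": abs(effective_days - policy_days) <= tolerance_days,
    }

if __name__ == "__main__":
    print(check_lifetime(SAMPLE_USER_SHOW, SAMPLE_POLICY))
```

To run it against a live server, pass the captured output of `ipa user-show --all <user>` and `ipa pwpolicy-show --user=<user>` as the two arguments.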

