I'm going to dig into it further, hopefully produce a patch in the next few days. My work-around for right now is ldapmodifying the krbPasswordExpiration attribute on the account after creation and subsequent password updates.
On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal <[email protected]> wrote:
> On 03/05/2013 10:28 PM, Brian Smith wrote:
> > I set the policy to 1 year and recreated the account.
> >
> > $ ipa pwpolicy-show --user=it-rc-test-faculty
> > Group: global_policy
> > Max lifetime (days): 365
> > Min lifetime (hours): 1
> > History size: 0
> > Character classes: 0
> > Min length: 8
> > Max failures: 10
> > Failure reset interval: 60
> > Lockout duration: 600
> >
> > Looks like a bug was filed for this about 9 months ago:
> > https://fedorahosted.org/freeipa/ticket/2795
> >
> > I can also confirm the same behavior when the policy is set to 0 days,
> > less than 90 days, or if I create a separate password policy for users in
> > the ipausers group. The result is always 90 days.
> >
> > If the user updates the password themselves (after initial login) then
> > the password policy works and sets the expiry accordingly.
> >
> > The user that is adding the users with userpasswd set appears in the
> > passsyncmanagersdns list:
> >
> > passsyncmanagersdns:
> > uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
> Can you work around this issue?
> While it was filed 9 months ago it was found to not be that critical so we
> deferred it till later time.
> Patches are always welcome too :-)
>
> > On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden <[email protected]> wrote:
> >> Brian Smith wrote:
> >>> Thanks for your response, and sorry for my late response. I'm on RHEL6,
> >>> using the packages from the distribution repository,
> >>> ipa-server-2.2.0-17.el6_3.1.x86_64
> >>>
> >>> My pwpolicy is set as such (in testing):
> >>>
> >>> $ ipa pwpolicy-show --all
> >>> dn: cn=global_policy,cn=rc.usf.edu,cn=kerberos,dc=rc,dc=usf,dc=edu
> >>>
> >>> Group: global_policy
> >>> Max lifetime (days): 365
> >>> Min lifetime (hours): 1
> >>> History size: 0
> >>> Character classes: 0
> >>> Min length: 8
> >>> Max failures: 10
> >>> Failure reset interval: 60
> >>> Lockout duration: 600
> >>> objectclass: top, nsContainer, krbPwdPolicy
> >>>
> >>> If I create an account and set the password using the following JSON
> >>> string, against $server/ipa/json, say today,
> >>>
> >>> {
> >>>   "method":"user_add",
> >>>   "params":[ [],
> >>>     {
> >>>       "uid":"it-rc-test-faculty",
> >>>       "homedirectory":"/home/i/it-rc-test-faculty",
> >>>       "userpassword":"MyPasswordInTheClear",
> >>>       "givenname":"RC TEST - Faculty",
> >>>       "sn":"Service_Account"
> >>>     }]
> >>> }
> >>>
> >>> I get a password expiry time like so:
> >>>
> >>> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
> >>> krbpasswordexpiration: 20130602163523Z
> >>>
> >>> That's clearly not one year into the future, but more like 90 days.
> >>>
> >>> Is there something else I'm missing or are we looking at a bug?
> >>
> >> I still can't reproduce this. I tried from our 3.x branch and the 2.2
> >> bits on 6.3.
> >>
> >> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
> >>
> >> This will show the policy applied to that user.
> >>
> >> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
> >> suspicious.
> >>
> >> rob
> >>
> >>> Many thanks,
> >>> -Brian
> >>>
> >>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <[email protected]> wrote:
> >>>
> >>>     On 02/25/2013 04:38 PM, Brian Smith wrote:
> >>>     > It seems that regardless of the global password expiry setting,
> >>>     > that setting a password via the methods
> >>>     >
> >>>     > user-add
> >>>     > passwd
> >>>     >
> >>>     > I will always have a password that expires in 90 days. I
> >>>     > followed the instructions here
> >>>     > http://freeipa.org/page/PasswordSynchronization
> >>>     >
> >>>     > to avoid the immediate expiry, but I need at least 180 days for my
> >>>     > configuration to work.
> >>>     >
> >>>     > Any help would be appreciated!
> >>>     >
> >>>     > --
> >>>     > Brian Smith
> >>>     > Assistant Director
> >>>     > Research Computing, University of South Florida
> >>>     > 4202 E. Fowler Ave. SVC4010
> >>>     > Office Phone: +1 813 974-1467
> >>>     > Organization URL: http://rc.usf.edu
> >>>
> >>>     Hello Brian,
> >>>
> >>>     Updating maximum password expiration time with "ipa pwpolicy-mod"
> >>>     affects only new passwords, i.e. password that you already changed
> >>>     will have the old lifetime.
> >>>
> >>>     When I tested this on Fedora 18, password change worked for me:
> >>>
> >>>     # ipa pwpolicy-mod --maxlife 180
> >>>     Group: global_policy
> >>>     Max lifetime (days): 180
> >>>     Min lifetime (hours): 1
> >>>     History size: 0
> >>>     Character classes: 0
> >>>     Min length: 8
> >>>     Max failures: 6
> >>>     Failure reset interval: 60
> >>>     Lockout duration: 600
> >>>
> >>>     # ipa user-add --first=Foo --last=Bar fbar
> >>>     -----------------
> >>>     Added user "fbar"
> >>>     -----------------
> >>>     User login: fbar
> >>>     First name: Foo
> >>>     Last name: Bar
> >>>     Full name: Foo Bar
> >>>     Display name: Foo Bar
> >>>     Initials: FB
> >>>     Home directory: /home/fbar
> >>>     GECOS field: Foo Bar
> >>>     Login shell: /bin/sh
> >>>     Kerberos principal: [email protected]
> >>>     Email address: [email protected]
> >>>     UID: 1758200001
> >>>     GID: 1758200001
> >>>     Password: False
> >>>     Member of groups: ipausers
> >>>     Kerberos keys available: False
> >>>     # ipa passwd fbar
> >>>     New Password:
> >>>     Enter New Password again to verify:
> >>>     ---------------------------------------
> >>>     Changed password for "[email protected]"
> >>>     ---------------------------------------
> >>>
> >>>     $ ssh [email protected]
> >>>     [email protected]'s password:
> >>>     Password expired. Change your password now.
> >>>     Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
> >>>     WARNING: Your password has expired.
> >>>     You must change your password now and login again!
> >>>     Changing password for user fbar.
> >>>     Current Password:
> >>>     New password:
> >>>     Retype new password:
> >>>     Your password will expire in 180 day(s). <<<<<<<<<<<<<<<
> >>>     passwd: all authentication tokens updated successfully.
> >>>     Connection to ipa.client.fqdn closed.
> >>>
> >>>     Does this usecase work for you or are you hitting a bug?
> >>>
> >>>     As for the warning about expiring password, this is a bug in sssd
> >>>     component which was already fixed upstream:
> >>>
> >>>     https://fedorahosted.org/sssd/ticket/1808
> >>>
> >>>     Martin
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> [email protected]
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
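The work-around described at the top of the thread (re-setting krbPasswordExpiration with ldapmodify after the account is created) as an added example, not code from the thread or from FreeIPA: it compares the stored expiry against what the policy's Max lifetime calls for and emits the LDIF to correct it. It assumes krbLastPwdChange holds the time the password was set and that the user DN shown is the one to modify; the 90-day expiry value is the one quoted in the thread.

```python
# Added example: audit a user's krbPasswordExpiration against the password
# policy's Max lifetime and produce the ldapmodify LDIF that corrects it.
# Times use the LDAP GeneralizedTime form FreeIPA stores (UTC, e.g. 20130602163523Z).
from datetime import datetime, timedelta, timezone

KRB_TIME = "%Y%m%d%H%M%SZ"


def parse_krb_time(value: str) -> datetime:
    """Parse a GeneralizedTime attribute value into an aware UTC datetime."""
    return datetime.strptime(value, KRB_TIME).replace(tzinfo=timezone.utc)


def format_krb_time(when: datetime) -> str:
    """Render an aware datetime back into GeneralizedTime (UTC)."""
    return when.astimezone(timezone.utc).strftime(KRB_TIME)


def expected_expiry(last_change: str, maxlife_days: int) -> str:
    """Expiry the policy calls for: krbLastPwdChange plus Max lifetime (days)."""
    return format_krb_time(parse_krb_time(last_change) + timedelta(days=maxlife_days))


def needs_fixup(stored_expiry: str, last_change: str, maxlife_days: int) -> bool:
    """True when the stored expiry is earlier than the policy allows."""
    wanted = parse_krb_time(expected_expiry(last_change, maxlife_days))
    return parse_krb_time(stored_expiry) < wanted


def fixup_ldif(user_dn: str, last_change: str, maxlife_days: int) -> str:
    """LDIF for `ldapmodify` that replaces krbPasswordExpiration with the policy value."""
    return (f"dn: {user_dn}\n"
            "changetype: modify\n"
            "replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {expected_expiry(last_change, maxlife_days)}\n")


if __name__ == "__main__":
    # Constructed input: the 90-day expiry quoted in the thread, a password
    # set 90 days before it, and the 365-day global_policy from the thread.
    last_change = "20130304163523Z"
    stored = "20130602163523Z"
    if needs_fixup(stored, last_change, 365):
        # Pipe this into: ldapmodify -x -D <manager dn> -W -H ldaps://<server>
        print(fixup_ldif("uid=it-rc-test-faculty,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu",
                         last_change, 365))
```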
