I'm going to dig into it further, hopefully produce a patch in the next few
days.  My work-around for right now is ldapmodifying
the krbPasswordExpiration attribute on the account after creation and
subsequent password updates.


On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal <d...@redhat.com> wrote:

>  On 03/05/2013 10:28 PM, Brian Smith wrote:
>
>  I set the policy to 1 year and recreated the account.
>
>  $ ipa pwpolicy-show --user=it-rc-test-faculty
>   Group: global_policy
>   Max lifetime (days): 365
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 10
>   Failure reset interval: 60
>   Lockout duration: 600
>
>  Looks like a bug was filed for this about 9 months ago:
> https://fedorahosted.org/freeipa/ticket/2795
>
>  I can also confirm the same behavior when the policy is set to 0 days,
> less than 90 days, or if I create a separate password policy for users in
> the ipausers group.  The result is always 90 days.
>
>  If the user updates the password themselves (after initial login) then
> the password policy works and sets the expiry accordingly.
>
>  The user that is adding the users with userpasswd set appears in the
> passsyncmanagersdns list:
>
>  passsyncmanagersdns:
> uid=rc-user-svcacct,cn=users,cn=accounts,dc=rc,dc=usf,dc=edu
>
>
> Can you work around this issue?
> While it was filed 9 months ago it was found to not be that critical so we
> deferred it till later time.
> Patches are always welcome too :-)
>
>
>
>
> On Mon, Mar 4, 2013 at 2:40 PM, Rob Crittenden <rcrit...@redhat.com>wrote:
>
>> Brian Smith wrote:
>>
>>>  Thanks for your response, and sorry for my late response.  I'm on RHEL6,
>>> using the packages from the distribution
>>> repository, ipa-server-2.2.0-17.el6_3.1.x86_64
>>>
>>> My pwpolicy is set as such (in testing):
>>>
>>> $ ipa pwpolicy-show --all
>>>    dn: cn=global_policy,cn=rc.usf.edu
>>>  <http://rc.usf.edu>,cn=kerberos,dc=rc,dc=usf,dc=edu
>>>
>>>    Group: global_policy
>>>    Max lifetime (days): 365
>>>    Min lifetime (hours): 1
>>>    History size: 0
>>>    Character classes: 0
>>>    Min length: 8
>>>    Max failures: 10
>>>    Failure reset interval: 60
>>>    Lockout duration: 600
>>>    objectclass: top, nsContainer, krbPwdPolicy
>>>
>>>
>>> If I create an account and set the password using the following JSON
>>> string, against $server/ipa/json, say today,
>>>
>>> {
>>>   "method":"user_add",
>>>   "params":[ [],
>>>     {
>>>       "uid":"it-rc-test-faculty",
>>>       "homedirectory":"/home/i/it-rc-test-faculty",
>>>       "userpassword":"MyPasswordInTheClear",
>>>       "givenname":"RC TEST - Faculty",
>>>       "sn":"Service_Account"
>>>     }]
>>> }
>>>
>>> I get a password expiry time like so:
>>>
>>> $ ipa user-show --all it-rc-test-faculty | grep krbpasswordexpiration
>>> krbpasswordexpiration: 20130602163523Z
>>>
>>> That's clearly not one year into the future, but more like 90 days.
>>>
>>> Is there something else I'm missing or are we looking at a bug?
>>>
>>
>> I still can't reproduce this. I tried from our 3.x branch and the 2.2
>> bits on 6.3.
>>
>> Can you do: ipa pwpolicy-show --user=it-rc-test-faculty
>>
>> This will show the policy applied to that user.
>>
>> Might also check /var/log/dirsrv/slapd-REALM/errors for anything
>> suspicious.
>>
>> rob
>>
>>
>>> Many thanks,
>>> -Brian
>>>
>>>
>>> On Tue, Feb 26, 2013 at 3:22 AM, Martin Kosek <mko...@redhat.com
>>>  <mailto:mko...@redhat.com>> wrote:
>>>
>>>     On 02/25/2013 04:38 PM, Brian Smith wrote:
>>>      > It seems that regardless of the global password expiry setting,
>>>     that setting a
>>>      > password via the methods
>>>      >
>>>      > user-add
>>>      > passwd
>>>      >
>>>      > i will always have a password that expires in 90 days.  I
>>>     followed the
>>>      > instructions here http://freeipa.org/page/PasswordSynchronization
>>>      >
>>>      > to avoid the immediate expiry, but I need at least 180 days for my
>>>      > configuration to work.
>>>      >
>>>      > Any help would be appreciated!
>>>      >
>>>      > --
>>>      > Brian Smith
>>>      > Assistant Director
>>>      > Research Computing, University of South Florida
>>>      > 4202 E. Fowler Ave. SVC4010
>>>       > Office Phone: +1 813 974-1467 <tel:%2B1%20813%20974-1467>
>>>
>>>      > Organization URL: http://rc.usf.edu
>>>      >
>>>
>>>     Hello Brian,
>>>
>>>     Updating maximum password expiration time with "ipa pwpolicy-mod"
>>>     affects only
>>>     new passwords, i.e. password that you already changed will have the
>>>     old lifetime.
>>>
>>>     When I tested this on Fedora 18, password change worked for me:
>>>
>>>     # ipa pwpolicy-mod --maxlife 180
>>>        Group: global_policy
>>>        Max lifetime (days): 180
>>>        Min lifetime (hours): 1
>>>        History size: 0
>>>        Character classes: 0
>>>        Min length: 8
>>>        Max failures: 6
>>>        Failure reset interval: 60
>>>        Lockout duration: 600
>>>
>>>     # ipa user-add --first=Foo --last=Bar fbar
>>>     -----------------
>>>     Added user "fbar"
>>>     -----------------
>>>        User login: fbar
>>>        First name: Foo
>>>        Last name: Bar
>>>        Full name: Foo Bar
>>>        Display name: Foo Bar
>>>        Initials: FB
>>>        Home directory: /home/fbar
>>>        GECOS field: Foo Bar
>>>        Login shell: /bin/sh
>>>         Kerberos principal: f...@example.com <mailto:f...@example.com>
>>>        Email address: f...@example.com <mailto:f...@example.com>
>>>
>>>        UID: 1758200001
>>>        GID: 1758200001
>>>        Password: False
>>>        Member of groups: ipausers
>>>        Kerberos keys available: False
>>>     # ipa passwd fbar
>>>     New Password:
>>>     Enter New Password again to verify:
>>>     ---------------------------------------
>>>      Changed password for "f...@example.com <mailto:f...@example.com>"
>>>
>>>     ---------------------------------------
>>>
>>>     $ ssh f...@ipa.client.fqdn
>>>     f...@ipa.client.fqdn's password:
>>>     Password expired. Change your password now.
>>>     Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1
>>>     WARNING: Your password has expired.
>>>     You must change your password now and login again!
>>>     Changing password for user fbar.
>>>     Current Password:
>>>     New password:
>>>     Retype new password:
>>>     Your password will expire in 180 day(s).    <<<<<<<<<<<<<<<
>>>     passwd: all authentication tokens updated successfully.
>>>     Connection to ipa.client.fqdn closed.
>>>
>>>     Does this usecase work for you or are you hitting a bug?
>>>
>>>
>>>     As for the warning about expiring password, this is a bug in sssd
>>>     component
>>>     which was already fixed upstream:
>>>
>>>     https://fedorahosted.org/sssd/ticket/1808
>>>
>>>     Martin
>>>
>>>
>>>
>>>
>>> --
>>> Brian Smith
>>> Assistant Director
>>> Research Computing, University of South Florida
>>> 4202 E. Fowler Ave. SVC4010
>>> Office Phone: +1 813 974-1467
>>> Organization URL: http://rc.usf.edu
>>>
>>>
>>>  _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>
>
>  --
> Brian Smith
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
>
>
> _______________________________________________
> Freeipa-users mailing 
> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



-- 
Brian Smith
Assistant Director
Research Computing, University of South Florida
4202 E. Fowler Ave. SVC4010
Office Phone: +1 813 974-1467
Organization URL: http://rc.usf.edu
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to