On 07/17/2013 07:03 PM, Joseph, Matthew (EXP) wrote:
> I seem to have run into an issue with our admin account on our FreeIPA server.
> Our password expired (I thought I disabled the password expiration for this
> account) and when I run kinit admin it prompts me for a new password.
> I type in the old password and then the new one two times but then it states
> that kinit: Password has expired while getting initial credentials.
> When I run kinit admin again on it the new password is actually set but it
> tells me that again I need to change the password.
> Luckily that is not our only admin account for FreeIPA but can someone please
> explain what is happening here?

Can you check the krbpasswordexpiration attribute in the admin account after
the password change failed?

$ ipa user-show admin --all | grep krbpasswordexpiration

In the past, I saw a similar failure when somebody configured a password policy
(either global or for a group) to too high a value, causing some timestamps in
the KDC<->LDAP layer to overflow - but this should already be fixed in the current
FreeIPA version (https://fedorahosted.org/freeipa/ticket/3312).

You can get the policy with:

$ ipa pwpolicy-show # get the global policy
$ ipa pwpolicy-show admins # gets admins group policy (if you defined it)

Freeipa-users mailing list
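
Added example, not part of the original thread and not FreeIPA code: a small check that reads the output of the two commands above and flags the symptom (expiration not in the future right after a change) and the suspected cause (maximum lifetime pushing the expiry past a timestamp limit). The function names, the sample output and the signed 32-bit seconds-since-epoch limit are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: the overflowing timestamp is signed 32-bit seconds since the epoch.
INT32_MAX = 2**31 - 1

# Constructed sample output (not taken from the thread).
SAMPLE_USER = "  krbpasswordexpiration: 20130717230301Z\n"
SAMPLE_POLICY = "  Group: global_policy\n  Max lifetime (days): 30000\n"


def parse_expiration(user_show_output):
    """Return krbpasswordexpiration as an aware UTC datetime, or None."""
    m = re.search(r"krbpasswordexpiration:\s*(\d{14})Z", user_show_output, re.I)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return ts.replace(tzinfo=timezone.utc)


def parse_max_lifetime_days(pwpolicy_output):
    """Return the 'Max lifetime (days)' value as an int, or None."""
    m = re.search(r"Max lifetime \(days\):\s*(\d+)", pwpolicy_output)
    return int(m.group(1)) if m else None


def diagnose(user_out, policy_out, changed_at):
    """List findings for a password changed at `changed_at` (aware datetime)."""
    findings = []
    expiration = parse_expiration(user_out)
    days = parse_max_lifetime_days(policy_out)
    # Symptom: the KDC keeps reporting the password as expired.
    if expiration is not None and expiration <= changed_at:
        findings.append("expiration-not-in-future")
    # Suspected cause: change time + max lifetime does not fit in 32 bits.
    # Plain integer arithmetic avoids datetime's own year-9999 limit.
    if days is not None:
        intended = int(changed_at.timestamp()) + days * 86400
        if intended > INT32_MAX:
            findings.append("maxlife-overflows-int32")
    return findings


if __name__ == "__main__":
    when = datetime(2013, 7, 17, 23, 3, 1, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_USER, SAMPLE_POLICY, when))
```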