Alex Chistyakov wrote:
> Hello,
>
> We have a FreeIPA-based system, admin's password has expired and needs to be
> changed but the standard password changing procedure over SSH fails:
>
> sashka@cellar ~ ssh ad...@ipa.xxxxxxxxxx.com
> ad...@ipa.goodwix.com's password:
> Password expired. Change your password now.
> Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on
> ssh:notty
> There were 6071 failed login attempts since the last successful login.
> Last login: Wed Apr 16 19:28:54 2014
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user admin.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has
> not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
> Connection to ipa.xxxxxxxxxx.com closed.
>
> If we try to change the password using passwd it fails too with the same
> error message:
>
> [admin@ipa ~]$ passwd
> Changing password for user admin.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has
> not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
> [admin@ipa ~]$
>
> What should we do to resolve this situation?

I'd eventually look at your password policy to see what the min/max values are.

To force a password change and avoid password policy you need to bind as the Directory Manager. Using ldappasswd will help with that:

$ ldappasswd -x -D 'cn=Directory Manager' -W uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:

I'd run this on the IPA master for ease-of-use. It should have a pre-configured ldap.conf which sets the host and enables TLS. Otherwise you'll need to add a -h <host> and -Z to the command.

rob
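
Added example, not part of the original thread and not FreeIPA code: a shell check for the condition behind the "minimum life has not expired" message, computing how many seconds the policy still blocks a self-service change. It assumes the server compares krbLastPwdChange plus krbMinPwdLife (seconds) against the current time; the LDIF, the DNs in it and the helper names gt_to_epoch, ldif_attr and minlife_remaining are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input is LDIF text holding the user's krbLastPwdChange and the
# policy's krbMinPwdLife (seconds); on a real server it would come from an
# ldapsearch of those two entries.

# Convert LDAP generalized time (YYYYMMDDhhmmssZ) to epoch seconds, UTC.
gt_to_epoch() {
    iso=$(printf '%s\n' "$1" | sed -n \
      's/^\([0-9]\{4\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)Z$/\1-\2-\3 \4:\5:\6/p')
    [ -n "$iso" ] || return 1          # reject anything that is not a UTC timestamp
    date -u -d "$iso" +%s
}

# Print the first value of attribute $1 found in LDIF on stdin.
ldif_attr() {
    awk -v a="$1" -F': ' 'tolower($1) == tolower(a) { print $2; exit }'
}

# minlife_remaining LDIF NOW_EPOCH
# Prints seconds until a self-service change is allowed (0 = allowed now).
minlife_remaining() {
    last=$(printf '%s\n' "$1" | ldif_attr krbLastPwdChange)
    min=$(printf '%s\n' "$1" | ldif_attr krbMinPwdLife)
    [ -n "$last" ] && [ -n "$min" ] || { echo "missing attribute" >&2; return 2; }
    last_epoch=$(gt_to_epoch "$last") || { echo "bad timestamp: $last" >&2; return 2; }
    left=$(( last_epoch + min - $2 ))
    [ "$left" -gt 0 ] || left=0
    echo "$left"
}

# Constructed sample: password set 2014-06-30 10:00:00 UTC, minimum life 1 hour.
SAMPLE_LDIF='dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20140630100000Z

dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbMinPwdLife: 3600'

# Evaluated against the current clock the sample is long past its minimum life.
minlife_remaining "$SAMPLE_LDIF" "$(date -u +%s)"
```

A non-zero result means a normal passwd or SSH-driven change will still be refused for that many seconds, which is the case where the Directory Manager bind described above is needed.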