On 06/30/2014 09:03 AM, Rob Crittenden wrote:
Alex Chistyakov wrote:
Hello,

We have a FreeIPA-based system, admin's password has expired and needs to be 
changed but the standard password changing procedure over SSH fails:

   sashka@cellar ~ ssh ad...@ipa.xxxxxxxxxx.com
   ad...@ipa.goodwix.com's password:
   Password expired. Change your password now.
   Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
   There were 6071 failed login attempts since the last successful login.
   Last login: Wed Apr 16 19:28:54 2014
   WARNING: Your password has expired.
   You must change your password now and login again!
   Changing password for user admin.
   Current Password:
   New password:
   Retype new password:
   Password change failed. Server message: Current password's minimum life has not expired

   Password not changed.
   passwd: Authentication token manipulation error
   Connection to ipa.xxxxxxxxxx.com closed.

If we try to change the password using passwd it fails too with the same error 
message:

   [admin@ipa ~]$ passwd
   Changing password for user admin.
   Current Password:
   New password:
   Retype new password:
   Password change failed. Server message: Current password's minimum life has not expired

   Password not changed.
   passwd: Authentication token manipulation error
   [admin@ipa ~]$

What should we do to resolve this situation?

I'd eventually look at your password policy to see what the min/max
values are.

To force a password change and avoid password policy you need to bind as
the Directory Manager. Using ldappasswd will help with that:

$ ldappasswd -x -D 'cn=Directory Manager' -W uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:

I'd run this on the IPA master for ease of use. It should have a
pre-configured ldap.conf which sets the host and enables TLS. Otherwise
you'll need to add a -h <host> and -Z to the command.

rob
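As an added illustration of the min/max check Rob suggests (not code from the thread or from FreeIPA), the following Python snippet compares a user's password timestamps with a password policy. It uses the attribute names FreeIPA stores in LDAP (krbMinPwdLife, krbMaxPwdLife on the policy; krbLastPwdChange, krbPasswordExpiration on the user); the sample values and timestamps are constructed and reproduce the state seen above, where the password is already expired but its minimum life has not yet elapsed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not taken from the thread). The lifetimes are in
# seconds in LDAP, while `ipa pwpolicy-show` displays min life in hours and
# max life in days.
SAMPLE_POLICY = {"krbMinPwdLife": "3600", "krbMaxPwdLife": str(90 * 86400)}
SAMPLE_USER = {
    "krbLastPwdChange": "20140630113000Z",       # changed 11:30 UTC
    "krbPasswordExpiration": "20140630113000Z",  # expired at the same instant
}
SAMPLE_NOW = datetime(2014, 6, 30, 12, 0, tzinfo=timezone.utc)    # 30 min later
SAMPLE_LATER = datetime(2014, 6, 30, 13, 0, tzinfo=timezone.utc)  # 90 min later


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in the YYYYMMDDhhmmssZ form (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(user, policy, now):
    """Compare a user's password timestamps with the policy's min/max life.

    The combination behind the error in the thread is a password that is
    already expired while its minimum life has not elapsed: the login forces a
    change, the policy refuses it, and only a bind that bypasses policy
    (Directory Manager) can reset it.
    """
    last_change = parse_generalized_time(user["krbLastPwdChange"])
    expiration = parse_generalized_time(user["krbPasswordExpiration"])
    min_life_ends = last_change + timedelta(seconds=int(policy["krbMinPwdLife"]))
    max_life_ends = last_change + timedelta(seconds=int(policy["krbMaxPwdLife"]))
    expired = now >= expiration
    min_life_elapsed = now >= min_life_ends
    return {
        "expired": expired,
        "min_life_elapsed": min_life_elapsed,
        "min_life_ends": min_life_ends,
        # An expiration earlier than last change + max life was set explicitly
        # (for example by an administrative reset) rather than reached by age.
        "expired_before_max_life": expiration < max_life_ends,
        # Self-service change is refused; a policy-bypassing reset is needed.
        "locked_out_by_min_life": expired and not min_life_elapsed,
    }


if __name__ == "__main__":
    for key, value in password_state(SAMPLE_USER, SAMPLE_POLICY, SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

Running it against the constructed entry reports locked_out_by_min_life as True at 12:00 UTC and False an hour later, once the one-hour minimum life has passed.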

Alex,

Is there anything we can learn from this?
Was it a misconfiguration or something else?
Could we have done something better to avoid situations like this?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
