I seem to have locked myself out of my ipa admin account (on RHEL 6.6). This is an evaluation instance so not too big a deal, but a good learning experience. I suspect its some changes that I made to the password policy that caused this.

The admin account has expired and I'm trying to reset the password like this:

# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local:  change_password admin@REALM
Enter password for principal "admin@REALM":
Re-enter password for principal "admin@REALM":
Password for "admin@REALM" changed.
kadmin.local:  q

where REALM is my realm.

Then when I try to authenticate as admin:

# kinit admin
Password for admin@REALM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

and the password is not reset.

This is what the password policy looks like at the moment:

kadmin.local:  get_policy global_policy
Policy: global_policy
Maximum password life: 864000000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this allows me to reset the admin password properly, but I'm getting eg:

kadmin.local:  modify_policy -maxlife "90 days" global_policy
modify_policy: Plugin does not support the operation while modifying policy "global_policy".

Am I on the right track to fixing the admin password problem?

What am I doing wrong in trying to repair the password policy?

Actually when I do the following it looks strange that Policy is set to none, but maybe this is a red herring:

kadmin.local:  get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Policy: [none]

Thanks for any help in diagnosing this issue or fixing it.

Roderick Johnstone

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to