On 02/09/2015 05:35 PM, Roderick Johnstone wrote:

I seem to have locked myself out of my ipa admin account (on RHEL 6.6). This is an evaluation instance so not too big a deal, but a good learning experience. I suspect it's some changes that I made to the password policy that caused this.

The admin account has expired and I'm trying to reset the password like this:

# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local:  change_password admin@REALM
Enter password for principal "admin@REALM":
Re-enter password for principal "admin@REALM":
Password for "admin@REALM" changed.
kadmin.local:  q

where REALM is my realm.

Then when I try to authenticate as admin:

# kinit admin
Password for admin@REALM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

and the password is not reset.

This is what the password policy looks like at the moment:

kadmin.local:  get_policy global_policy
Policy: global_policy
Maximum password life: 864000000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this allows me to reset the admin password properly, but I'm getting e.g.:

kadmin.local:  modify_policy -maxlife "90 days" global_policy
modify_policy: Plugin does not support the operation while modifying policy "global_policy".

Am I on the right track to fixing the admin password problem?

What am I doing wrong in trying to repair the password policy?

Actually when I do the following it looks strange that Policy is set to none, but maybe this is a red herring:

kadmin.local:  get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Policy: [none]

Thanks for any help in diagnosing this issue or fixing it.

Roderick Johnstone

Did you set password expiration for admin manually?
The attribute shows that it is 1906. This makes me think that you set your expiration to a big number. However the value rolls over in 2038. So you need to make sure what you set translates to a date before 2038.

Why are you using kadmin.local? With IPA it is not supported. There are a bunch of IPA commands that do the same.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
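The 1906 date in the `get_principal admin` output is consistent with the rollover Dmitri describes: the policy's "Maximum password life" of 864000000 seconds (10000 days) added to the last password change (Mon Feb 09 18:28:09 GMT 2015) lands in 2042, beyond what a signed 32-bit time field can hold, and wrapping that sum to 32 bits gives exactly Tue May 22 11:59:53 GMT 1906. The following is an added example, not code from the thread or from FreeIPA; it assumes the expiry is stored as a signed 32-bit epoch value (the page does not state the KDC's storage width, only that the value rolls over in 2038) and provides a check an administrator can run on a proposed maxlife before applying it.

```python
"""
Reproduce the 1906 "Password expiration date" from the thread by modelling a
signed 32-bit overflow of (last password change + maximum password life).
Added example: the timestamps and policy values are the ones quoted in the thread;
the 32-bit storage width is an assumption, not something the page states.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # 2038-01-19 03:14:07 UTC

# Values quoted in the thread
LAST_PASSWORD_CHANGE = datetime(2015, 2, 9, 18, 28, 9, tzinfo=timezone.utc)
POLICY_MAXLIFE_SECONDS = 864000000  # global_policy "Maximum password life"


def to_epoch(ts: datetime) -> int:
    """Seconds since the Unix epoch for a timezone-aware datetime."""
    return int((ts - EPOCH).total_seconds())


def from_epoch(seconds: int) -> datetime:
    """Inverse of to_epoch; arithmetic on EPOCH keeps negative values portable."""
    return EPOCH + timedelta(seconds=seconds)


def wrap_int32(value: int) -> int:
    """Interpret an arbitrary integer as a signed 32-bit two's-complement value."""
    return ((value + 2**31) % 2**32) - 2**31


def expiry_fits_int32(last_change: datetime, maxlife_seconds: int) -> bool:
    """True if last_change + maxlife fits in a signed 32-bit time field."""
    return to_epoch(last_change) + maxlife_seconds <= INT32_MAX


def expiry_as_stored_int32(last_change: datetime, maxlife_seconds: int) -> datetime:
    """Expiry date as a 32-bit field would hold it (wrapped if the sum overflowed)."""
    return from_epoch(wrap_int32(to_epoch(last_change) + maxlife_seconds))


def max_safe_maxlife(last_change: datetime) -> int:
    """Largest maxlife (seconds) whose expiry still stays below the 2038 limit."""
    return INT32_MAX - to_epoch(last_change)


if __name__ == "__main__":
    cases = (("policy as found", POLICY_MAXLIFE_SECONDS), ("90 days", 90 * 86400))
    for label, maxlife in cases:
        fits = expiry_fits_int32(LAST_PASSWORD_CHANGE, maxlife)
        stored = expiry_as_stored_int32(LAST_PASSWORD_CHANGE, maxlife)
        print(f"{label}: fits_int32={fits} "
              f"stored_expiry={stored:%a %b %d %H:%M:%S %Y}")
    print("largest safe maxlife for this principal:",
          max_safe_maxlife(LAST_PASSWORD_CHANGE), "seconds")
```

Run as-is it prints the wrapped 1906 date for the policy in the thread and a sane 10 May 2015 expiry for a 90-day maxlife. The practical check is `expiry_fits_int32`: a maxlife that pushes any principal's expiry past January 2038 produces an already-expired password, which is why a "change password now" prompt followed by "Password has expired" can loop indefinitely.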
