On 10/02/2015 14:36, Rob Crittenden wrote:
Roderick Johnstone wrote:
On 10/02/15 07:44, Dmitri Pal wrote:
On 02/09/2015 05:35 PM, Roderick Johnstone wrote:

I seem to have locked myself out of my ipa admin account (on RHEL
6.6). This is an evaluation instance so not too big a deal, but a good
learning experience. I suspect it's some changes that I made to the
password policy that caused this.

The admin account has expired and I'm trying to reset the password
like this:

# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local:  change_password admin@REALM
Enter password for principal "admin@REALM":
Re-enter password for principal "admin@REALM":
Password for "admin@REALM" changed.
kadmin.local:  q

where REALM is my realm.

Then when I try to authenticate as admin:

# kinit admin
Password for admin@REALM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

and the password is not reset.

This is what the password policy looks like at the moment:

kadmin.local:  get_policy global_policy
Policy: global_policy
Maximum password life: 864000000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this
allows me to reset the admin password properly, but I'm getting e.g.:

kadmin.local:  modify_policy -maxlife "90 days" global_policy
modify_policy: Plugin does not support the operation while modifying
policy "global_policy".

Am I on the right track to fixing the admin password problem?

What am I doing wrong in trying to repair the password policy?

Actually when I do the following it looks strange that Policy is set
to none, but maybe this is a red herring:

kadmin.local:  get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Policy: [none]

Thanks for any help in diagnosing this issue or fixing it.

Roderick Johnstone

Did you set password expiration for admin manually?

OK, as far as I remember, I originally changed the global_policy and
then encountered the problem described above, i.e. I couldn't authenticate
as admin using:
kinit admin

In trying to resolve this I found a thread that suggested to change the
admin password with:
ldappasswd -x -D 'cn=directory manager' -W -S

Maybe this was a bad move?

The attribute shows that it is 1906. This makes me think that you set
your expiration to a big number. However the value rolls over in 2038.
So you need to make sure what you set translates to a date before 2038.

I suspect I did set the expiration to too big a number originally. After
I was in the always expired loop I found a number of threads mentioning
this wrap around issue and I have tried a number of things to fix it, so
maybe I'm just making things worse.

Why are you using kadmin.local?  With IPA it is not supported.

Out of ignorance I guess. I'm still finding my way into all this stuff!

What is the recommended way to reset an admin password in ipa when you
can't authenticate as admin?

There is a bunch of IPA commands that do the same.

But if kinit admin won't authenticate me, how can I use the IPA commands?

How can I now reset the expiration date for admin when I can't
authenticate as admin?

The easiest path forward is to bind as Directory Manager and change the
password expiration date for the admin user. Then you can use that user
to more easily modify the password policy.

You want to change krbPasswordExpiration.



Thanks for your reply. Your email came while I was working on this. I seem to have achieved the same result by doing:

# ldapmodify -h localhost -x -W -D "cn=directory manager" -f krb.ldif

where I used:
# ldapsearch -x -b "dc=xxx,dc=xxx"
to find the entry for
dn: cn=global_policy,cn=XXX.XXX,cn=kerberos,dc=xxx,dc=xxx

I then made krb.ldif that contains:
dn: cn=global_policy,cn=XXX.XXX,cn=kerberos,dc=xxx,dc=xxx
changetype: modify
replace: krbMaxPwdLife
krbMaxPwdLife: 864000

Then I was able to reset the password with kadmin.local as before.

I see that your solution is much more direct. I'm still learning about all this.

Thanks again.
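The 1906 date in the thread is what you get when a krbMaxPwdLife of 864000000 seconds (10000 days) is added to a 2015 change date and the result no longer fits a signed 32-bit time. The script below is an added illustration, not code from the thread or from FreeIPA: it reproduces that rollover from the get_principal values quoted above, computes the largest password life that stays before 2038, and writes the LDIF for the krbPasswordExpiration fix Rob suggests. Assumptions, labelled in the code: the stored value behaves like a signed 32-bit Unix time, the admin entry is at the standard IPA DN uid=admin,cn=users,cn=accounts,<suffix> (the suffix dc=example,dc=com is a placeholder), and krbPasswordExpiration is an LDAP GeneralizedTime.

```python
# Added example (not from the thread or from FreeIPA): reproduce the
# krbPasswordExpiration rollover discussed above and build the LDIF that
# sets a sane value for the admin user.
# Assumptions: the KDC stores the expiration as a signed 32-bit Unix time
# (the "rolls over in 2038" behaviour described in the thread), the admin
# entry lives at the standard IPA DN uid=admin,cn=users,cn=accounts,<suffix>,
# and krbPasswordExpiration is an LDAP GeneralizedTime (YYYYMMDDHHMMSSZ).
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1          # 2038-01-19 03:14:07 UTC


def to_int32(value: int) -> int:
    """Emulate writing an arbitrary integer into a signed 32-bit field."""
    return ((value + 2**31) % 2**32) - 2**31


def epoch_seconds(dt: datetime) -> int:
    """Unix time of an aware datetime."""
    return int((dt - EPOCH).total_seconds())


def from_epoch(seconds: int) -> datetime:
    """Unix time -> aware UTC datetime; timedelta handles pre-1970 values."""
    return EPOCH + timedelta(seconds=seconds)


def compute_expiration(last_change: datetime, max_life_seconds: int):
    """Return (intended, stored, wrapped).

    intended: last password change + krbMaxPwdLife, as the admin meant it
    stored:   the same value after truncation to a signed 32-bit time
    wrapped:  True when the two differ, i.e. the policy pushed the
              expiration past 2038 and it landed in the past instead
    """
    intended = epoch_seconds(last_change) + max_life_seconds
    stored = to_int32(intended)
    return from_epoch(intended), from_epoch(stored), intended != stored


def max_safe_life(last_change: datetime) -> int:
    """Largest krbMaxPwdLife (seconds) that keeps expiration before 2038."""
    return INT32_MAX - epoch_seconds(last_change)


def generalized_time(dt: datetime) -> str:
    """LDAP GeneralizedTime in the form FreeIPA uses for krbPasswordExpiration."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expiration_ldif(expiration: datetime, suffix: str = "dc=example,dc=com") -> str:
    """LDIF for `ldapmodify -x -D 'cn=directory manager' -W -f fix.ldif`
    that replaces the admin user's krbPasswordExpiration.
    `suffix` is a placeholder; substitute your own base DN."""
    return "\n".join([
        f"dn: uid=admin,cn=users,cn=accounts,{suffix}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        f"krbPasswordExpiration: {generalized_time(expiration)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed from the "Last password change" line in the thread.
    last_change = datetime(2015, 2, 9, 18, 28, 9, tzinfo=timezone.utc)
    for life in (864000000, 864000):          # the broken policy, then 10 days
        intended, stored, wrapped = compute_expiration(last_change, life)
        print(f"maxlife={life:>10}  intended={intended:%Y-%m-%d}  "
              f"stored={stored:%Y-%m-%d %H:%M:%S}  wrapped={wrapped}")
    print(f"largest safe maxlife from that change date: "
          f"{max_safe_life(last_change)} s")
    print(expiration_ldif(last_change + timedelta(days=90)))
```

Running it with the thread's change date of Mon Feb 09 18:28:09 GMT 2015 reports the 864000000-second policy as wrapped, with the stored value landing on 1906-05-22 11:59:53, exactly the "Password expiration date" that kadmin.local printed; the 864000-second (10 day) policy stays in 2015. The LDIF it emits is the Directory Manager change from Rob's reply, which unlocks admin without touching the Kerberos database directly.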


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
