You would need to do the modifications as Directory Manager or other user in "admins"group.

To resolve this, you would need manually fix admin entry attribute krbPasswordExpiration to some future date, kinit as admin and then fixing the global policy with some sane value (pwpolicy-mod).


Martin

On 06/02/2015 10:30 AM, Sandor Juhasz wrote:
It is confirmed, the password policy was changed with password expiration
beyond 2038.
Question is, how can we restore the pw policy without a working admin user?

*Sándor Juhász*
System Administrator
*ChemAxon**Ltd*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

-------------------------------------------------------------------------------
*From: *"Martin Kosek" <mko...@redhat.com>
*To: *"Tamas Papp" <tom...@martos.bme.hu>, freeipa-users@redhat.com
*Sent: *Tuesday, June 2, 2015 9:54:43 AM
*Subject: *Re: [Freeipa-users] password expiration

On 06/01/2015 07:50 PM, Tamas Papp wrote:
 > hi All,
 >
 > I'm stuck:
 >
 >
 > $ kinit admin
 > Password for admin@CXCLIENTS:
 > kinit: Password incorrect while getting initial credentials
 > [root@ipa-clients1 ~]$ kinit admin
 > Password for admin@CXCLIENTS:
 > Password expired.  You must change it now.
 > Enter new password:
 > Enter it again:
 > kinit: Password has expired while getting initial credentials
 >
 >
 >
 >
 > $ kinit admin
 > Password for admin@CXCLIENTS:
 > Password expired.  You must change it now.
 > Enter new password:
 > Enter it again:
 > Password change rejected: Current password's minimum life has not expired
 >
 > Password not changed..  Please try again.
 >
 > Enter new password:
 >
 >
 >
 >
 > What can I do now?
 >
 >
 > Thanks,
 > tamas
 >

Hi Tamas,

What platform and FreeIPA version do you use? What actions did you do before
this happened? Were you for example changing the (global) password policy?
Setting a too high password life may case the Year 2038 problem and have
password validity in the past.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to