On Mon, Jul 06, 2015 at 02:25:56PM -0700, Janelle wrote: > On 7/6/15 10:44 AM, Simo Sorce wrote: > >On Mon, 2015-07-06 at 10:11 -0700, Janelle wrote: > >>Hello all, > >> > >>Is there any known bug that would cause: > >> > >>Password change failed. Server message: Current password's minimum life > >>has not expired > >> > >>Here is the environment/process (7.1 with IPA 4.1.4) -- > >>1. reset a user's PW so they are forced to change it. > >>2. they login and get the "Your password has expired..." message > >>3. They are then asked to change it and enter a new PW (twice) > >>4. This error message pops up, BUT -- the password is still changed. > >If they get this using kpasswd it may happen if a re-transmission > >occurs, as kpasswd uses UDP, so the second request ends up with that > >error, I think, not 100% sure. > > > >Simo. > > > This is very consistent - happening to all my users, and yet the IPA server > load is nothing. And since it does reset the PW successfully, why would it > still send this message?
Can you provide the SSSD domain and pam responder log files? If you prefer feel free to send them to me by pm. Besides updating the password on the server side SSSD does other things like e.g. updating the cached password hash. Maybe the server side update works as expected but some other operation fail causing this error message. bye, Sumit > > Still confused, > ~Janelle > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project