Hello! I've discovered something about pwd_expiration on FreeIPA 4.1.4. I got this line from sssd_DOMAIN.log:

    ... snip ...
    (Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
    ... snip ...

    $ ipa pwpolicy-find
      Group: global_policy
      Max lifetime (days): 90
      Min lifetime (hours): 1
      History size: 0
      Character classes: 0
      Min length: 8
      Max failures: 6
      Failure reset interval: 60
      Lockout duration: 600

The password policy should keep the password valid for the next 90 days after I create it, shouldn't it? But when I tried to log in, the password had expired.

    $ sudo su -
    [sudo] password for subhan:
    Password expired. Change your password now.
    sudo: Account or password is expired, reset your password and try again
    Current Password:
    New password:
    Retype new password:
    sudo: pam_chauthtok: Authentication token manipulation error

Every time I reset the password from the IPA server, the password always expires before 90 days (based on global_policy). Got this from /var/log/secure (on the IPA client):

    Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 12 (Authentication token is no longer valid; new one required)
    Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info message: Password expired. Change your password now.
    Aug 13 15:24:01 rosaliaindah sudo: subhan : Account or password is expired, reset your password and try again ; TTY=pts/2 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
    Aug 13 15:24:01 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
    Aug 13 15:24:09 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
    Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password change failed for user subhan: 22 (Authentication token lock busy)
    Aug 13 15:24:10 rosaliaindah sudo: subhan : pam_chauthtok: Authentication token manipulation error ; TTY=pts/2 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
    Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
    Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]

Got a clue from http://www.redhat.com/archives/freeipa-users/2015-January/msg00183.html, but still no luck. I added krb5_auth_timeout = 30s to sssd.conf.

Note: krb5_child.log shows nothing.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
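An added example (editor's code, not from the post above and not from the SSSD or FreeIPA projects): a small Python classifier that runs over the /var/log/secure lines quoted in the post and maps the numeric codes pam_sss logs to their Linux-PAM names. The auth line carries code 12, PAM_NEW_AUTHTOK_REQD, meaning the IPA server told SSSD the password itself is flagged expired; a wrong password would be 7, PAM_AUTH_ERR, and a disabled or expired account 13, PAM_ACCT_EXPIRED. The chauthtok line carries 22, PAM_AUTHTOK_LOCK_BUSY. Two things a practitioner would check on the server side in this situation: FreeIPA expires a password immediately when an administrator sets it, so the user is forced to change it at first login regardless of Max lifetime, and `ipa user-show <user> --all --raw` shows the krbpasswordexpiration attribute that drives this. The line for user "bob" in the sample is constructed to show the wrong-password case; "bob" is not from the post.

```python
"""Classify pam_sss results from /var/log/secure on an SSSD/IPA client.

Editor's added example. Parses pam_sss(...) lines, maps the numeric return
code to its Linux-PAM name and decides per user whether the failure is an
expired password, a wrong password, or a failed forced password change.
"""
import re

# Linux-PAM return codes (values from <security/_pam_types.h>).
PAM_CODES = {
    0: "PAM_SUCCESS",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    20: "PAM_AUTHTOK_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",
    27: "PAM_AUTHTOK_EXPIRED",
}

# Two pam_sss message shapes are handled:
#   pam_sss(sudo:auth): received for user subhan: 12 (Authentication token ...)
#   pam_sss(sudo:chauthtok): Password change failed for user subhan: 22 (...)
LINE_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): "
    r"(?:received|Password change failed) for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)"
)

# First three lines are quoted from the post; the last one (user "bob") is
# constructed to show what a plain wrong-password failure looks like.
SAMPLE_LOG = [
    'Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: '
    '12 (Authentication token is no longer valid; new one required)',
    'Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info message: '
    'Password expired. Change your password now.',
    'Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password change failed '
    'for user subhan: 22 (Authentication token lock busy)',
    'Aug 13 15:30:00 rosaliaindah sudo: pam_sss(sudo:auth): received for user bob: '
    '7 (Authentication failure)',
]


def parse_pam_sss(lines):
    """Return one dict per pam_sss line that reports a numeric PAM result."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # informational messages, pam_unix lines, etc.
        code = int(m.group("code"))
        events.append({
            "service": m.group("service"),
            "phase": m.group("phase"),
            "user": m.group("user"),
            "code": code,
            "name": PAM_CODES.get(code, "PAM_UNKNOWN_%d" % code),
            "msg": m.group("msg"),
        })
    return events


def diagnose(events):
    """Per-user verdict: expired password vs. wrong password vs. failed change."""
    verdict = {}
    for e in events:
        v = verdict.setdefault(e["user"], {
            "expired": False, "wrong_password": False, "change_failed": None,
        })
        if e["phase"] == "auth" and e["code"] in (12, 27):
            # Server-side expiry: check krbpasswordexpiration on the IPA server.
            v["expired"] = True
        elif e["phase"] == "auth" and e["code"] == 7:
            v["wrong_password"] = True
        elif e["phase"] == "chauthtok" and e["code"] != 0:
            v["change_failed"] = e["name"]
    return verdict


if __name__ == "__main__":
    for user, v in diagnose(parse_pam_sss(SAMPLE_LOG)).items():
        print(user, v)
```

Run it against a real file with `parse_pam_sss(open("/var/log/secure"))`; a user with `expired` set and `change_failed` set is the pattern in the post, and the next step is on the IPA server, not in sssd.conf.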
