On (13/08/15 15:39), Dewangga Bachrul Alam wrote:
>I've been discovered something about pwd_expiration on freeipa 4.1.4,
>I got a line from sssd_DOMAIN.log :
>... snip ...
>(Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]]
>[confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
>... snip ...
>$ ipa pwpolicy-find
> Group: global_policy
> Max lifetime (days): 90
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>The password policy should be available on next 90 days after I creating
>the password, isn't it? But I tried to login, the password was expired.
>$ sudo su -
>[sudo] password for subhan:
>Password expired. Change your password now.
>sudo: Account or password is expired, reset your password and try again
>Retype new password:
>sudo: pam_chauthtok: Authentication token manipulation error
>Every time I reset the password from ipa server, the password always
>expired before 90 days (based on global_policy).
If you reset password from web UI (or command line)
then the user need to change that password.
It's by design. The administrator should not know your password.
situation is different if the password was changed with command line utility
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project