Janelle wrote:
> On 9/28/15 6:10 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusion with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired. The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>>>
>>> ~Janelle
>>>
>> What tool is changing the expired password?
>>
>> I'd be curious to see the password policy for the user, ipa
>> pwpolicy-show --user=<user>
>>
>> Seeing the krbLastPwdChange
>> and krbPasswordExpiration might be handy too.
>>
>> rob
> Hi,
>
> I was hoping it would not go off on this tangent. All users have the
> default PW policy -- there are no differences and every single user has
> the same problem.
Well, I don't see it as a tangent. If the min time is > max time, I don't
know how the backend handles that off the top of my head. Something
thinks the password isn't old enough yet and that is a calculated value.

> The tool is simple "passwd" or, in the case of some users who have
> actually hit the 90 expiry, nothing more than a simple login followed by
> the system saying your password has expired, please change it.
>
> The krbLastPwdChange shows the exact day/time of the user changing their
> PW, in this case, when this error occurs. The expiration shows 90 days
> from that time. If you see the specifics I mentioned, even though the
> error is presented, the password is actually changed. Really confused
> with this one.

And that's why I wanted to see the policy. Too young is defined as
cur_time < last password change + min password life. Who knows, maybe it
is a units issue.

In both the KDC and LDAP code this appears to be a show-stopping error
which is why trying to duplicate it using your values would be useful.

Knowing the version of IPA would help too.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
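An added example, not from the thread and not FreeIPA's own code, that works through the "too young" test Rob describes (cur_time < last password change + min password life) on constructed attribute values, and then shows the units mix-up he speculates about: krbMinPwdLife is assumed to be stored in seconds, and the same number misread as hours can push the minimum life past the 90-day maximum, which is the "min time > max time" situation he mentions.

```python
# Added example, not from the thread or from FreeIPA. All timestamps and
# policy values below are constructed for illustration.
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20150928131000Z' (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def seconds_until_change_allowed(last_change: str, min_life_seconds: int, now: str) -> int:
    """Seconds left before the minimum life is over; 0 means a change is allowed.

    This is the test from the thread:  too_young = now < krbLastPwdChange + krbMinPwdLife
    """
    earliest = parse_generalized_time(last_change) + timedelta(seconds=min_life_seconds)
    remaining = (earliest - parse_generalized_time(now)).total_seconds()
    return max(0, int(remaining))


def is_too_young(last_change: str, min_life_seconds: int, now: str) -> bool:
    """True when the server would answer 'Current password's minimum life has not expired'."""
    return seconds_until_change_allowed(last_change, min_life_seconds, now) > 0


def compare_unit_readings(last_change: str, min_life_seconds: int,
                          max_life_seconds: int, now: str) -> dict:
    """Run the test with krbMinPwdLife read as seconds (assumed correct) and with the
    same number misread as hours, and flag when the misreading makes min life > max life."""
    misread_as_hours = min_life_seconds * 3600
    return {
        "too_young_seconds": is_too_young(last_change, min_life_seconds, now),
        "too_young_if_hours": is_too_young(last_change, misread_as_hours, now),
        "min_exceeds_max_if_hours": misread_as_hours > max_life_seconds,
    }


if __name__ == "__main__":
    # Constructed values: password changed 2015-09-28 13:10 UTC, 1 hour min life,
    # 90 day max life, checked again about two months later.
    print(compare_unit_readings("20150928131000Z", 3600, 90 * 86400, "20151201000000Z"))
```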