Janelle wrote:
> On 9/28/15 6:10 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusions with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired.  The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>>>
>>> ~Janelle
>>>
>> What tool is changing the expired password?
>>
>> I'd be curious to see the password policy for the user, ipa
>> pwpolicy-show --user=<user>
>>
>> Seeing the krbLastPwdChange
>>   and krbPasswordExpiration might be handy too.
>>
>> rob
> Hi,
> 
> I was hoping it would not go off on this tangent. All users have the
> default PW policy -- there are no differences and every single user has
> the same problem.

Well, I don't see it as a tangent. If the min time is > max time, I
don't know how the backend handles that off the top of my head.
Something thinks the password isn't old enough yet and that is a
calculated value.

> The tool is simple "passwd" or, in the case of some users who have
> actually hit the 90 expiry, nothing more than a simple login followed by
> the system saying your password has expired, please change it.
> 
> The krbLastPwdChange shows the exact day/time of the user changing their
> PW, in this case, when this error occurs. The expiration shows 90 days
> from that time. If you see the specifics I mentioned, even though the
> error is presented, the password is actually changed. Really confused
> with this one.

And that's why I wanted to see the policy. Too young is defined as
cur_time < last password change + min password life. Who knows, maybe it
is a units issue.

In both the KDC and LDAP code this appears to be a show-stopping error
which is why trying to duplicate it using your values would be useful.

Knowing the version of IPA would help too.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to