urgrue wrote:
> Here are some examples:
> 
> [root@mule ~]# ipa user-status freddie
> -----------------------
> Account disabled: False
> -----------------------
>   Server: mule.bulb
>   Failed logins: 0
>   Last successful authentication: 2015-10-28T09:03:48Z
>   Last failed authentication: 2015-10-28T09:03:40Z
>   Time now: 2015-10-28T18:05:51Z
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@mule ~]# ipa user-show freddie
>   User login: freddie
>   First name: fred
>   Last name: orispaa
>   Home directory: /home/freddie
>   Login shell: /bin/sh
>   UID: 50001
>   GID: 50001
>   Account disabled: False
>   Password: True
>   Member of groups: admins, ipausers
>   Indirect Member of Sudo rule: allow_all
>   Kerberos keys available: True
>   SSH public key fingerprint:
> DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5
>                               freddie@mule (ssh-rsa)
> 
> With SSH:
> 
> [root@mule ~]$ ssh freddie@mule
> freddie@mule's password:
> Password expired. Change your password now.
> Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user freddie.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token is no longer valid; new one required
> Connection to mule closed.
> 
> (Now if I login again, the same process repeats, except the password has
> indeed changed)
> 
> With su the output is less informative:
> [jj@mule ~]$ su - freddie
> Password:
> Password expired. Change your password now.
> Current Password:
> New password:
> Retype new password:
> su: incorrect password
> 
> (the password was correct and it HAS changed even though the output
> implies I entered the wrong current password).
> 
> Doing kinit:
> 
> -sh-4.1$ id
> uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),50000(admins)
> -sh-4.1$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
> -sh-4.1$ kinit
> Password for freddie@BULB:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials
> -sh-4.1$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
> 
> (again the password HAS changed)
> 
> In case it's of any relevance, note that root has no issue with kerberos
> credentials:
> [root@mule ~]# kinit admin
> Password for admin@BULB:
> [root@mule ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@BULB
> 
> Valid starting     Expires            Service principal
> 10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB@BULB

I don't see this as root vs other users, you are using a different
principal.

This makes me wonder if the password policy is strange.

You might also want to kinit as freddie and go through the password
reset again, then search LDAP for freddie's password expiration:

$ ldapsearch -Y GSSAPI -s base -b uid=freddie,cn=users,cn=accounts,dc=example,dc=com krbPasswordExpiration

And check out freddie's password policy:

$ ipa pwpolicy-show --user freddie

rob

> 
> 
> 
> On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
> 
>     urgrue wrote:
>     > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
>     > on how to debug it? Everything looks OK, but passwords are just
>     > perma-expired at all times.
> 
>     Need more info on what you're seeing and how the passwords are being
>     changed.
> 
>     rob
> 
>     >
>     >
>     > On Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcrit...@redhat.com 
> <mailto:rcrit...@redhat.com>
>     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>> wrote:
>     >
>     >     urgrue wrote:
>     >     > Hi,
>     >     > On a new install, I'm being forced a password reset on every
>     >     login. Not
>     >     > sure why but this doesn't look right:
>     >     >
>     >     > # date
>     >     > Tue Oct 27 21:02:57 CET 2015
>     >     >
>     >     > # ipa user-status blah1
>     >     > <snip>
>     >     >   Last successful authentication: 2015-10-27T19:34:53Z
>     >     >   Last failed authentication: 2015-10-27T19:34:20Z
>     >     >   Time now: 2015-10-27T20:03:00Z
>     >     >
>     >     > Where is it getting this wrong time from?
>     >
>     >     What's wrong with the time? CET is one hour behind GMT right?
>     That is
>     >     reflected by the difference between the output of date and
>     "Time now".
>     >
>     >     Passwords administratively reset must be set by the user
>     during the
>     >     first authentication. If the password needs further reset then
>     yeah,
>     >     something is wrong, but the above looks ok.
>     >
>     >     rob
>     >
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
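As an added example (not from the thread or from FreeIPA itself), a small Python check for the diagnosis Rob suggests: pull krbPasswordExpiration out of the ldapsearch output and compare it with the UTC "Time now" that `ipa user-status` prints. The LDIF and user-status text are constructed; a krbPasswordExpiration that still sits in the past after the user has changed the password is exactly the state that would make every login demand another reset.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed ldapsearch output; the attribute value is made up for illustration.
LDIF_STALE = """\
dn: uid=freddie,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20151028090348Z
"""
# Constructed: what a healthy entry looks like after a user-driven change (90-day lifetime).
LDIF_HEALTHY = LDIF_STALE.replace("20151028090348Z", "20160126090348Z")

# Constructed excerpt in the format `ipa user-status` uses (UTC, ISO 8601).
USER_STATUS = """\
  Last successful authentication: 2015-10-28T09:03:48Z
  Time now: 2015-10-28T18:05:51Z
"""

def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_expiration(ldif: str) -> Optional[datetime]:
    """Return krbPasswordExpiration from LDIF text, or None if the entry has none."""
    for line in ldif.splitlines():
        attr, sep, val = line.partition(":")
        if sep and attr.strip().lower() == "krbpasswordexpiration":
            return parse_generalized_time(val.strip())
    return None

def time_now(status: str) -> datetime:
    """Extract the 'Time now:' value from `ipa user-status` output (UTC)."""
    for line in status.splitlines():
        if line.strip().startswith("Time now:"):
            stamp = line.split(":", 1)[1].strip()
            return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("no 'Time now:' line in user-status output")

def expiry_status(ldif: str, status: str) -> dict:
    """Report whether the KDC would treat the password as expired and by how many seconds.
    A missing attribute means no expiration is set, so it is never expired."""
    exp, now = password_expiration(ldif), time_now(status)
    if exp is None:
        return {"expired": False, "seconds_past_expiry": None}
    delta = int((now - exp).total_seconds())
    return {"expired": delta >= 0, "seconds_past_expiry": delta}
```

Run `expiry_status` against the LDIF captured before and after a password change; if the expiration does not move into the future after the change, the password policy (see `ipa pwpolicy-show --user freddie`) is the next thing to inspect.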