On 07/17/2013 07:03 PM, Joseph, Matthew (EXP) wrote:
> Hello,
>
> I seem to have run into an issue with our admin account on our FreeIPA server.
>
> Our password expired (I thought I disabled the password expiration for this
> account) and when I run kinit admin it prompts me for a new password.
>
> I type in the old password and then the new one two times but then it states
> that kinit: Password has expired while getting initial credentials.
>
> When I run kinit admin again on it the new password is actually set but it
> tells me that again I need to change the password.
>
> Luckily that is not our only admin account for FreeIPA but can someone please
> explain what is happening here?

Can you check the krbpasswordexpiration attribute in the admin account after the password change failed?

$ ipa user-show admin --all | grep krbpasswordexpiration

In the past, I saw a similar failure when somebody configured a password policy (either global or for a group) to a too high value causing some timestamps in KDC<->LDAP layer to overflow - but this should be already fixed in current FreeIPA version (https://fedorahosted.org/freeipa/ticket/3312).

You can get the policy with:

$ ipa pwpolicy-show # get the global policy
$ ipa pwpolicy-show admins # gets admins group policy (if you defined it)

Martin
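
The two checks suggested in the reply, combined into one script (an added example, not part of the original thread and not FreeIPA code). It assumes the overflow concerns a signed 32-bit seconds-since-epoch value, which the thread does not state; the sample command output and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: the overflowing timestamp is a signed 32-bit seconds counter.
INT32_MAX = 2**31 - 1

# Constructed sample output of the two commands, not captured from a server.
SAMPLE_USER = """\
  User login: admin
  krbpasswordexpiration: 20130717230312Z
"""
SAMPLE_POLICY = """\
  Max lifetime (days): 20000
  Min lifetime (hours): 1
"""

def parse_expiration(user_show_output):
    """Return krbpasswordexpiration as an aware UTC datetime, or None."""
    m = re.search(r"krbpasswordexpiration:\s*(\d{14})Z", user_show_output, re.I)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)

def parse_maxlife_days(pwpolicy_output):
    """Return the policy's maximum password lifetime in days, or None."""
    m = re.search(r"Max lifetime \(days\):\s*(\d+)", pwpolicy_output)
    return int(m.group(1)) if m else None

def diagnose(user_out, policy_out, now):
    """List findings matching the symptoms described in the thread."""
    findings = []
    expires = parse_expiration(user_out)
    if expires is None:
        findings.append("no-expiration-attribute")
    elif expires <= now:
        # Password was just changed, yet it still counts as expired.
        findings.append("expiration-not-in-future")
    days = parse_maxlife_days(policy_out)
    if days is not None and now.timestamp() + days * 86400 > INT32_MAX:
        # now + max lifetime does not fit the assumed 32-bit timestamp.
        findings.append("maxlife-overflows-int32")
    return findings

if __name__ == "__main__":
    just_after_change = datetime(2013, 7, 17, 23, 5, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_USER, SAMPLE_POLICY, just_after_change))
```

On a real server, feed it the text printed by `ipa user-show admin --all` and `ipa pwpolicy-show` in place of the samples.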