https://bugzilla.redhat.com/show_bug.cgi?id=891977 (Red Hat Enterprise Linux 7)
When password max lifetime is set to 9999, password change fails due to password change expiration time being set in the past:

    # ipa pwpolicy-mod --maxlife 9999
      Group: global_policy
      Max lifetime (days): 9999
      Min lifetime (hours): 1
      History size: 1
      Character classes: 0
      Min length: 8
      Max failures: 6
      Failure reset interval: 60
      Lockout duration: 600

    $ ssh fbar9@vm-060.idm.lab.bos.redhat.com
    fbar9@vm-060.idm.lab.bos.redhat.com's password:
    Password expired. Change your password now.
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user fbar9.
    Current Password:
    New password:
    Retype new password:
    passwd: Authentication token manipulation error
    Connection to vm-060.idm.lab.bos.redhat.com closed.

    # ipa user-show fbar9 --all --raw
      dn: uid=fbar9,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
      uid: fbar9
      givenname: Foo
      sn: bar
      cn: Foo bar
      displayname: Foo bar
      initials: Fb
      homedirectory: /home/fbar9
      gecos: Foo bar
      loginshell: /bin/sh
      krbprincipalname: fbar9@IDM.LAB.BOS.REDHAT.COM
      uidnumber: 1297400012
      gidnumber: 1297400012
      nsaccountlock: False
      has_password: True
      has_keytab: True
      ipauniqueid: 3b9d1f88-49de-11e2-b9cf-001a4a104e37
      krbextradata: AAIgvtFQa2FkbWluZEBJRE0uTEFCLkJPUy5SRURIQVQuQ09NAA==
      krblastpwdchange: 20121219131616Z
      krblastsuccessfulauth: 20121219131616Z
      krbloginfailedcount: 0
      krbpasswordexpiration: 19040330064800Z <<<<<<<<<
      krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
      krbticketflags: 128
      memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
      mepmanagedentry: cn=fbar9,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
      objectclass: top
      objectclass: person
      objectclass: organizationalperson
      objectclass: inetorgperson
      objectclass: inetuser
      objectclass: posixaccount
      objectclass: krbprincipalaux
      objectclass: krbticketpolicyaux
      objectclass: ipaobject
      objectclass: ipasshuser
      objectclass: ipaSshGroupOfPubKeys
      objectclass: mepOriginEntry

Note: Max lifetime set to 5000 works.
This is reproducible only if --maxlife is set to at least 9999 days = 27.39 years, which results in a date beyond Tuesday, 19 January 2038 for password expiration with current dates.
See http://en.wikipedia.org/wiki/Year_2038_problem
This has the same cause as #3114
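The arithmetic behind the reported krbpasswordexpiration value, as an added example that is not part of the original ticket or FreeIPA's code: adding 9999 days to the krblastpwdchange shown above and storing the result in a signed 32-bit timestamp reproduces 19040330064800Z. The helper names are hypothetical, and clamping to the 32-bit maximum is shown as one possible mitigation, not as the fix that was committed.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1                      # 2038-01-19 03:14:07 UTC
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
LDAP_FMT = "%Y%m%d%H%M%SZ"                 # format of the krb* time attributes above
DAY = 86400


def to_epoch(generalized_time):
    """Parse an LDAP time string such as 20121219131616Z to Unix seconds."""
    dt = datetime.strptime(generalized_time, LDAP_FMT).replace(tzinfo=timezone.utc)
    return int((dt - EPOCH).total_seconds())


def from_epoch(seconds):
    """Format Unix seconds (negative values allowed) as an LDAP time string."""
    return (EPOCH + timedelta(seconds=seconds)).strftime(LDAP_FMT)


def wrap_int32(value):
    """Reduce value the way a signed 32-bit field stores it (two's complement)."""
    return (value + 2**31) % 2**32 - 2**31


def expiration_wrapped(last_change, maxlife_days):
    """Expiration as a 32-bit timestamp would hold it: wraps past 2038."""
    return from_epoch(wrap_int32(to_epoch(last_change) + maxlife_days * DAY))


def expiration_clamped(last_change, maxlife_days):
    """Assumed mitigation: saturate at INT32_MAX instead of wrapping."""
    return from_epoch(min(to_epoch(last_change) + maxlife_days * DAY, INT32_MAX))


def max_safe_maxlife_days(last_change):
    """Largest maxlife (days) that still fits in 32 bits for this change time."""
    return (INT32_MAX - to_epoch(last_change)) // DAY


if __name__ == "__main__":
    changed = "20121219131616Z"            # krblastpwdchange from the ticket
    print(expiration_wrapped(changed, 9999), expiration_wrapped(changed, 5000))
    print(expiration_clamped(changed, 9999), max_safe_maxlife_days(changed))
```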
master: 0e8a329
ipa-3-1: 4d17b72
Metadata Update from @mkosek: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 3.2 - 2013/02