#3312 Users cannot change their passwords after password expiry change
Closed: Fixed None Opened 11 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=891977 (Red Hat Enterprise Linux 7)

When password max lifetime is set to 9999, password change fails due to password change expiration time being set in the past:

# ipa pwpolicy-mod --maxlife 9999
  Group: global_policy
  Max lifetime (days): 9999
  Min lifetime (hours): 1
  History size: 1
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

$ ssh fbar9@vm-060.idm.lab.bos.redhat.com 
fbar9@vm-060.idm.lab.bos.redhat.com's password: 
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fbar9.
Current Password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error
Connection to vm-060.idm.lab.bos.redhat.com closed.

# ipa user-show fbar9 --all --raw
  dn: uid=fbar9,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar9
  givenname: Foo
  sn: bar
  cn: Foo bar
  displayname: Foo bar
  initials: Fb
  homedirectory: /home/fbar9
  gecos: Foo bar
  loginshell: /bin/sh
  krbprincipalname: fbar9@IDM.LAB.BOS.REDHAT.COM
  uidnumber: 1297400012
  gidnumber: 1297400012
  nsaccountlock: False
  has_password: True
  has_keytab: True
  ipauniqueid: 3b9d1f88-49de-11e2-b9cf-001a4a104e37
  krbextradata: AAIgvtFQa2FkbWluZEBJRE0uTEFCLkJPUy5SRURIQVQuQ09NAA==
  krblastpwdchange: 20121219131616Z
  krblastsuccessfulauth: 20121219131616Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 19040330064800Z   <<<<<<<<<
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  krbticketflags: 128
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  mepmanagedentry: cn=fbar9,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry

Note: Max lifetime set to 5000 works.

This is reproducible only if --maxlife is set to at least 9999 days = 27.39 years, which results in a date beyond Tuesday, 19 January 2038 for password expiration with current dates.

See http://en.wikipedia.org/wiki/Year_2038_problem

This has the same cause as #3114

Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2 - 2013/02

7 years ago
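The arithmetic behind the ticket's `krbpasswordexpiration` value, as an added example (not FreeIPA code). It assumes the expiration is `krblastpwdchange` plus the max lifetime in days, stored in a signed 32-bit time value; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DAY 86400LL

/* Days since 1970-01-01 for a Gregorian date (standard civil-date arithmetic). */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Epoch seconds -> LDAP GeneralizedTime; also valid for negative (pre-1970) values. */
static void to_gtime(int64_t t, char out[16]) {
    int64_t days = t / DAY, rem = t % DAY;
    if (rem < 0) { rem += DAY; days--; }
    int64_t z = days + 719468, era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    int d = (int)(doy - (153 * mp + 2) / 5 + 1), m = (int)(mp < 10 ? mp + 3 : mp - 9);
    snprintf(out, 16, "%04d%02d%02d%02d%02d%02dZ", (int)(yoe + era * 400 + (m <= 2)),
             m, d, (int)(rem / 3600), (int)(rem % 3600 / 60), (int)(rem % 60));
}

/* krblastpwdchange from the ticket: 20121219131616Z */
static int64_t last_change(void) {
    return days_from_civil(2012, 12, 19) * DAY + 13 * 3600 + 16 * 60 + 16;
}

/* Assumed buggy form: the sum is truncated to a signed 32-bit value
 * (the narrowing conversion wraps on common compilers). */
static int64_t expiry32(int64_t changed, int64_t maxlife_days) {
    return (int32_t)(uint32_t)(changed + maxlife_days * DAY);
}

/* Same sum kept in 64 bits. */
static int64_t expiry64(int64_t changed, int64_t maxlife_days) { return changed + maxlife_days * DAY; }

/* Sanity check: an expiry must lie after the change it was derived from. */
static int expiry_sane(int64_t changed, int64_t expiry) { return expiry > changed; }

int main(void) {
    char a[16], b[16];
    int64_t c = last_change();
    to_gtime(expiry32(c, 9999), a);
    to_gtime(expiry64(c, 9999), b);
    printf("32-bit: %s%s\n64-bit: %s\nsane(32-bit): %d\n", a,
           strcmp(a, "19040330064800Z") ? "" : " (ticket value)", b, expiry_sane(c, expiry32(c, 9999)));
    return 0;
}
```

With 9999 days the 32-bit sum wraps to exactly the `19040330064800Z` shown in the `user-show` output, while 5000 days stays below the 2038 limit, which matches the note that 5000 works.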
