Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 971303
Description of problem:

The documentation in 5.4. Changing Passwords of Identity Management Guide https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#changing-pwds says:

    Changing a password as the IdM admin user overrides any IdM password policies, but the password expires immediately. This requires the user to change the password at the next login.

However, there seems to be a one second race condition when this is not true -- either the expiration is set in the future or the expiration is incorrectly compared.

Version-Release number of selected component (if applicable):

    # rpm -qf /usr/bin/ipa /usr/bin/kinit
    ipa-admintools-3.0.0-25.el6.x86_64
    krb5-workstation-1.10.3-10.el6.x86_64

How reproducible: Not deterministic but on fast machine very probable.

Steps to Reproduce:

1. kinit as admin so that ipa user-add passes.
2. Set environment variable to yet nonexistent IPA user: export GUSER=test1
3. Run the following script:

    date
    ( echo initpass ; echo initpass ) | ipa user-add $GUSER --first X --last Y --password
    echo fk8hAfT7i | kinit $GUSER
    klist
    date

Actual results:

    Thu Jun  6 04:54:11 EDT 2013
    ------------------
    Added user "test1"
    ------------------
      User login: test1
      First name: X
      Last name: Y
      Full name: X Y
      Display name: X Y
      Initials: XY
      Home directory: /home/test1
      GECOS field: X Y
      Login shell: /bin/sh
      Kerberos principal: test1@TESTRELM.COM
      Email address: test1@testrelm.com
      UID: 835400026
      GID: 835400026
      Password: True
      Kerberos keys available: True
    Password for test1@TESTRELM.COM:
    Warning: Your password will expire in less than one hour on Thu Jun  6 04:54:11 2013
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: test1@TESTRELM.COM

    Valid starting     Expires            Service principal
    06/06/13 04:54:11  06/07/13 04:54:11  krbtgt/TESTRELM.COM@TESTRELM.COM
    Thu Jun  6 04:54:11 EDT 2013

Note that the Warning message says that the password "will" expire in 04:54:11 when it already is 04:54:11, and we were able to kinit without changing the password. Sometimes the Warning message is not even shown.

Expected results:

      Kerberos keys available: True
    Password for test1@TESTRELM.COM:
    Password expired.  You must change it now.
    Enter new password:
    kinit: Cannot read password while getting initial credentials
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin@TESTRELM.COM

which is what you get when sleep 1 is added between that user-add and kinit.

Additional info: When the commands are run by a human, there will likely always be one second between the two events. But in automated / scripted environments, this nondeterminism is not that great and it possibly reveals some issue with the timestamp calculations.
As per Simo's advice in the linked Bugzilla:

Given kerberos allows for clock skews of 5 minutes, we could use that as a 'standard' skew and set the expiration back 5 minutes. This would certainly avoid any race and also tools running on a different machine directly checking the expiration time attribute for whatever reason (monitoring, notifying, ...) would not be fooled.
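The following is an added example, not FreeIPA or krb5 code, that models the same-second race described in the report and the backdating Simo proposes. It assumes the KDC treats a password as expired only when the current second is strictly later than the stored second (an assumption about the comparison, chosen because it reproduces the "will expire ... on 04:54:11" warning seen at 04:54:11), and uses constructed timestamps (08:54:11 UTC is the report's 04:54:11 EDT). The attribute name krbPasswordExpiration is the IPA LDAP attribute; the 5-minute skew comes from Simo's comment.

```python
"""Model of the same-second password-expiration race from this ticket.

Added example, not FreeIPA or krb5 code. The KDC comparison below is an
assumed model (strict 'now > expiration'); timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

# Default Kerberos clock skew tolerance; Simo proposes backdating the
# expiration by this much so a reset is expired from any nearby clock's view.
KERBEROS_CLOCK_SKEW = timedelta(minutes=5)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20130606085411Z' (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    """Render a datetime as LDAP GeneralizedTime; sub-second precision is dropped."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expiration_for_admin_reset(reset_time: datetime, backdate: timedelta = timedelta(0)) -> str:
    """Value stored in krbPasswordExpiration by an admin-initiated reset.

    backdate=0 models the behaviour the report shows (expiration equals the
    reset time); backdate=KERBEROS_CLOCK_SKEW models the proposed fix.
    """
    return format_generalized_time(reset_time - backdate)


def password_expired(stored_expiration: str, now: datetime) -> bool:
    """Assumed KDC check: expired only when 'now' is strictly later than the
    stored second. With whole-second storage, an expiration equal to the
    current second is therefore *not* expired and kinit hands out a ticket."""
    return now.replace(microsecond=0) > parse_generalized_time(stored_expiration)


def simulate_admin_reset(reset_time: str, kinit_time: str, backdate_seconds: int = 0) -> dict:
    """Admin resets at reset_time, user runs kinit at kinit_time (GeneralizedTime strings).

    Returns the stored expiration and whether the user is forced to change
    the password ('Password expired. You must change it now.') or gets a ticket.
    """
    stored = expiration_for_admin_reset(parse_generalized_time(reset_time),
                                        timedelta(seconds=backdate_seconds))
    return {
        "krbPasswordExpiration": stored,
        "must_change": password_expired(stored, parse_generalized_time(kinit_time)),
    }


if __name__ == "__main__":
    reset = "20130606085411Z"  # constructed: the report's 04:54:11 EDT in UTC
    scenarios = [
        ("same second, no backdate (the race)", "20130606085411Z", 0),
        ("one second later, no backdate (sleep 1)", "20130606085412Z", 0),
        ("same second, backdated by clock skew", "20130606085411Z",
         int(KERBEROS_CLOCK_SKEW.total_seconds())),
    ]
    for label, kinit_at, backdate in scenarios:
        outcome = simulate_admin_reset(reset, kinit_at, backdate)
        print(f"{label}: stored={outcome['krbPasswordExpiration']} "
              f"must_change={outcome['must_change']}")
```

With no backdating, a kinit in the same second as the reset is accepted; one second later, or with the expiration set back by the clock skew, the change is forced regardless of how quickly the two commands run.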
Might be a dup #1064. Investigate in 3.2.
I tested with 3.1.4 and this is indeed a duplicate of #1064:
    # echo Secret123 |kinit admin ; echo reset_pwd | ipa passwd testuser ; echo -e 'reset_pwd\nnew_pwd123\nnew_pwd123' | kinit testuser
    Password for admin@IDM.LAB.BOS.REDHAT.COM:
    ------------------------------------------------------
    Changed password for "testuser@IDM.LAB.BOS.REDHAT.COM"
    ------------------------------------------------------
    Password for testuser@IDM.LAB.BOS.REDHAT.COM:
    Password expired.  You must change it now.
    Enter new password:
    Enter it again:
I always got the prompt for new password.
Closing the ticket as duplicate of #1064.
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)