
We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:

sashka@cellar ~ ssh admin@ipa.xxxxxxxxxx.com
admin@ipa.xxxxxxxxxx.com's password: 
Password expired. Change your password now.
Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
There were 6071 failed login attempts since the last successful login.
Last login: Wed Apr 16 19:28:54 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admin.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
Connection to ipa.xxxxxxxxxx.com closed.

If we try to change the password using passwd it fails too with the same error message:

[admin@ipa ~]$ passwd
Changing password for user admin.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
[admin@ipa ~]$

What should we do to resolve this situation?

Alex

1 Answer


It sounds like you have somehow created a password policy with a minimum password life longer than the maximum password life.

Remember that the maximum is specified in days while the minimum is specified in hours. If you mix these up, then it's easy to do this.

To confirm it, check the existing password policy:

ipa pwpolicy-find

ipa pwpolicy-show global_policy

Log in with a second admin account and change the password policy.

For instance, to set a minimum life of 7 days and a maximum life of 90 days:

From the command line:

ipa pwpolicy-mod global_policy --minlife 168 --maxlife 90

From the web UI:

[Screenshot: Change IPA password policy Web UI]

The minimum life can also be set to zero to disable it.

Michael Hampton
  • Do these settings apply back to accounts which were created prior to policy modification? My current global password policy is 900 days of max lifetime and 2400 hours of min lifetime. I think the admin account had a default max lifetime of 90 days initially. So if it was remembered on account creation and not synchronized later when we set a new max lifetime the old max got lower than the new min! – Alex Jun 30 '14 at 16:49
  • The policy should take effect immediately. I'm not sure what's going on with your admin account. And that's really a quite long minimum lifetime. 100 days without being able to change a password seems rather excessive... – Michael Hampton Jun 30 '14 at 16:53
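The unit mismatch the answer describes (minimum life in hours, maximum life in days) is easy to check mechanically. The script below is an added example, not part of the question, the answer or FreeIPA itself: it parses the output of `ipa pwpolicy-show` and reports whether the minimum life exceeds the maximum life, which is exactly the state in which every `passwd` attempt fails with "minimum life has not expired". It assumes the `Max lifetime (days):` and `Min lifetime (hours):` labels as printed by the `ipa` client; the policy text embedded in the script is constructed sample data (the 2400-hour minimum from the comment thread, against a 90-day maximum) rather than captured output.

```shell
#!/bin/sh
# Added example: detect a FreeIPA password policy whose minimum life (hours)
# is longer than its maximum life (days). Not code from the answer or FreeIPA.

# Constructed sample of `ipa pwpolicy-show global_policy` output (assumed labels).
SAMPLE_POLICY='  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 2400
  History size: 0
  Character classes: 0
  Min length: 8'

# Extract the numeric value of one labelled field from policy text on stdin.
# $1 is the label, e.g. "Max lifetime (days)"; parentheses are literal in BRE.
policy_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Convert a number of days to the --minlife value ipa pwpolicy-mod expects (hours).
days_to_minlife_hours() {
    echo $(($1 * 24))
}

# Print OK, CONFLICT or UNPARSED for the policy text given as $1.
# CONFLICT means a password expires before it may be changed, so users
# (including admin) are locked into the "Password change failed" loop.
check_policy() {
    maxdays=$(printf '%s\n' "$1" | policy_field 'Max lifetime (days)')
    minhours=$(printf '%s\n' "$1" | policy_field 'Min lifetime (hours)')
    [ -n "$maxdays" ] && [ -n "$minhours" ] || { echo "UNPARSED"; return 2; }
    maxhours=$((maxdays * 24))
    if [ "$minhours" -gt "$maxhours" ]; then
        echo "CONFLICT"
        return 1
    fi
    echo "OK"
    return 0
}

# With --live, check the real global policy; otherwise check the sample.
if [ "${1:-}" = "--live" ]; then
    POLICY=$(ipa pwpolicy-show global_policy)
else
    POLICY=$SAMPLE_POLICY
fi
check_policy "$POLICY" || echo "fix with: ipa pwpolicy-mod global_policy --minlife $(days_to_minlife_hours 7) --maxlife 90"
```

Run it without arguments to see the sample flagged as CONFLICT; run `sh check_pwpolicy.sh --live` as a second, unexpired admin on an IPA client with a valid Kerberos ticket to test the real `global_policy`. Because a user-specific or group policy can override the global one, repeat the check for every policy listed by `ipa pwpolicy-find` when a single account is affected.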