Bug 796641

Summary: krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z
Product: [Retired] freeIPA Reporter: Joaquin <narebeestjes>
Component: ipa-serverAssignee: Rob Crittenden <rcritten>
Status: CLOSED DEFERRED QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: unspecified    
Version: 2.1CC: dpal, jgalipea, mkosek, rmainz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 797333 (view as bug list) Environment:
Last Closed: 2015-01-21 12:31:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 797333    

Description Joaquin 2012-02-23 11:32:11 UTC 
Description of problem:
kinit fails with the message:

kinit: ASN.1 failed call to system time library while getting initial
credentials

Or (krbpasswordexpiration == 20380119031408Z) tels you to change your password:
Password expired.  You must change it now.
Enter new password:



Version-Release number of selected component (if applicable):
krb5-server-1.9.2-6.fc16.x86_64
krb5-workstation-1.9.2-6.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
389-ds-base-1.2.10-0.10.rc1.fc16.x86_64

How reproducible:
- 
- use "kinit <user>"



Steps to Reproduce:
1.
Use ldapmodify to change the value of "krbpasswordexpiration" to 20380119031408Z "<user>"

2. 
Use "kinit <user>" to get a ticket

3. repeat steps 1 and 2 with a value larger than 20380119031408Z

4. repeat steps 1 and 2 with a valu of 20380119031407Z or lower
  
Actual results:
2.
Password expired.  You must change it now.

3.
kinit: ASN.1 failed call to system time library while getting initial
credentials


Expected results:
- like in the case 4.
ticket granted, klist lists the ticket

Additional info:
Comment 1 Dmitri Pal 2012-02-26 17:55:36 UTC 
Please use https://bugzilla.redhat.com/show_bug.cgi?id=797333 for further communication about this issue.
Comment 3 Martin Kosek 2015-01-21 12:31:31 UTC 
Thank you taking your time and submitting this request for FreeIPA in Fedora. Unfortunately, this bug was not given a priority and was deferred both in Fedora and in the upstream FreeIPA project.

Given that we are unable to fulfill this request in following Fedora releases, I am closing the Bugzilla as DEFERRED. To request re-consideration of this decision please reopen this Bugzilla and provide additional technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.