Bug 859510

Summary: Expired IPA password changes fail if pwpolicy expiration time is changed after expiration
Product: Red Hat Enterprise Linux 7 Reporter: Nathan <lagern>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.0CC: dpal, jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.2.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:12:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nathan 2012-09-21 17:34:51 UTC 
Description of problem:
If IPA's password policy is set, and a password expires for an account.  If the password policy is changed such that the expired password would not have expired, the user is unable to change their password, and the account is unusable. 

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

How reproducible:
Easily reproducible.

Steps to Reproduce:
1. Set password policy to expire passwords after 10 days,
2. Wait for a user to expire
3. kinit as another admin user after one user has expired, and change the pwpolicy to expire after 9999 days
4. attempt to kinit to an expired user
5. ipa will tell you that the password has expired, and it wont let you reset your password.

Error reported:
[root@ipaserver ~]# kinit admin
Password for admin.DOMAIN
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Password has expired while getting initial credentials

Change the expiration back to 10 days, and users will be able to reset their passwords.
  
Actual results:
Unable to reset passwords which expired before the policy was extended.

Expected results:
Users should be able to reset their expired passwords regardless of what the expiration policy is.

Additional info:
Comment 2 Dmitri Pal 2012-09-24 14:16:08 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3114
Comment 4 Martin Kosek 2013-02-08 14:59:41 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/0e8a329048629f639ae64ff32e01e12a495e7763
ipa-3-1: https://fedorahosted.org/freeipa/changeset/4d17b7217256996c51b579504f47b9d1ef037f04

IPA Kerberos LDAP driver now caps krbPasswordExpiration time on 2038-01-01, i.e. a highest representable time in Kerberos. This fixes password change issues when password policy was set to a value setting expiration date after 2038-01-01.
Comment 7 Yi Zhang 2013-10-02 19:01:45 UTC 
bug verified  (same as bug 891977)
[root@rh7c (RH7.0-x86_64) ipa-password] rpm -qa | grep ipa-server
ipa-server-3.3.1-5.el7.x86_64


automation in ipa-password test suite
bz_891977()
{       
    rlPhaseStartTest "Bug 891977 - Users cannot change their passwords after password expiry change"                                                                             
        rlLog "please note: bug 891977 is clone of 859510"                              
        local user=bz859510                                                             
        local grp=grp859510                                                             
        local small=1
        local big=10
        local initialPW="redhat_000"                                                    
        local newPW="redhat_001"                                                        
        local latestPW="redhat_002"                                                     
        # preparing test data 
        Local_KinitAsAdmin 
        echo $initialPW | ipa user-add $user --first "bug" --last "859510" --password   
        ipa group-add $grp --desc "group for 859510"
        ipa group-add-member $grp --user=$user
        ipa pwpolicy-add $grp --maxlife=$small --priority=6
        Local_FirstKinitAs $user $initialPW $newPW                                      
        # up to this step, user and group are created, user's password will expire in $small day 
        offset_system_time "+ $small * 24 * 3600"                                       
        Local_KinitAsAdmin
        ipa pwpolicy-mod $grp --maxlife=$big
        kinit_aftermaxlife $user $newPW $latestPW                                       
        rlLog "clean up test data"                                                      
        Local_KinitAsAdmin
        rlRun "ipa group-del $grp"                                                      
        rlRun "ipa user-del $user"                                                      
    rlPhaseEnd                                                                          
}
Comment 8 Ludek Smid 2014-06-13 11:12:31 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.