Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2807

Please provide the exact steps on how it happens if you set it to something and then reset.

To be clear, you're saying that the password is rejected, but if you set it to something else, then try again to set it to the previously rejected password, it works?

Can you check the 389-ds-base error log to see if it has any additional information?

test data: "p@^C00žX@1"

== test 1 ==

1. as admin, create ipa user "tuser01" , assign no password
ipa user-add tuser01 --first test --last 01

2. as admin, assign initial password "redhat"
ipa passwd tuser01

3. do kinit as user tuser01
[yi@fig (RH6.3-x86_64) ipa-password] kinit tuser01
Password for tuser01.COM:    <<---- <enter "redhat" here>
Password expired.  You must change it now. <<---- <enter "p@^C00žX@1" here>
Enter new password:                        <<---- <enter "p@^C00žX@1" here>
Enter it again: 
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.
.  Please try again.


== test 2 ==
1. as admin, change global password policy , set minclasses to < 5 
ipa-password] ipa pwpolicy-mod --minclasses=2 --minlife=0 --history=0

2. as admin, create ipa user "tuser02", assign no password
ipa user-add tuser02 --first test --last 02

2. as admin, assign initial password "redhat"
ipa passwd tuser02

3. as tuser02, do kinit (this is first time kinit), change password to "redhat001"
[yi@fig (RH6.3-x86_64) ipa-password] kinit tuser02
Password for tuser02.COM:       <<--- enter "redhat"
Password expired.  You must change it now.
Enter new password:                          <<--- enter "redhat001"
Enter it again:                              <<--- enter "redhat001"

4. as admin, change minclasses to 5
ipa pwpolicy-mod --minclasses=5

5. as tuser02, change password from "redhat001" to "p@^C00žX@1" -- this is success
[yi@fig (RH6.3-x86_64) ipa-password] kinit tuser02
Password for tuser02.COM:      <<---- enter "redhat001"
Password expired.  You must change it now.
Enter new password:                          <<---- enter "p@^C00žX@1"
Enter it again:                              <<---- enter "p@^C00žX@1"


==================== conclusion ===================
(1) test 2 proves: after kinit at first time, use 8-bit string as password is allowed. the feature works as design

(2) test 1 proves: use 8-bit string as password at first kinit fails -- this is not expected. 

(3) i see no error msg in dirsrv log file, no error msg in httpd log file, no error msg in krb5kdc file

(4) test 1 always fails regardless what are current password policy setting. i tried use "minclasses=5" "minclasses=1", the test results are the same.

sorry, i post my test percedure so soon.

for test 2, i have two "step 2", this is just a mis-label. the overall order and logic is correct.

I still don't understand, it seems like you are comparing apples and oranges. What is the password policy when setting the password for tuser01?

regardless the password policy setting, test 1 always fails. 

the rejection of 8-bit string as password only happenes when user do kinit at frist time. 

the purpose of test 2 is to show that after the very first kinit, 8-bit string does allow to be used as password.

Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.