Red Hat Bugzilla – Bug 859510
Expired IPA password changes fail if pwpolicy expiration time is changed after expiration
Last modified: 2014-06-17 20:03:07 EDT
Description of problem: If IPA's password policy is set, and a password expires for an account. If the password policy is changed such that the expired password would not have expired, the user is unable to change their password, and the account is unusable. Version-Release number of selected component (if applicable): ipa-server-2.2.0-16.el6.x86_64 ipa-client-2.2.0-16.el6.x86_64 How reproducible: Easily reproducible. Steps to Reproduce: 1. Set password policy to expire passwords after 10 days, 2. Wait for a user to expire 3. kinit as another admin user after one user has expired, and change the pwpolicy to expire after 9999 days 4. attempt to kinit to an expired user 5. ipa will tell you that the password has expired, and it wont let you reset your password. Error reported: [root@ipaserver ~]# kinit admin Password for admin@YOUR.KERBEROS.DOMAIN Password expired. You must change it now. Enter new password: Enter it again: kinit: Password has expired while getting initial credentials Change the expiration back to 10 days, and users will be able to reset their passwords. Actual results: Unable to reset passwords which expired before the policy was extended. Expected results: Users should be able to reset their expired passwords regardless of what the expiration policy is. Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3114
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/0e8a329048629f639ae64ff32e01e12a495e7763 ipa-3-1: https://fedorahosted.org/freeipa/changeset/4d17b7217256996c51b579504f47b9d1ef037f04 IPA Kerberos LDAP driver now caps krbPasswordExpiration time on 2038-01-01, i.e. a highest representable time in Kerberos. This fixes password change issues when password policy was set to a value setting expiration date after 2038-01-01.
bug verified (same as bug 891977) [root@rh7c (RH7.0-x86_64) ipa-password] rpm -qa | grep ipa-server ipa-server-3.3.1-5.el7.x86_64 automation in ipa-password test suite bz_891977() { rlPhaseStartTest "Bug 891977 - Users cannot change their passwords after password expiry change" rlLog "please note: bug 891977 is clone of 859510" local user=bz859510 local grp=grp859510 local small=1 local big=10 local initialPW="redhat_000" local newPW="redhat_001" local latestPW="redhat_002" # preparing test data Local_KinitAsAdmin echo $initialPW | ipa user-add $user --first "bug" --last "859510" --password ipa group-add $grp --desc "group for 859510" ipa group-add-member $grp --user=$user ipa pwpolicy-add $grp --maxlife=$small --priority=6 Local_FirstKinitAs $user $initialPW $newPW # up to this step, user and group are created, user's password will expire in $small day offset_system_time "+ $small * 24 * 3600" Local_KinitAsAdmin ipa pwpolicy-mod $grp --maxlife=$big kinit_aftermaxlife $user $newPW $latestPW rlLog "clean up test data" Local_KinitAsAdmin rlRun "ipa group-del $grp" rlRun "ipa user-del $user" rlPhaseEnd }
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.