859510 – Expired IPA password changes fail if pwpolicy expiration time is changed after expiration

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 859510 - Expired IPA password changes fail if pwpolicy expiration time is changed after expiration

Summary: Expired IPA password changes fail if pwpolicy expiration time is changed afte...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-21 17:34 UTC by Nathan
Modified:	2014-06-18 00:03 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ipa-3.2.1-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 11:12:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Nathan 2012-09-21 17:34:51 UTC

Description of problem:
If IPA's password policy is set, and a password expires for an account.  If the password policy is changed such that the expired password would not have expired, the user is unable to change their password, and the account is unusable. 

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

How reproducible:
Easily reproducible.

Steps to Reproduce:
1. Set password policy to expire passwords after 10 days,
2. Wait for a user to expire
3. kinit as another admin user after one user has expired, and change the pwpolicy to expire after 9999 days
4. attempt to kinit to an expired user
5. ipa will tell you that the password has expired, and it wont let you reset your password.

Error reported:
[root@ipaserver ~]# kinit admin
Password for admin.DOMAIN
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Password has expired while getting initial credentials

Change the expiration back to 10 days, and users will be able to reset their passwords.
  
Actual results:
Unable to reset passwords which expired before the policy was extended.

Expected results:
Users should be able to reset their expired passwords regardless of what the expiration policy is.

Additional info:

Comment 2 Dmitri Pal 2012-09-24 14:16:08 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3114

Comment 4 Martin Kosek 2013-02-08 14:59:41 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/0e8a329048629f639ae64ff32e01e12a495e7763
ipa-3-1: https://fedorahosted.org/freeipa/changeset/4d17b7217256996c51b579504f47b9d1ef037f04

IPA Kerberos LDAP driver now caps krbPasswordExpiration time on 2038-01-01, i.e. a highest representable time in Kerberos. This fixes password change issues when password policy was set to a value setting expiration date after 2038-01-01.

Comment 7 Yi Zhang 2013-10-02 19:01:45 UTC

bug verified  (same as bug 891977)
[root@rh7c (RH7.0-x86_64) ipa-password] rpm -qa | grep ipa-server
ipa-server-3.3.1-5.el7.x86_64


automation in ipa-password test suite
bz_891977()
{       
    rlPhaseStartTest "Bug 891977 - Users cannot change their passwords after password expiry change"                                                                             
        rlLog "please note: bug 891977 is clone of 859510"                              
        local user=bz859510                                                             
        local grp=grp859510                                                             
        local small=1
        local big=10
        local initialPW="redhat_000"                                                    
        local newPW="redhat_001"                                                        
        local latestPW="redhat_002"                                                     
        # preparing test data 
        Local_KinitAsAdmin 
        echo $initialPW | ipa user-add $user --first "bug" --last "859510" --password   
        ipa group-add $grp --desc "group for 859510"
        ipa group-add-member $grp --user=$user
        ipa pwpolicy-add $grp --maxlife=$small --priority=6
        Local_FirstKinitAs $user $initialPW $newPW                                      
        # up to this step, user and group are created, user's password will expire in $small day 
        offset_system_time "+ $small * 24 * 3600"                                       
        Local_KinitAsAdmin
        ipa pwpolicy-mod $grp --maxlife=$big
        kinit_aftermaxlife $user $newPW $latestPW                                       
        rlLog "clean up test data"                                                      
        Local_KinitAsAdmin
        rlRun "ipa group-del $grp"                                                      
        rlRun "ipa user-del $user"                                                      
    rlPhaseEnd                                                                          
}

Comment 8 Ludek Smid 2014-06-13 11:12:31 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.