Bug 859510 - Expired IPA password changes fail if pwpolicy expiration time is changed after expiration
Expired IPA password changes fail if pwpolicy expiration time is changed afte...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: Rob Crittenden
Depends On:
  Show dependency treegraph
Reported: 2012-09-21 13:34 EDT by Nathan
Modified: 2014-06-17 20:03 EDT (History)
3 users (show)

See Also:
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-06-13 07:12:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nathan 2012-09-21 13:34:51 EDT
Description of problem:
If IPA's password policy is set, and a password expires for an account.  If the password policy is changed such that the expired password would not have expired, the user is unable to change their password, and the account is unusable. 

Version-Release number of selected component (if applicable):

How reproducible:
Easily reproducible.

Steps to Reproduce:
1. Set password policy to expire passwords after 10 days,
2. Wait for a user to expire
3. kinit as another admin user after one user has expired, and change the pwpolicy to expire after 9999 days
4. attempt to kinit to an expired user
5. ipa will tell you that the password has expired, and it wont let you reset your password.

Error reported:
[root@ipaserver ~]# kinit admin
Password for admin@YOUR.KERBEROS.DOMAIN
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Password has expired while getting initial credentials

Change the expiration back to 10 days, and users will be able to reset their passwords.
Actual results:
Unable to reset passwords which expired before the policy was extended.

Expected results:
Users should be able to reset their expired passwords regardless of what the expiration policy is.

Additional info:
Comment 2 Dmitri Pal 2012-09-24 10:16:08 EDT
Upstream ticket:
Comment 4 Martin Kosek 2013-02-08 09:59:41 EST
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/0e8a329048629f639ae64ff32e01e12a495e7763
ipa-3-1: https://fedorahosted.org/freeipa/changeset/4d17b7217256996c51b579504f47b9d1ef037f04

IPA Kerberos LDAP driver now caps krbPasswordExpiration time on 2038-01-01, i.e. a highest representable time in Kerberos. This fixes password change issues when password policy was set to a value setting expiration date after 2038-01-01.
Comment 7 Yi Zhang 2013-10-02 15:01:45 EDT
bug verified  (same as bug 891977)
[root@rh7c (RH7.0-x86_64) ipa-password] rpm -qa | grep ipa-server

automation in ipa-password test suite
    rlPhaseStartTest "Bug 891977 - Users cannot change their passwords after password expiry change"                                                                             
        rlLog "please note: bug 891977 is clone of 859510"                              
        local user=bz859510                                                             
        local grp=grp859510                                                             
        local small=1
        local big=10
        local initialPW="redhat_000"                                                    
        local newPW="redhat_001"                                                        
        local latestPW="redhat_002"                                                     
        # preparing test data 
        echo $initialPW | ipa user-add $user --first "bug" --last "859510" --password   
        ipa group-add $grp --desc "group for 859510"
        ipa group-add-member $grp --user=$user
        ipa pwpolicy-add $grp --maxlife=$small --priority=6
        Local_FirstKinitAs $user $initialPW $newPW                                      
        # up to this step, user and group are created, user's password will expire in $small day 
        offset_system_time "+ $small * 24 * 3600"                                       
        ipa pwpolicy-mod $grp --maxlife=$big
        kinit_aftermaxlife $user $newPW $latestPW                                       
        rlLog "clean up test data"                                                      
        rlRun "ipa group-del $grp"                                                      
        rlRun "ipa user-del $user"                                                      
Comment 8 Ludek Smid 2014-06-13 07:12:31 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.