Red Hat Bugzilla – Bug 859510
Expired IPA password changes fail if pwpolicy expiration time is changed after expiration
Last modified: 2014-06-17 20:03:07 EDT
Description of problem:
If IPA's password policy is set, and a password expires for an account. If the password policy is changed such that the expired password would not have expired, the user is unable to change their password, and the account is unusable.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set password policy to expire passwords after 10 days,
2. Wait for a user to expire
3. kinit as another admin user after one user has expired, and change the pwpolicy to expire after 9999 days
4. attempt to kinit to an expired user
5. ipa will tell you that the password has expired, and it wont let you reset your password.
[root@ipaserver ~]# kinit admin
Password for admin@YOUR.KERBEROS.DOMAIN
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
Change the expiration back to 10 days, and users will be able to reset their passwords.
Unable to reset passwords which expired before the policy was extended.
Users should be able to reset their expired passwords regardless of what the expiration policy is.
IPA Kerberos LDAP driver now caps krbPasswordExpiration time on 2038-01-01, i.e. a highest representable time in Kerberos. This fixes password change issues when password policy was set to a value setting expiration date after 2038-01-01.
bug verified (same as bug 891977)
[root@rh7c (RH7.0-x86_64) ipa-password] rpm -qa | grep ipa-server
automation in ipa-password test suite
rlPhaseStartTest "Bug 891977 - Users cannot change their passwords after password expiry change"
rlLog "please note: bug 891977 is clone of 859510"
# preparing test data
echo $initialPW | ipa user-add $user --first "bug" --last "859510" --password
ipa group-add $grp --desc "group for 859510"
ipa group-add-member $grp --user=$user
ipa pwpolicy-add $grp --maxlife=$small --priority=6
Local_FirstKinitAs $user $initialPW $newPW
# up to this step, user and group are created, user's password will expire in $small day
offset_system_time "+ $small * 24 * 3600"
ipa pwpolicy-mod $grp --maxlife=$big
kinit_aftermaxlife $user $newPW $latestPW
rlLog "clean up test data"
rlRun "ipa group-del $grp"
rlRun "ipa user-del $user"
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.