James Martin via FreeIPA-users wrote:
> All,
>
> I just had a blip of downtime on some services recently caused by setting
> "Max lifetime (days)" password policy to 20000 while troubleshooting another
> much more minor issue. This caused services connecting to FreeIPA via LDAP to
> fail with error code 49, with an explanation of "Password Expired". Needless
> to say, none of our passwords are 20000 days old. Setting it back to 0, where
> it was before, solved this issue. Authentication via Kerberos or passworded
> SSH to enrolled hosts was unaffected. I did some searching on Pagure and
> couldn't find any issues like this, so I wanted to report it.

Without knowing what version you are running, it's a blind guess, but IIRC some older releases, like really old, would overflow the time value with extremely large maxlife and display this behavior. In fact, the value was capped at exactly 20000 (~ 54 years) in 2013 to avoid this. So perhaps it's time to reduce the max allowed value.

rob
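
The reply above mentions a time value overflowing with a very large maxlife. The following is an added example, not FreeIPA code and not written by either poster, showing how that class of bug yields a false "expired" result, assuming expiry is held as signed 32-bit seconds since the epoch. All function names and timestamps are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400

/* Hypothetical buggy computation: the sum is truncated to 32 bits and
 * reinterpreted as signed, which is what a wrapping 32-bit add produces. */
static int32_t expiry_wrapping32(int32_t last_change, int32_t maxlife_days)
{
    int64_t exact = (int64_t)last_change + (int64_t)maxlife_days * SECS_PER_DAY;
    uint32_t low = (uint32_t)exact;                 /* keep the low 32 bits */
    return low >= 0x80000000u ? (int32_t)((int64_t)low - 4294967296LL)
                              : (int32_t)low;
}

/* Checked variant: refuses a policy whose expiry is not representable. */
static bool expiry_checked32(int32_t last_change, int32_t maxlife_days,
                             int32_t *out)
{
    int64_t exact = (int64_t)last_change + (int64_t)maxlife_days * SECS_PER_DAY;
    if (maxlife_days < 0 || exact > INT32_MAX)
        return false;
    *out = (int32_t)exact;
    return true;
}

/* Largest maxlife (days) that still fits for a given last-change time. */
static int32_t max_safe_days32(int32_t last_change)
{
    return (int32_t)(((int64_t)INT32_MAX - last_change) / SECS_PER_DAY);
}

static bool password_expired(int32_t expiry, int32_t now)
{
    return expiry <= now;
}

int main(void)
{
    /* Constructed sample: password changed 2023-11-14, checked a day later. */
    int32_t changed = 1700000000, now = 1700086400;
    int32_t exp = expiry_wrapping32(changed, 20000);
    printf("wrapped expiry=%d expired=%d\n", (int)exp, password_expired(exp, now));
    printf("max safe days=%d\n", (int)max_safe_days32(changed));
    return 0;
}
```

With these sample values the wrapped expiry lands before the epoch, so a day-old password compares as expired; the checked variant rejects the policy value instead.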