On 02/25/2013 04:38 PM, Brian Smith wrote: > It seems that regardless of the global password expiry setting, that setting a > password via the methods > > user-add > passwd > > i will always have a password that expires in 90 days. I followed the > instructions here http://freeipa.org/page/PasswordSynchronization > > to avoid the immediate expiry, but I need at least 180 days for my > configuration to work. > > Any help would be appreciated! > > -- > Brian Smith > Assistant Director > Research Computing, University of South Florida > 4202 E. Fowler Ave. SVC4010 > Office Phone: +1 813 974-1467 > Organization URL: http://rc.usf.edu >
Hello Brian, Updating maximum password expiration time with "ipa pwpolicy-mod" affects only new passwords, i.e. password that you already changed will have the old lifetime. When I tested this on Fedora 18, password change worked for me: # ipa pwpolicy-mod --maxlife 180 Group: global_policy Max lifetime (days): 180 Min lifetime (hours): 1 History size: 0 Character classes: 0 Min length: 8 Max failures: 6 Failure reset interval: 60 Lockout duration: 600 # ipa user-add --first=Foo --last=Bar fbar ----------------- Added user "fbar" ----------------- User login: fbar First name: Foo Last name: Bar Full name: Foo Bar Display name: Foo Bar Initials: FB Home directory: /home/fbar GECOS field: Foo Bar Login shell: /bin/sh Kerberos principal: f...@example.com Email address: f...@example.com UID: 1758200001 GID: 1758200001 Password: False Member of groups: ipausers Kerberos keys available: False # ipa passwd fbar New Password: Enter New Password again to verify: --------------------------------------- Changed password for "f...@example.com" --------------------------------------- $ ssh f...@ipa.client.fqdn f...@ipa.client.fqdn's password: Password expired. Change your password now. Last login: Tue Feb 26 09:16:39 2013 from 10.0.0.1 WARNING: Your password has expired. You must change your password now and login again! Changing password for user fbar. Current Password: New password: Retype new password: Your password will expire in 180 day(s). <<<<<<<<<<<<<<< passwd: all authentication tokens updated successfully. Connection to ipa.client.fqdn closed. Does this usecase work for you or are you hitting a bug? As for the warning about expiring password, this is a bug in sssd component which was already fixed upstream: https://fedorahosted.org/sssd/ticket/1808 Martin _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users