Here are some examples:

[root@mule ~]# ipa user-status freddie
-----------------------
Account disabled: False
-----------------------
Server: mule.bulb
Failed logins: 0
Last successful authentication: 2015-10-28T09:03:48Z
Last failed authentication: 2015-10-28T09:03:40Z
Time now: 2015-10-28T18:05:51Z
----------------------------
Number of entries returned 1
----------------------------

[root@mule ~]# ipa user-show freddie
User login: freddie
First name: fred
Last name: orispaa
Home directory: /home/freddie
Login shell: /bin/sh
UID: 50001
GID: 50001
Account disabled: False
Password: True
Member of groups: admins, ipausers
Indirect Member of Sudo rule: allow_all
Kerberos keys available: True
SSH public key fingerprint: DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5 freddie@mule (ssh-rsa)

With SSH:

[root@mule ~]$ ssh freddie@mule
freddie@mule's password:
Password expired. Change your password now.
Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user freddie.
Current Password:
New password:
Retype new password:
passwd: Authentication token is no longer valid; new one required
Connection to mule closed.

(Now if I log in again, the same process repeats, except the password has indeed changed.)

With su the output is less informative:

[jj@mule ~]$ su - freddie
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
su: incorrect password

(The password was correct and it HAS changed, even though the output implies I entered the wrong current password.)

Doing kinit:

-sh-4.1$ id
uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),50000(admins)
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
-sh-4.1$ kinit
Password for freddie@BULB:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)

(Again, the password HAS changed.)

In case it's of any relevance, note that root has no issue with Kerberos credentials:

[root@mule ~]# kinit admin
Password for admin@BULB:
[root@mule ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BULB

Valid starting     Expires            Service principal
10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB@BULB

On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> urgrue wrote:
> > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> > on how to debug it? Everything looks OK, but passwords are just
> > perma-expired at all times.
>
> Need more info on what you're seeing and how the passwords are being
> changed.
>
> rob
>
> > On Tue, Oct 27, 2015, 21:45 Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > urgrue wrote:
> > > Hi,
> > > On a new install, I'm being forced a password reset on every login.
> > > Not sure why but this doesn't look right:
> > >
> > > # date
> > > Tue Oct 27 21:02:57 CET 2015
> > >
> > > # ipa user-status blah1
> > > <snip>
> > > Last successful authentication: 2015-10-27T19:34:53Z
> > > Last failed authentication: 2015-10-27T19:34:20Z
> > > Time now: 2015-10-27T20:03:00Z
> > >
> > > Where is it getting this wrong time from?
> >
> > What's wrong with the time? CET is one hour behind GMT right? That is
> > reflected by the difference between the output of date and "Time now".
> >
> > Passwords administratively reset must be set by the user during the
> > first authentication. If the password needs further reset then yeah,
> > something is wrong, but the above looks ok.
> >
> > rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project