Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-30 Thread Rob Crittenden
urgrue wrote:
> Here are some examples:
> 
> [root@mule ~]# ipa user-status freddie
> ---
> Account disabled: False
> ---
>   Server: mule.bulb
>   Failed logins: 0
>   Last successful authentication: 2015-10-28T09:03:48Z
>   Last failed authentication: 2015-10-28T09:03:40Z
>   Time now: 2015-10-28T18:05:51Z
> 
> Number of entries returned 1
> 
> [root@mule ~]# ipa user-show freddie
>   User login: freddie
>   First name: fred
>   Last name: orispaa
>   Home directory: /home/freddie
>   Login shell: /bin/sh
>   UID: 50001
>   GID: 50001
>   Account disabled: False
>   Password: True
>   Member of groups: admins, ipausers
>   Indirect Member of Sudo rule: allow_all
>   Kerberos keys available: True
>   SSH public key fingerprint: DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5 freddie@mule (ssh-rsa)
> 
> With SSH:
> 
> [root@mule ~]$ ssh freddie@mule
> freddie@mule's password:
> Password expired. Change your password now.
> Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user freddie.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token is no longer valid; new one required
> Connection to mule closed.
> 
> (Now if I login again, the same process repeats, except the password has
> indeed changed)
> 
> With su the output is less informative:
> [jj@mule ~]$ su - freddie
> Password:
> Password expired. Change your password now.
> Current Password:
> New password:
> Retype new password:
> su: incorrect password
> 
> (the password was correct and it HAS changed even though the output
> implies I entered the wrong current password).
> 
> Doing kinit:
> 
> -sh-4.1$ id
> uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),5(admins)
> -sh-4.1$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
> -sh-4.1$ kinit
> Password for freddie@BULB:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials
> -sh-4.1$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
> 
> (again the password HAS changed)
> 
> In case it's of any relevance, note that root has no issue with kerberos
> credentials:
> [root@mule ~]# kinit admin
> Password for admin@BULB:
> [root@mule ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@BULB
> 
> Valid starting     Expires            Service principal
> 10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB@BULB

I don't see this as root vs other users, you are using a different
principal.

This makes me wonder if the password policy is strange.

You might also want to kinit as freddie and go through the password
reset again, then search LDAP for freddie's password expiration:

$ ldapsearch -Y GSSAPI -s base \
    -b uid=freddie,cn=users,cn=accounts,dc=example,dc=com krbPasswordExpiration

And check out freddie's password policy:

$ ipa pwpolicy-show --user freddie

rob

> 
> On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden wrote:
> 
> urgrue wrote:
> > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> > on how to debug it? Everything looks OK, but passwords are just
> > perma-expired at all times.
> 
> Need more info on what you're seeing and how the passwords are being
> changed.
> 
> rob
> 
> > On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote:
> >
> > urgrue wrote:
> > > Hi,
> > > On a new install, I'm being forced a password reset on every login. Not
> > > sure why but this doesn't look right:
> > >
> > > # date
> > > Tue Oct 27 21:02:57 CET 2015
> > >
> > > # ipa user-status blah1
> > >
> > >   Last successful authentication: 2015-10-27T19:34:53Z
> > >   Last failed authentication: 2015-10-27T19:34:20Z
> > >   Time now: 2015-10-27T20:03:00Z
> > >
> > > Where is it getting this wrong time from?
> >
> > What's wrong with the time? CET is one hour behind GMT right? That is
> > reflected by the difference between the output of date and "Time now".
> >
> > Passwords administratively reset must be set by the user during the
> > first authentication. If the password needs further reset then yeah,
> > something is wrong, but the above looks ok.
> >
> > rob
> >
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
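
The check suggested in the message above, as an added example that is not part of the original thread: it reads ldapsearch output and reports whether the password expired at the moment it was changed, which is the symptom described here. The LDIF values are constructed, and it assumes krbLastPwdChange is requested alongside krbPasswordExpiration.

```python
from datetime import datetime, timezone

# Constructed sample: LDIF as ldapsearch would print it for the entry, with
# krbLastPwdChange requested as well (attribute values are made up).
SAMPLE_LDIF = """\
dn: uid=freddie,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20151028180612Z
krbPasswordExpiration: 20151028180612Z
"""

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20151028180612Z into aware UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def read_times(ldif):
    """Return {attribute: datetime} for the two Kerberos password attributes."""
    wanted = ("krbLastPwdChange", "krbPasswordExpiration")
    times = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name in wanted:
            times[name] = parse_generalized_time(value.strip())
    return times

def classify(ldif, now):
    """Say whether, and why, the password counts as expired at `now` (aware UTC)."""
    t = read_times(ldif)
    expires = t.get("krbPasswordExpiration")
    changed = t.get("krbLastPwdChange")
    if expires is None:
        return "no-expiration-set"
    if changed is not None and expires <= changed:
        # Expiry stamped at (or before) the change itself: the new password
        # starts out expired, so the next login demands another change.
        return "expired-at-change"
    if expires <= now:
        return "expired"
    return "valid until " + expires.strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    now = datetime(2015, 10, 28, 18, 10, 0, tzinfo=timezone.utc)
    print(classify(SAMPLE_LDIF, now))
```

A result of "expired-at-change" right after a user-initiated change is the case where the output of ipa pwpolicy-show is worth reading next.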

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-28 Thread Rob Crittenden
urgrue wrote:
> Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> on how to debug it? Everything looks OK, but passwords are just
> perma-expired at all times.

Need more info on what you're seeing and how the passwords are being
changed.

rob

> 
> 
> On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote:
> 
> urgrue wrote:
> > Hi,
> > On a new install, I'm being forced a password reset on every login. Not
> > sure why but this doesn't look right:
> >
> > # date
> > Tue Oct 27 21:02:57 CET 2015
> >
> > # ipa user-status blah1
> > 
> >   Last successful authentication: 2015-10-27T19:34:53Z
> >   Last failed authentication: 2015-10-27T19:34:20Z
> >   Time now: 2015-10-27T20:03:00Z
> >
> > Where is it getting this wrong time from?
> 
> What's wrong with the time? CET is one hour behind GMT right? That is
> reflected by the difference between the output of date and "Time now".
> 
> Passwords administratively reset must be set by the user during the
> first authentication. If the password needs further reset then yeah,
> something is wrong, but the above looks ok.
> 
> rob
> 



Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-28 Thread urgrue
Here are some examples:

[root@mule ~]# ipa user-status freddie
---
Account disabled: False
---
  Server: mule.bulb
  Failed logins: 0
  Last successful authentication: 2015-10-28T09:03:48Z
  Last failed authentication: 2015-10-28T09:03:40Z
  Time now: 2015-10-28T18:05:51Z

Number of entries returned 1

[root@mule ~]# ipa user-show freddie
  User login: freddie
  First name: fred
  Last name: orispaa
  Home directory: /home/freddie
  Login shell: /bin/sh
  UID: 50001
  GID: 50001
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers
  Indirect Member of Sudo rule: allow_all
  Kerberos keys available: True
  SSH public key fingerprint: DA:54:C4:27:3A:23:00:AE:AE:60:B7:1B:E1:E4:03:C5 freddie@mule (ssh-rsa)

With SSH:

[root@mule ~]$ ssh freddie@mule
freddie@mule's password:
Password expired. Change your password now.
Last login: Wed Oct 28 10:03:44 2015 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user freddie.
Current Password:
New password:
Retype new password:
passwd: Authentication token is no longer valid; new one required
Connection to mule closed.

(Now if I login again, the same process repeats, except the password has
indeed changed)

With su the output is less informative:
[jj@mule ~]$ su - freddie
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
su: incorrect password

(the password was correct and it HAS changed even though the output implies
I entered the wrong current password).

Doing kinit:

-sh-4.1$ id
uid=50001(freddie) gid=50001(freddie) groups=50001(freddie),5(admins)
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)
-sh-4.1$ kinit
Password for freddie@BULB:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
-sh-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_50001)

(again the password HAS changed)

In case it's of any relevance, note that root has no issue with kerberos
credentials:
[root@mule ~]# kinit admin
Password for admin@BULB:
[root@mule ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BULB

Valid starting     Expires            Service principal
10/28/15 19:14:56  10/29/15 19:14:53  krbtgt/BULB@BULB



On Wed, Oct 28, 2015 at 2:44 PM, Rob Crittenden wrote:

> urgrue wrote:
> > Didn't realize it was GMT, so OK that's not the issue. Any suggestions
> > on how to debug it? Everything looks OK, but passwords are just
> > perma-expired at all times.
>
> Need more info on what you're seeing and how the passwords are being
> changed.
>
> rob
>
> >
> >
> > On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote:
> >
> > urgrue wrote:
> > > Hi,
> > > On a new install, I'm being forced a password reset on every login. Not
> > > sure why but this doesn't look right:
> > >
> > > # date
> > > Tue Oct 27 21:02:57 CET 2015
> > >
> > > # ipa user-status blah1
> > > 
> > >   Last successful authentication: 2015-10-27T19:34:53Z
> > >   Last failed authentication: 2015-10-27T19:34:20Z
> > >   Time now: 2015-10-27T20:03:00Z
> > >
> > > Where is it getting this wrong time from?
> >
> > What's wrong with the time? CET is one hour behind GMT right? That is
> > reflected by the difference between the output of date and "Time now".
> >
> > Passwords administratively reset must be set by the user during the
> > first authentication. If the password needs further reset then yeah,
> > something is wrong, but the above looks ok.
> >
> > rob
> >
>
>

[Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread urgrue
Hi,
On a new install, I'm being forced a password reset on every login. Not
sure why but this doesn't look right:

# date
Tue Oct 27 21:02:57 CET 2015

# ipa user-status blah1

  Last successful authentication: 2015-10-27T19:34:53Z
  Last failed authentication: 2015-10-27T19:34:20Z
  Time now: 2015-10-27T20:03:00Z

Where is it getting this wrong time from?

Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread Rob Crittenden
urgrue wrote:
> Hi,
> On a new install, I'm being forced a password reset on every login. Not
> sure why but this doesn't look right:
> 
> # date
> Tue Oct 27 21:02:57 CET 2015
> 
> # ipa user-status blah1
> 
>   Last successful authentication: 2015-10-27T19:34:53Z
>   Last failed authentication: 2015-10-27T19:34:20Z
>   Time now: 2015-10-27T20:03:00Z
> 
> Where is it getting this wrong time from?

What's wrong with the time? CET is one hour behind GMT right? That is
reflected by the difference between the output of date and "Time now".

Passwords administratively reset must be set by the user during the
first authentication. If the password needs further reset then yeah,
something is wrong, but the above looks ok.

rob



Re: [Freeipa-users] Wrong time / constantly expired passwords

2015-10-27 Thread urgrue
Didn't realize it was GMT, so OK that's not the issue. Any suggestions on
how to debug it? Everything looks OK, but passwords are just perma-expired
at all times.

On Tue, Oct 27, 2015, 21:45 Rob Crittenden wrote:

> urgrue wrote:
> > Hi,
> > On a new install, I'm being forced a password reset on every login. Not
> > sure why but this doesn't look right:
> >
> > # date
> > Tue Oct 27 21:02:57 CET 2015
> >
> > # ipa user-status blah1
> > 
> >   Last successful authentication: 2015-10-27T19:34:53Z
> >   Last failed authentication: 2015-10-27T19:34:20Z
> >   Time now: 2015-10-27T20:03:00Z
> >
> > Where is it getting this wrong time from?
>
> What's wrong with the time? CET is one hour behind GMT right? That is
> reflected by the difference between the output of date and "Time now".
>
> Passwords administratively reset must be set by the user during the
> first authentication. If the password needs further reset then yeah,
> something is wrong, but the above looks ok.
>
> rob
>
>