On 10/02/15 07:44, Dmitri Pal wrote:
On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
Hi
I seem to have locked myself out of my ipa admin account (on RHEL
6.6). This is an evaluation instance so not too big a deal, but a good
learning experience. I suspect it's some changes that I made to the
password policy that caused this.
The admin account has expired and I'm trying to reset the password
like this:
# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local: change_password admin@REALM
Enter password for principal "admin@REALM":
Re-enter password for principal "admin@REALM":
Password for "admin@REALM" changed.
kadmin.local: q
where REALM is my realm.
Then when I try to authenticate as admin:
# kinit admin
Password for admin@REALM:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
and the password is not reset.
This is what the password policy looks like at the moment:
kadmin.local: get_policy global_policy
Policy: global_policy
Maximum password life: 864000000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00
I'm trying to set this back to the defaults in the hope that this
allows me to reset the admin password properly, but I'm getting e.g.:
kadmin.local: modify_policy -maxlife "90 days" global_policy
modify_policy: Plugin does not support the operation while modifying
policy "global_policy".
Am I on the right track to fixing the admin password problem?
What am I doing wrong in trying to repair the password policy?
Actually when I do the following it looks strange that Policy is set
to none, but maybe this is a red herring:
kadmin.local: get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Thanks for any help in diagnosing this issue or fixing it.
Roderick Johnstone
Did you set password expiration for admin manually?
OK, as far as I remember, I originally changed the global_policy and
then encountered the problem described above, i.e. I couldn't authenticate
as admin using:
kinit admin
In trying to resolve this I found a thread that suggested to change the
admin password with:
ldappasswd -x -D 'cn=directory manager' -W -S
uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx
Maybe this was a bad move?
The attribute shows that it is 1906. This makes me think that you set
your expiration to a big number. However the value rolls over in 2038.
So you need to make sure what you set translates to a date before 2038.
I suspect I did set the expiration to too big a number originally. After
I was in the always expired loop I found a number of threads mentioning
this wrap around issue and I have tried a number of things to fix it, so
maybe I'm just making things worse.
Why are you using kadmin.local? With IPA it is not supported.
Out of ignorance I guess. I'm still finding my way into all this stuff!
What is the recommended way to reset an admin password in ipa when you
can't authenticate as admin?
There is a bunch of IPA commands that do the same.
But if kinit admin won't authenticate me, how can I use the IPA commands?
How can I now reset the expiration date for admin when I can't
authenticate as admin?
Thanks.
Roderick
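The 1906 expiration date in the get_principal output above is exactly what a signed 32-bit timestamp rollover produces: the policy's "Maximum password life" of 864000000 seconds (10000 days) added to the "Last password change" of Mon Feb 09 18:28:09 GMT 2015 lands in 2042, past the 2038 limit, and wraps to Tue May 22 11:59:53 GMT 1906. The following script is an added example, not code from the thread or from FreeIPA or MIT Kerberos; it models the rollover Dmitri describes as a two's-complement 32-bit wrap (an assumption about how the stored timestamp behaves, chosen because it reproduces the date on the page) and checks whether a proposed maxlife would overflow.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = (1 << 31) - 1  # last representable second: 2038-01-19 03:14:07 UTC


def wrap_int32(value: int) -> int:
    """Reinterpret an arbitrary integer as a signed 32-bit two's-complement value.

    Assumption (from the thread): the KDC stores the expiration as a 32-bit
    timestamp, so anything past 2038 wraps around into the distant past.
    """
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def expiration_with_rollover(last_change: datetime, maxlife_seconds: int) -> datetime:
    """Expiration date the KDC would display: last change + maxlife, wrapped to int32."""
    raw = int(last_change.timestamp()) + maxlife_seconds
    # Build the date from the epoch with a timedelta so negative (pre-1970)
    # values work on every platform, unlike datetime.fromtimestamp().
    return EPOCH + timedelta(seconds=wrap_int32(raw))


def maxlife_overflows(last_change: datetime, maxlife_seconds: int) -> bool:
    """True if last change + maxlife does not fit in a signed 32-bit timestamp."""
    return int(last_change.timestamp()) + maxlife_seconds > INT32_MAX


def latest_safe_maxlife(last_change: datetime) -> int:
    """Largest maxlife (in seconds) that still yields a pre-2038 expiration."""
    return INT32_MAX - int(last_change.timestamp())


if __name__ == "__main__":
    # Values taken from the get_principal / get_policy output in the thread.
    last_change = datetime(2015, 2, 9, 18, 28, 9, tzinfo=timezone.utc)
    policy_maxlife = 864000000  # "Maximum password life" from global_policy

    wrapped = expiration_with_rollover(last_change, policy_maxlife)
    print("expiration as stored:", wrapped.strftime("%a %b %d %H:%M:%S GMT %Y"))
    print("overflows int32:     ", maxlife_overflows(last_change, policy_maxlife))

    # The 90-day value Roderick is trying to restore fits comfortably.
    ninety_days = 90 * 86400
    print("90-day expiration:   ", expiration_with_rollover(last_change, ninety_days))
    print("largest safe maxlife:", latest_safe_maxlife(last_change), "seconds")
```

Running it prints "Tue May 22 11:59:53 GMT 1906" for the policy value on the page, confirming that the "always expired" loop is the rollover rather than a broken password change, and shows that the default 90-day life gives a sane May 2015 expiration.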
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project