IPA password reset issue


I am getting the following error when running the kinit admin command. Any suggestions?

[root@server01 ~]# kinit admin
Password for admin@domain.com:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Password change rejected: Current password's minimum life has not expired

Password not changed..  Please try again.

Joseph Gan (System Admin) commented:
You need the "kpasswd" command to change a Kerberos password.
btan (Exec Consultant) commented:
The password policy may have been changed with a password expiration beyond 2038. To restore the password policy without a working admin user, you have to consider:
a) Do modifications as Directory Manager or another user in the "admins" group.
b) Manually fix the admin entry attribute krbPasswordExpiration to some future date.
c) kinit as admin, fix the global policy with some value (pwpolicy-mod).
(Likely you need to use ldapmodify and bind as DM, since you cannot change krbPasswordExpiration as an IPA user (IIRC).)

Otherwise, it is better to get a user who is also an admin user, do "ipa passwd" on the original (locked-out) admin, assign a temporary password and have it changed on first login again.
chavi1011 (Author) commented:
Option (c) may not be possible, but both (a) and (b) look viable. Can you please elaborate on option (b)?
btan (Exec Consultant) commented:
krbPasswordExpiration is the actual date on which the password for a given user expires. So if it has a value of "20380119031408Z" (which is in the format "%Y%m%d%H%M%S") in the year 2038, the password will never expire. You need to set it to a date that lets the password expire so that the password can now be changed. See more details and steps in https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html

But also note that you need to take care of "The maximum lifetime setting given in the password policy (--maxlife)"; see also:
To ensure that new user passwords are valid and can be changed properly, do not set password Maximum Lifetime in Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, passwords that would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.

But I am thinking that if you have another admin, they can reset this "admin" and force a password change on first login. It has worked for others ...
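Steps (a) and (b) from the answer above, written out as an added example (not code from the thread or from the FreeIPA project): the script builds the LDIF that, bound as Directory Manager, puts the admin entry's krbPasswordExpiration into the past and relaxes the global policy's minimum life, and it checks a stored expiry value against the 2038 cutoff the answer refers to. The base DN, realm, server name and the timestamps are constructed placeholders.

```shell
#!/bin/sh
# Added example: recover a locked-out IPA admin as Directory Manager.
# Values below are assumptions; replace them with your own deployment's.
IPA_BASE_DN="dc=example,dc=com"     # assumption: the IPA LDAP suffix
IPA_REALM="EXAMPLE.COM"             # assumption: the Kerberos realm
IPA_SERVER="ipa.example.com"        # assumption: an IPA master
CUTOFF_2038="20380119031408Z"       # 2^31 seconds after the epoch, generalized time

# krbPasswordExpiration is generalized time (YYYYmmddHHMMSSZ). Dropping the
# trailing Z leaves a 14-digit number, so an integer compare detects whether
# the stored expiry is at or beyond the 32-bit cutoff from the quoted doc.
exceeds_2038_cutoff() {
    [ "${1%Z}" -ge "${CUTOFF_2038%Z}" ]
}

# LDIF for step (b): put the user's expiry in the past so that the next kinit
# demands a password change instead of treating the password as never expiring.
expire_user_ldif() {
    # $1 = uid, $2 = generalized-time expiry (a date in the past)
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$IPA_BASE_DN"
    printf 'changetype: modify\nreplace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n' "$2"
}

# LDIF for the global policy: krbMinPwdLife is stored in seconds (pwpolicy-mod
# --minlife takes hours). 0 clears the "minimum life has not expired" rejection
# seen in the question so that the forced change is accepted.
min_life_ldif() {
    # $1 = minimum password life in seconds
    printf 'dn: cn=global_policy,cn=%s,cn=kerberos,%s\n' "$IPA_REALM" "$IPA_BASE_DN"
    printf 'changetype: modify\nreplace: krbMinPwdLife\nkrbMinPwdLife: %s\n' "$1"
}

# Apply LDIF from stdin as Directory Manager (prompts for the DM password).
apply_as_dm() {
    ldapmodify -x -D "cn=Directory Manager" -W -H "ldaps://$IPA_SERVER"
}

# Only touches the directory when invoked with "apply"; sourcing it just defines helpers.
if [ "${1:-}" = "apply" ]; then
    { expire_user_ldif admin "20200101000000Z"; echo; min_life_ldif 0; } | apply_as_dm
fi
```

After the change is applied, kinit admin prompts for a new password; once it is set, restore krbMinPwdLife (or use ipa pwpolicy-mod --minlife) so the policy is not left relaxed.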

chavi1011 (Author) commented:
Resetting the password policy using directory manager/ldapmodify solved the problem. Thank you very much.
btan (Exec Consultant) commented:
Thanks for sharing.