Can't change password of FreeIPA admin - "Current password's minimum life has not expired"
It sounds like you have somehow created a password policy with a minimum password life longer than the maximum password life.
Remember that the maximum is specified in days while the minimum is specified in hours. If you mix these up, then it's easy to do this.
To confirm it, check the existing password policy:
ipa pwpolicy-find
ipa pwpolicy-show global_policy
Log in with a second admin account and change the password policy.
For instance, to set a minimum life of 7 days and a maximum life of 90 days:
From the command line:
ipa pwpolicy-mod global_policy --minlife 168 --maxlife 90
From the web UI:
The minimum life can also be set to zero to disable it.
Related videos on Youtube
Alex
An experienced software developer with a bit of sysadmin background. Can't dance.
Updated on September 18, 2022Comments
-
Alex almost 2 years
We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:
sashka@cellar ~ ssh [email protected] [email protected]'s password: Password expired. Change your password now. Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty There were 6071 failed login attempts since the last successful login. Last login: Wed Apr 16 19:28:54 2014 WARNING: Your password has expired. You must change your password now and login again! Changing password for user admin. Current Password: New password: Retype new password: Password change failed. Server message: Current password's minimum life has not expired Password not changed. passwd: Authentication token manipulation error Connection to ipa.xxxxxxxxxx.com closed.
If we try to change the password using
passwd
it fails too with the same error message:[admin@ipa ~]$ passwd Changing password for user admin. Current Password: New password: Retype new password: Password change failed. Server message: Current password's minimum life has not expired Password not changed. passwd: Authentication token manipulation error [admin@ipa ~]$
What should we do to resolve this situation?
-
Alex about 10 yearsDo these settings apply back to accounts which were created prior to policy modification? My current global password policy is 900 days of max lifetime and 2400 hours of min lifetime. I think the admin account had a default max lifetime of 90 days initially. So if it was remembered on account creation and not synchronized later when we set a new max lifetime the old max got lower than the new min!