https://bugzilla.redhat.com/show_bug.cgi?id=859510 (Red Hat Enterprise Linux 6)
Description of problem:
If IPA's password policy is set and a password expires for an account, and the password policy is then changed such that the expired password would not have expired, the user is unable to change their password, and the account is unusable.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

How reproducible:
Easily reproducible.

Steps to Reproduce:
1. Set password policy to expire passwords after 10 days.
2. Wait for a user to expire.
3. kinit as another admin user after one user has expired, and change the pwpolicy to expire after 9999 days.
4. Attempt to kinit to an expired user.
5. ipa will tell you that the password has expired, and it won't let you reset your password.

Error reported:
    [root@ipaserver ~]# kinit admin
    Password for admin@YOUR.KERBEROS.DOMAIN
    Password expired. You must change it now.
    Enter new password:
    Enter it again:
    kinit: Password has expired while getting initial credentials

Change the expiration back to 10 days, and users will be able to reset their passwords.

Actual results:
Unable to reset passwords which expired before the policy was extended.

Expected results:
Users should be able to reset their expired passwords regardless of what the expiration policy is.

Additional info:
Changing 3.2 priority
This is reproducible only if --maxlife is set to at least 9999 days = 27.39 years, which results in a date beyond Tuesday, 19 January 2038 for password expiration with current dates.
See http://en.wikipedia.org/wiki/Year_2038_problem
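The arithmetic behind the comment above, as an added example that is not FreeIPA's code: it computes the expiration in 64 bits, shows the value a signed 32-bit timestamp field would hold after wraparound, and shows a clamp as one possible guard. The function names and the password-change timestamp are constructed for illustration, and the clamp is an assumption, not a description of the referenced commits.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* Expiration computed in 64 bits: last password change + maxlife in days. */
static int64_t expiry64(int64_t last_change, int64_t maxlife_days)
{
    return last_change + maxlife_days * SECS_PER_DAY;
}

/* Nonzero when the expiration does not fit a signed 32-bit timestamp. */
static int overflows32(int64_t last_change, int64_t maxlife_days)
{
    return expiry64(last_change, maxlife_days) > INT32_MAX;
}

/* Value a signed 32-bit field holds after two's-complement wraparound. */
static int32_t wrapped32(int64_t t)
{
    int64_t low = (int64_t)(uint32_t)t;   /* keep only the low 32 bits */
    if (low > INT32_MAX)
        low -= 4294967296LL;              /* reinterpret as negative */
    return (int32_t)low;
}

/* Hypothetical guard (assumption): pin to the representable range. */
static int32_t clamped32(int64_t t)
{
    if (t > INT32_MAX) return INT32_MAX;
    if (t < INT32_MIN) return INT32_MIN;
    return (int32_t)t;
}

int main(void)
{
    const int64_t changed = 1348185600LL; /* constructed: 2012-09-21 00:00:00 UTC */
    const int64_t maxlife[] = { 10, 9999 };

    for (int i = 0; i < 2; i++) {
        int64_t e = expiry64(changed, maxlife[i]);
        printf("maxlife=%lld days: 64-bit=%lld wrapped32=%ld clamped32=%ld\n",
               (long long)maxlife[i], (long long)e,
               (long)wrapped32(e), (long)clamped32(e));
    }
    return 0;
}
```

With the 9999-day policy the wrapped value is negative, meaning a date before 1970, so a comparison against the current time treats the new password as already expired.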
master: 0e8a329
ipa-3-1: 4d17b72
Metadata Update from @dpal: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 3.2 - 2013/02