Kerberos

Cannot change the FreeIPA admin password: "Current password's minimum life has not expired"

  • June 30, 2014

We have a FreeIPA-based system whose admin password has expired and needs to be changed, but the standard password change procedure over SSH fails:

sashka@cellar ~ ssh admin@ipa.xxxxxxxxxx.com
admin@ipa.xxxxxxxxxx.com's password: 
Password expired. Change your password now.
Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
There were 6071 failed login attempts since the last successful login.
Last login: Wed Apr 16 19:28:54 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admin.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
Connection to ipa.xxxxxxxxxx.com closed.

If we try to change the password with `passwd`, it also fails with the same error message:

[admin@ipa ~]$ passwd
Changing password for user admin.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
[admin@ipa ~]$

What should we do to resolve this situation?

It sounds like you have somehow created a password policy whose minimum password lifetime is longer than the maximum password lifetime.

Remember that the maximum is specified in days, while the minimum is specified in hours. It is easy to end up in this situation if you mix them up.

To confirm it, check the existing password policies:

ipa pwpolicy-find

ipa pwpolicy-show global_policy

Log in with a second administrator account and change the password policy.

For example, to set a minimum lifetime of 7 days and a maximum lifetime of 90 days:

From the command line:

ipa pwpolicy-mod global_policy --minlife 168 --maxlife 90

From the web user interface:

[Screenshot: changing the IPA password policy in the Web UI]

The minimum lifetime can also be set to zero to disable it.
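The unit mix-up described in the answer (minlife in hours, maxlife in days) can be caught before anyone is locked out. The script below is an added example, not part of the original answer or of FreeIPA: it parses the output of `ipa pwpolicy-show` (a constructed sample is embedded, with the field labels as the command prints them), compares both lifetimes in hours, and prints the `pwpolicy-mod` command that expresses an intended policy in the units ipa expects.

```shell
#!/bin/sh
# Added example: detect a FreeIPA password policy whose minimum lifetime
# (hours) exceeds its maximum lifetime (days). Such a policy makes every
# password change fail with "Current password's minimum life has not expired".

# Constructed sample of `ipa pwpolicy-show global_policy` output. The labels
# follow the real command; the values reproduce the bug: someone entered
# 30 days as "720" hours, and 7 (meant as a minimum) as the maximum in days.
SAMPLE_POLICY='  Group: global_policy
  Max lifetime (days): 7
  Min lifetime (hours): 720
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600'

# Print the numeric value of one labelled field read from stdin.
# $1: field label exactly as printed, e.g. "Max lifetime (days)"
policy_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Compare the two lifetimes in a common unit (hours).
# $1: full pwpolicy-show output. Returns 1 if the policy is self-contradictory.
check_policy() {
    maxlife_days=$(printf '%s\n' "$1" | policy_field "Max lifetime (days)")
    minlife_hours=$(printf '%s\n' "$1" | policy_field "Min lifetime (hours)")
    maxlife_hours=$((maxlife_days * 24))
    if [ "$minlife_hours" -gt "$maxlife_hours" ]; then
        echo "BROKEN: minlife ${minlife_hours}h > maxlife ${maxlife_days}d (${maxlife_hours}h)"
        return 1
    fi
    echo "OK: minlife ${minlife_hours}h <= maxlife ${maxlife_days}d (${maxlife_hours}h)"
    return 0
}

# Build the corrective command from an intent stated in days for both values.
# $1: desired minimum lifetime in days, $2: desired maximum lifetime in days
fix_command() {
    echo "ipa pwpolicy-mod global_policy --minlife $(( $1 * 24 )) --maxlife $2"
}

check_policy "$SAMPLE_POLICY" || true
fix_command 7 90
```

On a live server, replace the sample with `ipa pwpolicy-show global_policy` output (piped in from a Kerberos-authenticated session) and run the check for each policy listed by `ipa pwpolicy-find`.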

Quoted from: https://serverfault.com/questions/608961