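We have a FreeIPA-based system where the administrator's password has expired and needs to be changed, but the standard password change procedure over SSH fails: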
sashka@cellar ~ ssh [email protected]
[email protected]'s password:
Password expired. Change your password now.
Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
There were 6071 failed login attempts since the last successful login.
Last login: Wed Apr 16 19:28:54 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error
Connection to ipa.xxxxxxxxxx.com closed.
If we try to change the password with passwd, it also fails with the same error message:
[admin@ipa ~]$ passwd
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error
[admin@ipa ~]$
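What should we do to resolve this situation?
Answer 1
It sounds like you somehow created a password policy whose minimum password lifetime is longer than its maximum password lifetime.
Keep in mind that the maximum is specified in days while the minimum is specified in hours. If you mix these up, it is easy to do this.
To confirm this, check the existing password policy: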
ipa pwpolicy-find
ipa pwpolicy-show global_policy
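Log in with a second administrator account and change the password policy.
For example, to set a minimum lifetime of 7 days and a maximum lifetime of 90 days:
From the command line: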
ipa pwpolicy-mod global_policy --minlife 168 --maxlife 90
From the Web UI:
You can also set the minimum lifetime to zero to disable it.
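
An added example, not part of the original answer: a shell function that reads `ipa pwpolicy-show` or `ipa pwpolicy-find` output on stdin and flags any policy whose minimum lifetime (hours) is not shorter than its maximum lifetime (days). The sample input is constructed, the `helpdesk` policy is hypothetical, and the field labels are assumed to match what the ipa CLI prints.

```shell
#!/bin/sh
# Audit password policies for the days/hours mix-up described in the answer.
# Input: text in the layout of `ipa pwpolicy-show <group>` or `ipa pwpolicy-find`.
# Output: one line per policy. Exit status 1 if any policy has min >= max.
# Only the min-versus-max comparison is checked, nothing else in the policy.
audit_pwpolicy() {
    awk -F': *' '
        function report() {
            if (group == "") return
            if (min == "" || max == "") {
                printf "%s: lifetime fields missing\n", group
            } else if (min + 0 == 0) {
                # Per the answer, a minimum lifetime of zero disables the check.
                printf "%s: OK (minimum lifetime disabled)\n", group
            } else if (min + 0 >= max * 24) {
                printf "%s: CONFLICT min %dh >= max %dd (%dh)\n", group, min, max, max * 24
                bad = 1
            } else {
                printf "%s: OK min %dh < max %dd (%dh)\n", group, min, max, max * 24
            }
        }
        /^ *Group:/                  { report(); group = $2; min = ""; max = "" }
        /^ *Max lifetime \(days\):/  { max = $2 }
        /^ *Min lifetime \(hours\):/ { min = $2 }
        END { report(); exit bad }
    '
}

# Constructed sample: global_policy uses the values from the answer's example,
# "helpdesk" is a hypothetical policy where 30 days was entered as 720 hours
# against a 7-day maximum.
sample_policies() {
    cat <<'EOF'
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 168

  Group: helpdesk
  Max lifetime (days): 7
  Min lifetime (hours): 720
EOF
}

sample_policies | audit_pwpolicy || echo "at least one policy needs ipa pwpolicy-mod"
```

On a real server the input would come from `ipa pwpolicy-find | audit_pwpolicy`, run with a valid admin Kerberos ticket.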