Old 06-18-2015, 12:06 PM   #1
ardee3949
LQ Newbie
 
Registered: Jun 2015
Posts: 2

Rep: Reputation: Disabled
Change kerberos admin password (Kinit admin) integrated with IPA


Hello folks,
hopefully someone out there can help me with this issue.

Below, as you can see, as root I run kinit admin and it prompts me to change the password; however, I am getting a "minimum life has not expired" error as I try to change it.

- tried to change the password through kadmin.local (2) and got the "Too soon to change password while changing password for "admin@domain"."

As I tried to access kadmin.local (3), as you can see it authenticates as user1 and not root, which I don't get why!!
I ran getprinc admin [results in bold, shown above!]

(1) [root@node1 ~]$ kinit admin
Password for admin@domain.comL:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: Current password's minimum life has not expired

Password not changed.. Please try again.


(2)- kadmin.local: change_password -pw Password2015!! admin@domain.com
change_password: Too soon to change password while changing password for "admin@domain.com".



(3) kadmin.local
Authenticating as principal user1/admin@DOMAIN.COM with password.
kadmin.local: getprinc admin
Principal: admin@DOMAIN.COM
Expiration date: [never]
Last password change: Tue Mar 10 17:13:17 CDT 2015
Password expiration date: Mon Jun 08 17:13:17 CDT 2015
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 2 days 02:00:00
Last modified: Wed Jun 17 17:04:59 CDT 2015 (admin/admin@domain.com)
Last successful authentication: Thu Jun 18 11:38:06 CDT 2015
Last failed authentication: Wed Jun 17 10:13:23 CDT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Special
Key: vno 1, aes128-cts-hmac-sha1-96, Special
Key: vno 1, des3-cbc-sha1, Special
Key: vno 1, arcfour-hmac, Special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: [none]


What do I need to do to reset my password -- keep in mind as I try to run IPA commands it says ticket expired.

Thank you.
Hope to hear from you guys...

cheers.
Ardavan

Last edited by ardee3949; 06-19-2015 at 02:33 PM.
 
Old 06-19-2015, 02:00 PM   #2
ardee3949
LQ Newbie
 
Registered: Jun 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Found the solution --
Create an .ldif file, add the following lines to the file, save & exit out:

dn: cn=global_policy,cn=DOMAINL,cn=EXAMPLE,dc=EXAMPLE,dc=COM
changetype: modify
replace: krbMinPwdLife
krbMinPwdLife: 0

Note: you need to know the directory manager password.
Run:
ldapmodify -h localhost -x -W -D "cn=directory manager" -f /root/test/krb_test.ldif

Now reset the password through kadmin.local:

kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: change_password -pw secret123 admin@EXAMPLE.COM
Password for "admin@EXAMPLE.COM" changed.
kadmin.local: q

4. Run this command to clear the cache

kdestroy

5. Run "kinit admin" to log in to the KDC using the new password

Example -
[root@bddec1v1-0019 ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@bddec1v1-0019 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting Expires Service principal
06/19/15 12:38:39 06/26/15 12:38:39 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/03/15 12:38:39
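
The procedure in the post above leaves krbMinPwdLife at 0 for every principal under the global policy. The script below is an added example, not part of the original post: it records the current value (the attribute is stored in seconds), sets it to 0 only for the reset, and then writes the original value back. The function names are hypothetical, the DN and principal are the placeholders from the thread, and -H ldap://localhost is used in place of the post's -h localhost.

```shell
#!/bin/sh
# Added example: lower krbMinPwdLife only while the password is reset, then restore it.
# POLICY_DN and PRINCIPAL are the placeholders from the thread; substitute your own.
POLICY_DN='cn=global_policy,cn=DOMAINL,cn=EXAMPLE,dc=EXAMPLE,dc=COM'
PRINCIPAL='admin@EXAMPLE.COM'
BIND_DN='cn=directory manager'
LDAP_URI='ldap://localhost'   # assumption: same server the post reaches with -h localhost

# Read ldapsearch -LLL output on stdin, print the krbMinPwdLife value (seconds).
parse_min_life() {
    awk -F': ' 'tolower($1) == "krbminpwdlife" { print $2; exit }'
}

# Print the modify LDIF for DN $1 and value $2; refuse anything but digits.
make_ldif() {
    case "$2" in
        ''|*[!0-9]*) echo "make_ldif: value must be a non-negative integer" >&2
                     return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: krbMinPwdLife\nkrbMinPwdLife: %s\n' \
        "$1" "$2"
}

# Write the LDIF to file $2 and apply it as Directory Manager (prompts for the password).
set_min_life() {
    make_ldif "$POLICY_DN" "$1" > "$2" &&
        ldapmodify -H "$LDAP_URI" -x -W -D "$BIND_DN" -f "$2"
}

reset_password() {
    old=$(ldapsearch -LLL -H "$LDAP_URI" -x -W -D "$BIND_DN" \
            -s base -b "$POLICY_DN" krbMinPwdLife | parse_min_life)
    [ -n "$old" ] || { echo "krbMinPwdLife not set on $POLICY_DN" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # No -pw: kadmin.local prompts, so the new password stays out of shell history.
    set_min_life 0 "$tmp" && kadmin.local -q "change_password $PRINCIPAL"
    rc=$?
    # Put the original minimum life back whether or not the change succeeded.
    set_min_life "$old" "$tmp" || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Only touches the directory when invoked with --run.
if [ "${1:-}" = "--run" ]; then reset_password; fi
```

Run it as root on the IPA server with --run; without that argument it only defines the functions.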