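We have a FreeIPA-based system. The administrator's password has expired and needs to be changed, but the standard password change procedure over SSH fails: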
sashka@cellar ~ ssh [email protected]
[email protected]'s password:
Password expired. Change your password now.
Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
There were 6071 failed login attempts since the last successful login.
Last login: Wed Apr 16 19:28:54 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error
Connection to ipa.xxxxxxxxxx.com closed.
If we try to change the password using passwd, the same error message appears:
[admin@ipa ~]$ passwd
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error
[admin@ipa ~]$
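What should we do to solve this problem?
It sounds like you created a password policy with a minimum password lifetime that is longer than the maximum password lifetime.
Keep in mind that the maximum is in days and the minimum is in hours. If you mix these up, it is easy to do this.
To confirm it, check the existing password policies: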
ipa pwpolicy-find
ipa pwpolicy-show global_policy
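Log in with a second administrator account and change the password policy.
For example, to set a minimum lifetime of 7 days and a maximum lifetime of 90 days:
From the command line: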
ipa pwpolicy-mod global_policy --minlife 168 --maxlife 90
From the web UI:
The minimum lifetime can also be set to zero to disable it.
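The unit mix-up described in the answer can be checked mechanically. The script below is an added example, not part of the original question or answer: it reads the text printed by `ipa pwpolicy-show` or `ipa pwpolicy-find`, converts the maximum lifetime from days to hours, and flags any policy whose minimum lifetime exceeds it. The function names `check_pwpolicy` and `sample_policies`, the `helpdesk` group and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Reads `ipa pwpolicy-show` / `ipa pwpolicy-find` text on stdin.
# Exit status: 0 = no mismatch, 1 = at least one mismatched policy.
check_pwpolicy() {
    awk '
        function report() {
            if (group == "") return
            if (min == "" || max == "") {
                printf "UNKNOWN %s\n", group
            } else if (min > max * 24) {
                # min is in hours, max is in days; a min of 0 never matches
                printf "MISMATCH %s: minlife %dh > maxlife %dd (%dh)\n",
                       group, min, max, max * 24
                bad++
            } else {
                printf "OK %s\n", group
            }
            group = ""; min = ""; max = ""
        }
        /^[ \t]*Group:/           { report(); group = $NF }
        /Max lifetime \(days\):/  { max = $NF + 0 }
        /Min lifetime \(hours\):/ { min = $NF + 0 }
        END { report(); exit (bad > 0) }
    '
}

# Constructed sample in the layout printed by `ipa pwpolicy-find`
# (group names and values are made up for this example).
sample_policies() {
    cat <<'EOF'
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 2400
  History size: 0

  Group: helpdesk
  Max lifetime (days): 90
  Min lifetime (hours): 168
EOF
}

sample_policies | check_pwpolicy ||
    echo "fix with: ipa pwpolicy-mod <group> --minlife <hours> --maxlife <days>"
```

On a live server the input would come from `ipa pwpolicy-show global_policy | check_pwpolicy`, run from an account that can still authenticate.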