We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:
sashka@cellar ~ ssh [email protected]
[email protected]'s password:
Password expired. Change your password now.
Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
There were 6071 failed login attempts since the last successful login.
Last login: Wed Apr 16 19:28:54 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error
Connection to ipa.xxxxxxxxxx.com closed.
If we try to change the password using passwd it fails too with the same error message:
[admin@ipa ~]$ passwd
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error
[admin@ipa ~]$
What should we do to resolve this situation?
It sounds like you have somehow created a password policy with a minimum password life longer than the maximum password life.
Remember that the maximum is specified in days while the minimum is specified in hours. If you mix these up, then it's easy to do this.
To confirm it, check the existing password policy:
Log in with a second admin account and change the password policy.
For instance, to set a minimum life of 7 days and a maximum life of 90 days:
From the command line:
From the web UI:
The minimum life can also be set to zero to disable it.