question Re: Kerberos with FreeIPA: password expired in Archives of Support Questions (Read Only)

Kerberos with FreeIPA: password expired

qiwang — Mon, 19 Aug 2019 12:01:54 GMT

Following your HCC tutorial on kerberizing cluster with FreeIPA. Run into error where the password for the test principle always expire

https://community.hortonworks.com/content/kbentry/59645/ambari-24-kerberos-with-freeipa.html

Performing kinit using qi1-111516@FIELD.HORTONWORKS.COM
2016-11-15 21:33:42,394 - Execute['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e -kt /etc/security/keytabs/kerberos.service_check.111516.keytab qi1-111516@FIELD.HORTONWORKS.COM'] {'user': 'ambari-qa'}
2016-11-15 21:33:42,460 - File['/var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e'] {'action': ['delete']}

Command failed after 1 tries

I updated password global policy to make it never expire, and the user is using that policy

ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy

[root@qwang-hdp ~]# ipa pwpolicy-show --user=qi1-111516
  Group: global_policy
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

But if I kinit with the user, it will ask me to reset the password anyway.

This seems to related to the second requirement of the wizard, but I can't make it work

Greatly appreciate if you could provide some advice.

Re: Kerberos with FreeIPA: password expired

pminovic — Fri, 18 Nov 2016 19:10:01 GMT

Can you try to create the keytab for the test user, and always do kinit from the keytab ("kinit -kt <keytab-file-name>" command). Ambari service checks are supposed to use the ambari-qa user and the wizard is supposed to create its keytab as well.

Re: Kerberos with FreeIPA: password expired

bdbruin — Sun, 18 Dec 2016 14:48:03 GMT

You need a really recent FreeIPA to support --maxlife=0 (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d2cb9ed327ee4003598d5e45d80ab7918b89eeed). If you are on supported Redhat or CentOS then you probably you don't have it, unless you rolled your own.

You can find out by checking the krbPasswordExpiration attribute of the user. It shouldn't be there. In that case you can try to set it (http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/) or update your password policy to a lifetime of say 10 years or so (dont go beyond 2038)