Support Questions
Find answers, ask questions, and share your expertise

Kerberos with FreeIPA: password expired

Expert Contributor

@emaxwell

Following your HCC tutorial on kerberizing cluster with FreeIPA. Run into error where the password for the test principle always expire

https://community.hortonworks.com/content/kbentry/59645/ambari-24-kerberos-with-freeipa.html

Performing kinit using qi1-111516@FIELD.HORTONWORKS.COM
2016-11-15 21:33:42,394 - Execute['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e -kt /etc/security/keytabs/kerberos.service_check.111516.keytab qi1-111516@FIELD.HORTONWORKS.COM'] {'user': 'ambari-qa'}
2016-11-15 21:33:42,460 - File['/var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e'] {'action': ['delete']}

Command failed after 1 tries

I updated password global policy to make it never expire, and the user is using that policy

ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
[root@qwang-hdp ~]# ipa pwpolicy-show --user=qi1-111516
  Group: global_policy
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

But if I kinit with the user, it will ask me to reset the password anyway.

This seems to related to the second requirement of the wizard, but I can't make it work

9480-screen-shot-2016-11-15-at-42530-pm.png

Greatly appreciate if you could provide some advice.

1 ACCEPTED SOLUTION

New Contributor

You need a really recent FreeIPA to support --maxlife=0 (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d2cb9ed327ee4003598d5e45d80ab7918b89eeed). If you are on supported Redhat or CentOS then you probably you don't have it, unless you rolled your own.

You can find out by checking the krbPasswordExpiration attribute of the user. It shouldn't be there. In that case you can try to set it (http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/) or update your password policy to a lifetime of say 10 years or so (dont go beyond 2038)

View solution in original post

2 REPLIES 2

Can you try to create the keytab for the test user, and always do kinit from the keytab ("kinit -kt <keytab-file-name>" command). Ambari service checks are supposed to use the ambari-qa user and the wizard is supposed to create its keytab as well.

New Contributor

You need a really recent FreeIPA to support --maxlife=0 (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d2cb9ed327ee4003598d5e45d80ab7918b89eeed). If you are on supported Redhat or CentOS then you probably you don't have it, unless you rolled your own.

You can find out by checking the krbPasswordExpiration attribute of the user. It shouldn't be there. In that case you can try to set it (http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/) or update your password policy to a lifetime of say 10 years or so (dont go beyond 2038)

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.