Can't change password of FreeIPA admin - "Current password's minimum life has not expired"

kerberos freeipa

Solution 1:

It sounds like you have somehow created a password policy with a minimum password life longer than the maximum password life.

Remember that the maximum is specified in days while the minimum is specified in hours. If you mix these up, then it's easy to do this.

To confirm it, check the existing password policy:

ipa pwpolicy-find

ipa pwpolicy-show global_policy

Log in with a second admin account and change the password policy.

For instance, to set a minimum life of 7 days and a maximum life of 90 days:

From the command line:

ipa pwpolicy-mod global_policy --minlife 168 --maxlife 90

From the web UI:

Change IPA password policy Web UI

The minimum life can also be set to zero to disable it.

Related

Show real server name in nginx logs and params passed to fastcgi?
stop an apt-get upgrade
How to use terraform.io to change the image of a stateful server without downtime or data loss?
Service is not starting on Centos on boot
What is an acceptable secure time source in a datacentre environment?
Office365 DirSync Active Directory Integration
How do i get centos 7 to use uids and gids from active directory?
How should I configure SELinux when running nginx inside Docker
Why Supervisor's http server won't wok?
Is it possible to configure IIS to redirect based on the SSL cipher suite used for the connection?
Does rails 4 asset_path helper uses asset.prefix? [closed]
Do Juniper switches support vtp?