
2/14/2020 Unable to reset the password of IPA users. - Red Hat Customer Portal

CUSTOMER PORTAL (https://access.redhat.com/)

Unable to reset the password of IPA users.


SOLUTION VERIFIED - Updated November 5 2018 at 11:46 AM - English

Environment
Red Hat Enterprise Linux 7.x
IPA/IDM

Issue
Unable to reset the password of IPA users.

The following error is returned when changing an IPA user's password:

[root@ipa ~]# ipa user-mod tuser --password


Password:
Enter Password again to verify:
ipa: ERROR: Constraint violation: Account expired
[root@ipa ~]#

Resolution
Reset the Kerberos principal expiration by passing an empty value to --principal-expiration:

[root@ipa ~]# ipa user-mod tuser --principal-expiration=

For example:

[root@ipa ~]# ipa user-mod tuser --principal-expiration=
---------------------

Modified user "tuser"
---------------------
User login: tuser
First name: Test
Last name: User
Home directory: /home/tuser
Login shell: /bin/sh
Principal name: tuser@EXAMPLE.COM
Principal alias: tuser@EXAMPLE.COM
Email address: tuser@example.com
UID: 815000008
GID: 815000008
Account disabled: False
Password: True
Member of groups: ipausers
Roles: helpdesk
Kerberos keys available: True
[root@ipa ~]#

Then try to change the password again:

[root@ipa ~]# ipa user-mod tuser --password


Password:
Enter Password again to verify:
---------------------
Modified user "tuser"
---------------------
User login: tuser
First name: Test
Last name: User
Home directory: /home/tuser
Login shell: /bin/sh
Principal name: tuser@EXAMPLE.COM
Principal alias: tuser@EXAMPLE.COM
Email address: tuser@example.com
UID: 815000008
GID: 815000008
Account disabled: False
Password: True
Member of groups: ipausers
Roles: helpdesk
Kerberos keys available: True
[root@ipa ~]#

Root Cause 

The account is not supposed to have the Kerberos principal expiration (krbPrincipalExpiration) set.

Diagnostic Steps
Verify whether the account has krbPrincipalExpiration set:


[root@ipa ~]# ldapsearch -D "cn=Directory Manager" -b uid=tuser,cn=users,cn=accounts,dc=example,dc=com -w secret

# extended LDIF
#
# LDAPv3
# base <uid=tuser,cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tuser, users, accounts, example.com


dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
krbPrincipalExpiration: 20171101103733Z <=======================
krbExtraData:: AAIX29pbcm9vdC9hZG1pbkBLTFVESFdBTkkuQ09NAA==
krbLastPwdChange: 20181101105311Z
krbPasswordExpiration: 20181101105311Z
ipaNTHash:: udLUlVszC1A8x5LralW7Hw==
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEGowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBAi
WTNDLFckIUhaImprMW0noUkwR6ADAgESoUAEPiAANtUzRJuu23sKHnY8KY0SdkCNOek4clmyFjuux
TQMOndWKtYH4owdU4pTsea4kW/cVgzFKOfvyruolqEaMFigGzAZoAMCAQShEgQQTF4oQydxPiReKU
5qNUtePaE5MDegAwIBEaEwBC4QAMW70oV5u4Ajw7O+oPEjDt5V098jam7LHNaYXKmH1KBnX3GBiaT
ZWtnXTlvs
userPassword:: e1NTSEE1MTJ9aXFtRjM2V3pwZVR2ZUhhTzNneEdkcXE0NWZOajI5TnpsWjMrQmt
SNzIvYXN6WXYvd29yWFFKMm5qWDcvRHVwczhZMFV3RVZLOEkrMDZlUWM4VzcxWSthUVdEZDVXSHZT
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastFailedAuth: 20181101103733Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=com
memberOf: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=example,dc=com
memberOf: cn=System: Change User password,cn=permissions,cn=pbac,dc=example,
dc=com
memberOf: cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=example,dc=com
memberOf: cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=example,dc=com
memberOf: cn=System: Modify Users,cn=permissions,cn=pbac,dc=example,dc=com
memberOf: cn=Modify Group membership,cn=privileges,cn=pbac,dc=example,dc=com
memberOf: cn=System: Modify External Group Membership,cn=permissions,cn=pbac,d
c=example,dc=com
memberOf: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-4021910362-1096884182-490369887-1008
mepManagedEntry: cn=tuser,cn=groups,cn=accounts,dc=example,dc=com
displayName: Test User
uid: tuser
krbCanonicalName: tuser@EXAMPLE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/tuser
mail: tuser@example.com
krbPrincipalName: tuser@EXAMPLE.COM
givenName: Test
cn: Test User
ipaUniqueID: 8f7ab80a-db63-11e8-a949-001a4a000804
uidNumber: 815000008
gidNumber: 815000008

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipa ~]#
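
The diagnostic step above checks one account by eye. The following added example (not part of the Red Hat article) generalizes it: it reads LDIF such as the ldapsearch output above and lists every entry whose krbPrincipalExpiration is earlier than a given reference time. The function names, the users contractor1 and alice, and the sample LDIF are constructed for illustration; timestamps are assumed to use the YYYYmmddHHMMSSZ form shown in the output.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Function names are hypothetical.

# expired_principals <reference-time>
#   Reads LDIF on stdin and prints "<dn> <krbPrincipalExpiration>" for every
#   entry whose expiration is earlier than the reference time.
#   Assumes timestamps in the form YYYYmmddHHMMSSZ (UTC).
expired_principals() {
    awk -v now="$1" '
        # LDIF continuation lines start with one space: join to previous line.
        /^ / { sub(/^ /, ""); line = line $0; next }
             { handle(line); line = $0 }
        END  { handle(line); flush() }

        function handle(l) {
            if (l == "") flush()                       # blank line ends an entry
            if (l ~ /^dn: /) { flush(); dn = substr(l, 5) }
            if (l ~ /^krbPrincipalExpiration: /) exp_t = substr(l, 25)
        }
        function flush() {
            # Fixed-width UTC timestamps sort correctly as plain strings.
            if (dn != "" && exp_t != "" && (exp_t "") < (now ""))
                print dn, exp_t
            dn = ""; exp_t = ""
        }
    '
}

# Constructed sample input: tuser as in the article, one account with a
# future expiration (and a wrapped dn line), and one with no expiration set.
sample_ldif() {
    cat <<'EOF'
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
krbPrincipalExpiration: 20171101103733Z

dn: uid=contractor1,cn=users,cn=accounts,dc=examp
 le,dc=com
krbPrincipalExpiration: 20301231235959Z

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
EOF
}

# Reference time chosen to match the article's update date (constructed).
sample_ldif | expired_principals 20181105114600Z
```

Against a live server, pipe the ldapsearch output into expired_principals with the current UTC time as the reference; each listed account will fail password changes with "Account expired" until its principal expiration is cleared or extended.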

Product(s): Red Hat Enterprise Linux

Component: ipa-client, krb5

Category: Configure

Tags: ipa, kerberos

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions
that Red Hat engineers have created while supporting our customers. To give you the knowledge
you need the instant it becomes available, these articles may be presented in a raw and unedited
form.
