Workaround for "Cannot Login. User Password has expired, Please change your password" in RHEVM User Portal


After installing IPA, creating accounts with ipa user-add and setting the password with ipa passwd <user>, I was denied access to the Power User Portal with that account due to a "Password expired" message. The following messages were also logged to /var/log/rhevm/rhevm.log:

2012-01-26 23:38:48,884 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http- USER_PASSWORD_EXPIRED : rhevuser
2012-01-26 23:38:48,884 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (http- CanDoAction of action LoginUser failed. Reasons:USER_PASSWORD_EXPIRED


I couldn't find this documented, but a workaround that worked for me was posted elsewhere by simo. The trick is to use kinit to change the password, as seen here:


[root@rhevm rhevm]# kinit rhevpower
Password for rhevpower@DEMO.REDHAT.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:


Or it can be changed using "kpasswd".


We do have a feature request filed already for the userportal to prompt the user to change the password if it's expired, where he will get a GUI to enter his old password, new password and new password confirmation.

Yes, I agree that the userportal must have this option.

As for now, the IPA admin has to create a user, then that user needs to run kinit to change his/her password, on most setups via the shell.




This is specific to IPA: every user created there is created with the "must change password at first logon" option, and there is no way around that. So when you create a new user, you must also reset his password.

If you have an existing IPA setup in place, and you want to use the existing accounts from it, there should be no problem, since those passwords are already in place and in use.


RHEV should not be managing DS credentials; this is the job of the IPA administrator and the users. RHEV simply connects to IPA and verifies those credentials.


If this is too much of a nuisance, an RFE should be filed against IPA to make this setting optional instead of mandatory.
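
Added example (not part of the original thread): a shell helper that summarises which accounts are being refused with USER_PASSWORD_EXPIRED, so the administrator knows who still needs to run kinit or kpasswd. The function names and the sample log are constructed here; the line layout, including the truncated "(http-" field, is assumed to match the two log lines quoted in the first post.

```shell
#!/bin/sh
# Added example: list accounts denied with USER_PASSWORD_EXPIRED in rhevm.log.
# Assumed line layout (taken from the lines quoted in the thread):
#   <date> <time> ERROR [...LoginBaseCommand] (<thread> USER_PASSWORD_EXPIRED : <user>

# expired_logins [FILE]
# Prints "<user> <denials> <date> <time of last denial>", one account per line.
# Reads standard input when no file is given.
expired_logins() {
    awk '
        # Only the ERROR line names the account; the WARN line that follows
        # repeats the reason without a user, so it is skipped.
        $3 == "ERROR" && /USER_PASSWORD_EXPIRED : / {
            user = $NF
            count[user]++
            last[user] = $1 " " $2
        }
        END {
            for (u in count) print u, count[u], last[u]
        }
    ' "${1:--}" | sort
}

# Constructed sample log. The first two lines are the ones quoted in the
# thread; the last two are made up for this example.
sample_log() {
    cat <<'EOF'
2012-01-26 23:38:48,884 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http- USER_PASSWORD_EXPIRED : rhevuser
2012-01-26 23:38:48,884 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (http- CanDoAction of action LoginUser failed. Reasons:USER_PASSWORD_EXPIRED
2012-01-26 23:41:02,117 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http- USER_PASSWORD_EXPIRED : rhevpower
2012-01-26 23:45:10,530 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http- USER_PASSWORD_EXPIRED : rhevuser
EOF
}

# When run as a script with a path argument, report on that file.
if [ "$#" -gt 0 ]; then
    expired_logins "$1"
fi
```

On the RHEV-M host this would be pointed at /var/log/rhevm/rhevm.log, the log file named in the first post.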