Password reset fails when the password is expired with IdM two-factor authentication

Solution Verified - Updated

Issue

When Red Hat Identity Management is used with two-factor authentication (password + OTP) and a user's password has expired, the user cannot renew it through the normal expired-password prompt: the password change is rejected.

[cylopez@idm ~]$ su - tutu
Password: 
Password expired. Change your password now.
Current Password: 
Password change failed. Server message: Old password not accepted.
su: Authentication token manipulation error

The following appears in the logs:

sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
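The log sequence above has a recognisable shape: a pam_sss auth failure with PAM code 12 (expired token) for an su PID, followed by a chauthtok rejection with "Old password not accepted" for the same PID. The script below, an added example that is not part of this article, correlates journal lines per su PID and reports users stuck in that state; the sample lines are constructed from the output shown above plus a second, non-failing session.

```python
import re
from collections import defaultdict

# Constructed sample journal lines: the sequence from this article (PID 24832),
# plus a second expired-password session (PID 25001) that never hit the
# chauthtok rejection and so must not be reported.
SAMPLE_LOG = """\
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
sept. 17 09:10:02 idm.local su[25001]: pam_sss(su-l:auth): received for user bob: 12 (Authentication token is no longer valid; new one required)
"""

# Matches the journal prefix plus the pam_sss(service:stage) tag of an su line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>[^:]+):(?P<stage>\w+)\): (?P<msg>.*)$"
)
# Pulls the target user out of the message forms seen above (\b keeps "ruser=" out).
USER_RE = re.compile(r"(?:received for user|Authentication failed for user|\buser=)\s*(\w+)")


def find_stuck_expired_users(log_text):
    """Return (user, pid, timestamp) for each su session where an expired-password
    auth (PAM code 12) was followed by a chauthtok 'Old password not accepted'
    rejection: the expired-password plus OTP dead end described in this article."""
    sessions = defaultdict(lambda: {"user": None, "expired": False, "rejected": False, "ts": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # krb5_child, pam_unix and other lines are not needed here
        s = sessions[m["pid"]]
        u = USER_RE.search(m["msg"])
        if u:
            s["user"] = u.group(1)
        if m["stage"] == "auth" and ": 12 (" in m["msg"]:
            s["expired"] = True
        if m["stage"] == "chauthtok" and "Old password not accepted" in m["msg"]:
            s["rejected"] = True
            s["ts"] = m["ts"]
    return [(s["user"], pid, s["ts"]) for pid, s in sessions.items() if s["expired"] and s["rejected"]]


if __name__ == "__main__":
    for user, pid, ts in find_stuck_expired_users(SAMPLE_LOG):
        print(f"{ts}: user {user} (su pid {pid}) could not change an expired password")
```

Feed it `journalctl -o short` output instead of the sample to check a real host.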

Environment

  • Red Hat Identity Management
    ipa-server-4.5.x
  • Red Hat Enterprise Linux 7
    sssd-client-1.16.0-19.el7_5.5.x86_64
