Password reset fails when expired with IdM two-factor authentication

Solution Verified

Issue

When Red Hat Identity Management is used with two-factor authentication (password + OTP) and a user's password has expired, the expired password cannot be changed through the normal login prompt: the forced password change fails.

[cylopez@idm ~]$ su - tutu
Password: 
Password expired. Change your password now.
Current Password: 
Password change failed. Server message: Old password not accepted.
su: Authentication token manipulation error

We see the following in the logs:

sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
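The journal lines above carry enough to spot this failure mode automatically: the `auth` stage returns PAM code 12 (`PAM_NEW_AUTHTOK_REQD`, Linux-PAM's "password expired, new one required") and the `chauthtok` stage of the same `su` process then fails with code 4 (`PAM_SYSTEM_ERR`) after the "Old password not accepted" server message. The script below is an added example, not part of the Red Hat solution: it parses `pam_sss` journal lines, groups them by PAM session (host, PAM service, PID) and reports sessions where an expired-password login ended in a failed password change. The sample input is a constructed copy of the lines shown above; the line layout the regex expects (`<date> <host> <svc>[<pid>]: pam_sss(<service>:<stage>): <msg>`) is assumed from that sample and may need adjusting for other syslog formats.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the journal lines quoted in the article, embedded so the
# script runs offline without access to the IdM client.
SAMPLE_LOG = """\
sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
"""

# Journal layout assumed from the sample above (short syslog-style output). Lines from
# other modules (pam_unix, krb5_child) do not match and are skipped.
PAM_SSS_RE = re.compile(
    r"^(?P<ts>\S+ \d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>[^:]+):(?P<stage>\w+)\): (?P<msg>.*)$"
)
# "for user tutu: 12 (...)" or "... user=tutu"; the \b keeps "ruser=cylopez" from matching.
USER_RE = re.compile(r"(?:for user |\buser=)(?P<user>[^\s:]+)")
# Trailing Linux-PAM return code, e.g. ": 12 (Authentication token is no longer valid; ...)".
RC_RE = re.compile(r": (?P<rc>\d+) \(")

PAM_SUCCESS = 0
PAM_NEW_AUTHTOK_REQD = 12  # Linux-PAM: password expired, a new one must be set


def parse_pam_sss(lines):
    """Yield one dict per pam_sss line: ts, host, svc, pid, service, stage, msg, user, rc."""
    for line in lines:
        m = PAM_SSS_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = m.groupdict()
        u = USER_RE.search(rec["msg"])
        rec["user"] = u.group("user") if u else None
        rc = RC_RE.search(rec["msg"])
        rec["rc"] = int(rc.group("rc")) if rc else None
        yield rec


def find_failed_expired_changes(lines):
    """Return sessions where auth reported an expired password (PAM code 12) and the
    later chauthtok stage of the same process then failed with a non-zero code."""
    sessions = defaultdict(list)
    for rec in parse_pam_sss(lines):
        sessions[(rec["host"], rec["service"], rec["pid"])].append(rec)

    findings = []
    for (host, service, pid), events in sessions.items():
        # Index of the expired-password verdict; chauthtok failures must come after it.
        expired_at = next((i for i, e in enumerate(events)
                           if e["stage"] == "auth" and e["rc"] == PAM_NEW_AUTHTOK_REQD), None)
        if expired_at is None:
            continue
        failed = [e for e in events[expired_at + 1:]
                  if e["stage"] == "chauthtok" and e["rc"] not in (None, PAM_SUCCESS)]
        if not failed:
            continue
        user = next((e["user"] for e in events if e["user"]), None)
        server_msg = next((e["msg"].split("Server message: ", 1)[1]
                           for e in events if "Server message: " in e["msg"]), None)
        findings.append({
            "host": host, "service": service, "pid": pid, "user": user,
            "ts": events[expired_at]["ts"],
            "chauthtok_rc": failed[-1]["rc"],
            "server_message": server_msg,
        })
    return findings


if __name__ == "__main__":
    # Pass "-" to read a journal from stdin (e.g. journalctl -o short | python3 script.py -),
    # otherwise the embedded sample is analysed.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    for f in find_failed_expired_changes(source):
        print(f"{f['ts']} {f['host']} {f['service']}[{f['pid']}]: user {f['user']} "
              f"expired-password change failed (rc={f['chauthtok_rc']}): {f['server_message']}")
```

On the sample input the script reports one session, `su-l[24832]` for user `tutu`, with `chauthtok_rc=4` and the server message `Old password not accepted.`; grouping by PID rather than by user keeps two concurrent logins of the same account from being mixed up.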

Environment

  • Red Hat Identity Management
    ipa-server-4.5.x
  • Red Hat Enterprise Linux 7
    sssd-client-1.16.0-19.el7_5.5.x86_64
