password policy "be changed at next login" stopped working

Due to a system failure of a 10.8.5 Open Directory master, I migrated it to a new 10.10.1. Migration seemed flawless, but now I'm experiencing a weird failure of the password policy "be changed at next login". It's simply ignored.

10.8.5 description:

- virtual machine with VMware ESXi 5.5u1, 8 GB RAM, 60 GB hard drive plus a second one 150 GB

- Server version 2.2.2, Workgroup Manager version 10.8 (409)

- Open Directory with a self generated certificate for SSO

- all the users have mobile account with local home template


10.10.1 description:

- virtual machine with VMware ESXi 5.5u1, 8 GB RAM, 80 GB hard drive plus a second one 120 GB

- Server version 4.0.3 (14S350), Workgroup Manager 10.9 (421)


Migration procedure: installed ex-novo 10.10.1, at the end of installation migrated data through migration assistant from old server hard drive attached at the new VM, switched off VM, detached old server hardware, rebooted, downloaded and installed new Server version.

All the computers bound to the Open Directory master allowed login so I thought the migration went properly, until I discovered that the policy to change the password at next login doesn't work anymore.

Anyone having hints/suggestions about this behaviour?

Thanks

Luca

Server-OTHER, OS X Yosemite (10.10.1)

Posted on Jan 17, 2015 3:02 AM

11 replies

Jan 18, 2015 3:19 AM in response to Linc Davis

Thank you for the suggestion. I cleared the policy database with the command you sent, but in workgroup manager I still find "be changed at next login" checked. If I check the password policy of my test user 98765 this is what I find:

server:~ root# pwpolicy -u 98765 -getpolicy

Getting policy for 98765

hardExpirationDate=1970-01-01 00:00:00 +0000 requiresAlpha=0 maxMinutesOfNonUse=0 usingHistory=0 maxFailedLoginAttempts=0 newPasswordRequired=1 expirationDate=1970-01-01 00:00:00 +0000 usingHardExpirationDate=0 maxChars=0 usingExpirationDate=0 maxMinutesUntilChangePassword=0 minChars=0 canModifyPasswordforSelf=1 requiresNumeric=0

newPasswordRequired is correctly set at 1, but there is no prompt to change password when I try to login. I don't know if it's correct, but if I check the password policy after I logged on a computer, I find nothing:

staff:~ root# pwpolicy -u 98765 -getpolicy

Getting policy for 98765

staff:~ root#

Is this correct? Is the policy transferred to the login computer and in this case the transfer fails for some reason?

Thanks for the help

Luca
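
An added example, not part of the original post and not Apple's own tooling: a small parser for the one-line `key=value` policy text quoted above, used to tell apart an account whose forced change is still pending from a host that returns no policy at all. The function names and the two sample strings are assumptions constructed from the output in the post.

```shell
#!/bin/sh
# Added example: parse the one-line "key=value ..." text printed by
# `pwpolicy -u <user> -getpolicy` (the command used in the post above).

# policy_value KEY: read policy text on stdin, print KEY's value.
# Values may contain spaces (the date fields), so a token without "="
# continues the previous value. Keys are matched exactly, so
# expirationDate is not confused with hardExpirationDate.
policy_value() {
    awk -v want="$1" '
        /^Getting policy for / { next }   # banner line, not policy data
        {
            key = ""; val = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 1) {
                    if (key == want) { print val; found = 1; exit }
                    key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                } else if (key != "") {
                    val = val " " $i
                }
            }
            if (key == want) { print val; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# change_state: classify policy text on stdin as pending, clear or no-policy.
change_state() {
    if v=$(policy_value newPasswordRequired); then
        if [ "$v" = "1" ]; then echo pending; else echo clear; fi
    else
        echo no-policy   # nothing returned, as on the client in the post
    fi
}

# Constructed samples modelled on the two outputs quoted in the post.
SERVER_SAMPLE='Getting policy for 98765
hardExpirationDate=1970-01-01 00:00:00 +0000 requiresAlpha=0 newPasswordRequired=1 expirationDate=1970-01-01 00:00:00 +0000 usingExpirationDate=0 minChars=0'
CLIENT_SAMPLE='Getting policy for 98765'

printf 'server: %s\n' "$(printf '%s\n' "$SERVER_SAMPLE" | change_state)"
printf 'client: %s\n' "$(printf '%s\n' "$CLIENT_SAMPLE" | change_state)"
```

An account that still reports `pending` after its owner has logged in is one where the default password was never replaced.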

Jan 18, 2015 9:12 AM in response to Linc Davis

I have a group of users newly created in Open Directory, with a default password. With 10.8.5 and server 2.2.2 I would have selected these users and checked the flag for "be changed at next login" in order to have them set a new password known only to them. With 10.10.1 and server 4.0.3 I'm no more able to get the same behaviour, so it's not properly a global policy. Is there a different way to achieve the same result, i.e. force a user to change his/her password if I reset it?

Thanks again

May 22, 2015 3:56 AM in response to lluca40

This has been infuriating me as well and seems to be a fairly major flaw in the directory/server app that we cannot get the users to change their password from a standard default password.


I have been through all of the above and I can't get it to work. Currently using 10.10.3 and Server 4.1.


Anyone got this to work and if so how?

Jul 17, 2015 6:38 AM in response to lluca40

I seem to have a similar issue. I extracted all users/groups with WGM on my old 10.6 xserve. Set up a fresh mini with 10.10.4. Imported users/groups and set the policy to be changed on first logon with the server.app. Nothing happens and the user is allowed to just login with the password I set initially. If I use terminal on the server and su username it asks me to change the password. Nothing from the logon screen.


From the client in terminal...

I tried changing with dscl . passwd /Users/UserName and after putting in the new one I get DS Error: -14987 (eUndefinedError)


I see this in the system.log on the server...

Jul 17 09:29:38 myodserver.od.fqdn.org kdc[90]: AS-REQ <UserName>@myodserver.od.fqdn.org from 127.0.0.1:64069 for krbtgt/myodserver.od.fqdn.org@myodserver.od.fqdn.org

Jul 17 09:29:38 myodserver.od.fqdn.org kdc[90]: AS-REQ <UserName>@myodserver.od.fqdn.org from 127.0.0.1:64069 for krbtgt/myodserver.od.fqdn.org@myodserver.od.fqdn.org

Jul 17 09:29:38 myodserver.od.fqdn.org kdc[90]: AS-REQ <UserName>@myodserver.od.fqdn.org from 127.0.0.1:55978 for krbtgt/myodserver.od.fqdn.org@myodserver.od.fqdn.org

Jul 17 09:29:38 myodserver.od.fqdn.org kdc[90]: ENC-TS pre-authentication succeeded -- <UserName>@myodserver.od.fqdn.org

Jul 17 09:29:38 myodserver.od.fqdn.org kdc[90]: Client's key has expired at 2015-07-17T09:28:38 -- <UserName>@myodserver.od.fqdn.org<UserName>


Thanks,
Craig
