Problem: Invalid syntax: krb5PasswordEnd

scheinig · October 24, 2024, 7:21am

Problem:

Modifying a users password you get:
LDAP Error: Invalid syntax: krb5PasswordEnd: value #0 invalid per syntax.

root@ucs:~# udm users/user modify --dn uid=cschein,cn=users,dc=schein,dc=me --set password='Uni123vent456oN!'
LDAP Error: Invalid syntax: krb5PasswordEnd: value #0 invalid per syntax.

Investigation:

ucr set directory/manager/cmd/debug/level='4'; pkill -f cli-server

Try again

ucr set directory/manager/cmd/debug/level='0'; pkill -f cli-server

look in

/var/log/univention/directory-manager-cmd.log

for more information

Solution

The logfile revealed the following:

23.10.24 15:14:18.345  ADMIN       ( INFO    ) : simplePolicy.__getitem__: presult: expiryInterval=99999999
23.10.24 15:14:18.371  ADMIN       ( INFO    ) : sambaPwdLastSetValue: 1729689258
23.10.24 15:14:18.371  ADMIN       ( INFO    ) : krb5PasswordEnd: 2758150706000000Z

So there was a policy for users, which causes the krb5PasswordEnd to be in an impossible future value.

scheinig · October 24, 2024, 7:21am