From Fedora Project Wiki

Associated release criterion
This test case is associated with the Domain controller role requirements. If that is a Featured server role and you are doing release validation testing, a failure of this test case may be a breach of the Alpha, Beta, or Final Fedora release criteria requiring Featured server roles to meet their functional requirements. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Test user password changes with FreeIPA web interface and command line.


  1. Deploy a correctly-configured FreeIPA domain controller. You can follow:
    QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 21 or later
    QA:Testcase_freeipav3_installation to deploy a FreeIPA domain controller on Fedora 20 or earlier
  2. Enrol a test system in the domain. There are various ways to do this. You will find several test cases you can follow in the Server release validation test cases, FreeIPA test cases, and Realmd test cases
  3. Log in to the FreeIPA web UI (use the IPA server's hostname as the URL) as 'admin', go to 'Policy' and then 'Password Policies', open 'global_policy' and set the 'Min lifetime (hours)' to 0

How to test

  1. Log in to the FreeIPA web UI (use the IPA server's hostname as the URL) as any domain user
  2. Browse to the user's page (if you log in as a non-admin user, this will be the first page you see)
  3. Click 'Actions' then 'Reset Password' and change the password
  4. Log out of the web UI
  5. Open a console
  6. Run kinit (user), where (user) is the name of the user account whose password you just changed
  7. Enter the new password
  8. Run ipa user-mod (user) --password, again substituting the user name for (user), and change the password again
  9. Attempt to run kinit again, log in to the web UI again, or log in to the system using the new password

Expected Results

  1. You should encounter no errors when changing the password or running kinit
  2. Authenticating with the new password after each change should succeed