Associated release criterion
This test case is associated with the Fedora_42_Final_Release_Criteria#domain-password-change release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.

Description

Test user password changes with FreeIPA web interface and command line.

Setup

1. Deploy a correctly-configured FreeIPA domain controller. You can follow:

   QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier

   QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later

2. Enrol a test system in the domain. There are various ways to do this. You will find several test cases you can follow in the Server release validation test cases, FreeIPA test cases, and Realmd test cases
3. Log in to the FreeIPA web UI (use the IPA server's hostname as the URL) as 'admin', go to 'Policy' and then 'Password Policies', open 'global_policy' and set the 'Min lifetime (hours)' to 0

How to test

1. Log in to the FreeIPA web UI (use the IPA server's hostname as the URL) as any domain user
2. Browse to the user's page (if you log in as a non-admin user, this will be the first page you see)
3. Click 'Actions' then 'Reset Password' and change the password
4. Log out of the web UI
5. Open a console
6. Run kinit (user), where (user) is the name of the user account whose password you just changed
7. Enter the new password
8. Run ipa user-mod (user) --password, again substituting the user name for (user), and change the password again
9. Attempt to run kinit again, log in to the web UI again, or log in to the system using the new password

Expected Results

1. You should encounter no errors when changing the password or running kinit
2. Authenticating with the new password after each change should succeed