Grant Janssen via FreeIPA-users wrote:
> I have an administrative user which hasn't logged into his account in
> some time - likely over a year.
> He can authenticate to any bound host, but cannot log in to the FreeIPA
> servers.  I verified this wasn't an HBAC issue.
> 
> I compared his account to my own and found he had an extra attribute -
> krblastadminunlock
> 
>     grant@ef-idm01:~[20221123-4:41][#1003]$ ipa user-show --all waynev |
>     grep krblastadminunlock
>       krblastadminunlock: 20171006230951Z
>     grant@ef-idm01:~[20221123-4:47][#1004]$ ipa user-show --all grant |
>     grep krblastadminunlock
>     grant@ef-idm01:~[20221123-4:47][#1005]$
> 
> 
> I wasn’t able to find much on this, but did find this:
> https://github.com/freeipa/freeipa/commit/69b1a5fc04357d1771c527444e9ba064759afb65
> 
> How can I remove the krblastadminunlock attribute from this user without
> resetting the password?

This attribute allows authentications rather than restricting them. I
don't think this is the root of the issue. Either way it wouldn't affect
a per-machine authentication.

How did you rule out HBAC?

You might want to crank up sssd debugging and have this user try to log
in. That may provide some guidance.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]