On Wed, 23 Nov 2022, Grant Janssen via FreeIPA-users wrote:
I have an administrative user who hasn't logged into his account in some time - likely over a year.
He can authenticate to any bound host, but cannot log in to the FreeIPA servers. I verified this wasn’t an HBAC issue.

I compared his account to my own and found he had an extra attribute - krblastadminunlock

grant@ef-idm01:~[20221123-4:41][#1003]$ ipa user-show --all waynev | grep krblastadminunlock
 krblastadminunlock: 20171006230951Z
grant@ef-idm01:~[20221123-4:47][#1004]$ ipa user-show --all grant | grep krblastadminunlock
grant@ef-idm01:~[20221123-4:47][#1005]$

I wasn’t able to find much on this, but did find this:
https://github.com/freeipa/freeipa/commit/69b1a5fc04357d1771c527444e9ba064759afb65

How can I remove the krblastadminunlock attribute from this user without 
resetting the password?

Try this on the IPA server as root:
# ipa -e in_server=true user-mod waynev --delattr=krblastadminunlock=20171006230951Z


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland