Aha! See Max failures below...

[root@hostname ~]# ipa pwpolicy-show --user=admin
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 1
  Character classes: 1
  Min length: 8
  Max failures: 12
  Failure reset interval: 0
  Lockout duration: 0

Is there a command like pam_tally2 for ipa to reset the number of failed logins?

On Thu, Aug 1, 2013 at 2:59 PM, Rob Crittenden <[email protected]> wrote:

> Hebert, Henry wrote:
>
>> Thank you for the response Rob.
>>
>> [root@hostname ~]# ipa user-show admin
>>   User login: admin
>>   Last name: Administrator
>>   Home directory: /home/admin
>>   Login shell: /bin/bash
>>   UID: ####
>>   GID: ####
>>   Account disabled: False
>>   Password: True
>>   Member of groups: admins, trust admins
>>   Indirect Member of HBAC rule: hostname
>>   Kerberos keys available: True
>> [root@hostname ~]#
>> [root@hostname ~]#
>> [root@hostname ~]#
>> [root@hostname ~]# ipa user-status admin
>> -----------------------
>> Account disabled: False
>> -----------------------
>>   Server: hostname
>>   Failed logins: 12
>>   Last successful authentication: 2013-07-25T13:14:27Z
>>   Last failed authentication: 2013-07-26T13:12:04Z
>>   Time now: 2013-08-01T18:52:44Z
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>
> Sure seems like the password policy is preventing the login. You might
> try: ipa pwpolicy-show --user=admin
>
> Do you have any other users in the admins group?
>
> Do you know the Directory Manager password? (set during IPA install).
>
> rob
>
>> On Thu, Aug 1, 2013 at 2:26 PM, Rob Crittenden <[email protected]> wrote:
>>
>>     Hebert, Henry wrote:
>>
>>         I have inherited an ipa system that has been running fantastic.
>>         However the gui is no longer functioning. I was wondering if
>>         this list has seen this sort of error in the past.
>>
>>         hostname# kinit admin
>>         kinit: Clients credentials have been revoked while getting initial
>>         credentials
>>
>>     This is unrelated to the GUI. It appears that the admin account is
>>     disabled or locked due to too many failed logins. Using any other
>>     user, can you do ipa user-show admin?
>>
>>     Look for:
>>
>>     Account disabled: True
>>
>>     If it is False then try ipa user-status admin see the number of
>>     failed logins.
>>
>>     rob
>>
>>         so i then tried
>>         http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/using-the-ui.html#tab.ui-troubleshooting
>>
>>         [hostname]# cat /tmp/moz.log
>>         64608032[7fad03b53150]: using REQ_DELEGATE
>>         64608032[7fad03b53150]: service = hostname
>>         64608032[7fad03b53150]: using negotiate-gss
>>         64608032[7fad03b53150]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>>         64608032[7fad03b53150]: Attempting to load gss functions
>>         64608032[7fad03b53150]: entering nsAuthGSSAPI::Init()
>>         64608032[7fad03b53150]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>         64608032[7fad03b53150]: entering nsAuthGSSAPI::GetNextToken()
>>         64608032[7fad03b53150]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
>>         64608032[7fad03b53150]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
>>
>>         Thanks in advance!
>>         Henry
>>
>>         --
>>         Henry Hebert
>>         System Administrator III

--
Henry Hebert
System Administrator III
454 Life Sciences
A Roche Company
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
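
The comparison the thread makes by hand (Failed logins from `ipa user-status` against Max failures from `ipa pwpolicy-show`), as an added example that is not part of the original messages. It assumes FreeIPA applies MIT Kerberos-style lockout semantics, where Max failures 0 disables lockout and Lockout duration 0 (in seconds) keeps the account locked until an administrator unlocks it; the function names are hypothetical.

```python
# Added example, not part of the thread. Assumption: MIT Kerberos-style
# lockout semantics (Max failures 0 = no lockout, Lockout duration 0 =
# locked until an administrator unlocks the account; duration in seconds).
from datetime import datetime, timedelta, timezone

# Values copied from the ipa pwpolicy-show / ipa user-status output above.
PWPOLICY = """\
  Group: global_policy
  Max failures: 12
  Failure reset interval: 0
  Lockout duration: 0
"""
USER_STATUS = """\
-----------------------
Account disabled: False
-----------------------
  Server: hostname
  Failed logins: 12
  Last successful authentication: 2013-07-25T13:14:27Z
  Last failed authentication: 2013-07-26T13:12:04Z
  Time now: 2013-08-01T18:52:44Z
"""

def parse_fields(text):
    """Turn the 'Key: value' lines of ipa CLI output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields

def parse_ts(value):
    """Parse the UTC timestamps that ipa user-status prints."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lockout_state(policy, status):
    """Classify the account from parsed pwpolicy and user-status fields."""
    max_fail = int(policy["Max failures"])
    duration = int(policy["Lockout duration"])
    if max_fail == 0 or int(status["Failed logins"]) < max_fail:
        return "not locked"
    if duration == 0:
        return "locked until an administrator unlocks it"
    unlock_at = parse_ts(status["Last failed authentication"]) + timedelta(seconds=duration)
    if parse_ts(status["Time now"]) < unlock_at:
        return "locked until " + unlock_at.isoformat()
    return "lockout expired"

if __name__ == "__main__":
    print(lockout_state(parse_fields(PWPOLICY), parse_fields(USER_STATUS)))
```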
