Aha!  See Max failures below...

[root@hostname ~]# ipa pwpolicy-show --user=admin
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 1
  Character classes: 1
  Min length: 8
  Max failures: 12
  Failure reset interval: 0
  Lockout duration: 0

is there a command like pam_tally2 for ipa to reset the number of failed
logins?





On Thu, Aug 1, 2013 at 2:59 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Hebert, Henry wrote:
>
>> Thank you for the respons Rob.
>>
>>
>> [root@hostname ~]# ipa user-show admin
>>    User login: admin
>>    Last name: Administrator
>>    Home directory: /home/admin
>>    Login shell: /bin/bash
>>    UID: ####
>>    GID: ####
>>    Account disabled: False
>>    Password: True
>>    Member of groups: admins, trust admins
>>    Indirect Member of HBAC rule: hostname
>>    Kerberos keys available: True
>> [root@hostname ~]#
>> [root@hostname ~]#
>> [root@hostname ~]#
>> [root@hostname ~]# ipa user-status admin
>> -----------------------
>> Account disabled: False
>> -----------------------
>>    Server: hostname
>>    Failed logins: 12
>>    Last successful authentication: 2013-07-25T13:14:27Z
>>    Last failed authentication: 2013-07-26T13:12:04Z
>>    Time now: 2013-08-01T18:52:44Z
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>
> Sure seems like the password policy is preventing the login. You might
> try: ipa pwpolicy-show --user=admin
>
> Do you have any other users in the admins group?
>
> Do you know the Directory Manager password? (set during IPA install).
>
> rob
>
>
>>
>>
>>
>>
>>
>> On Thu, Aug 1, 2013 at 2:26 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>>     Hebert, Henry wrote:
>>
>>         I have inherited an ipa system that has been running fantastic.
>>           However
>>         the gui is no longer functioning.  I was wondering if this list
>>         has seen
>>         this sort of error in the past.
>>
>>         hostname# kinit admin
>>         kinit: Clients credentials have been revoked while getting initial
>>         credentials
>>
>>
>>     This is unrelated to the GUI. It appears that the admin account is
>>     disabled or locked due to too many failed logins. Using any other
>>     user, can you do ipa user-show admin?
>>
>>     Look for:
>>
>>        Account disabled: True
>>
>>     If it is False then try ipa user-status admin see the number of
>>     failed logins.
>>
>>     rob
>>
>>
>>         so i then tried
>>         http://docs.fedoraproject.org/**__en-US/Fedora/17/html/**
>> FreeIPA___Guide/using-the-ui.**html#tab.__ui-troubleshooting<http://docs.fedoraproject.org/__en-US/Fedora/17/html/FreeIPA___Guide/using-the-ui.html#tab.__ui-troubleshooting>
>>
>>         <http://docs.fedoraproject.**org/en-US/Fedora/17/html/**
>> FreeIPA_Guide/using-the-ui.**html#tab.ui-troubleshooting<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/using-the-ui.html#tab.ui-troubleshooting>
>> >
>>
>>
>>         [hostname]# cat /tmp/moz.log
>>         64608032[7fad03b53150]:   using REQ_DELEGATE
>>         64608032[7fad03b53150]:   service = hostname
>>         64608032[7fad03b53150]:   using negotiate-gss
>>         64608032[7fad03b53150]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>>         64608032[7fad03b53150]: Attempting to load gss functions
>>         64608032[7fad03b53150]: entering nsAuthGSSAPI::Init()
>>         64608032[7fad03b53150]: nsHttpNegotiateAuth::__**
>> GenerateCredentials()
>>
>>         [challenge=Negotiate]
>>         64608032[7fad03b53150]: entering nsAuthGSSAPI::GetNextToken()
>>         64608032[7fad03b53150]: gss_init_sec_context() failed:
>>         Unspecified GSS
>>         failure.  Minor code may provide more information
>>         64608032[7fad03b53150]:   leaving nsAuthGSSAPI::GetNextToken
>>         [rv=80004005]
>>
>>
>>         Thanks in advance!
>>         Henry
>>
>>         --
>>
>>         Henry Hebert
>>         System Administrator III
>>
>>
>>
>>         ______________________________**___________________
>>         Freeipa-users mailing list
>>         Freeipa-users@redhat.com 
>> <mailto:Freeipa-users@redhat.**com<Freeipa-users@redhat.com>
>> >
>>         
>> https://www.redhat.com/__**mailman/listinfo/freeipa-users<https://www.redhat.com/__mailman/listinfo/freeipa-users>
>>
>>         
>> <https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>> **>
>>
>>
>>
>>
>>
>> --
>>
>> Henry Hebert
>> System Administrator III
>> 454 Life Sciences
>> A Roche Company
>>
>> 15 Commercial Street
>> Branford, CT 06405
>> Phone  +1 203 871 2249
>> Mobile  +1 203 215 5904
>> e-mail henry.heb...@roche.com <mailto:henry.heb...@roche.com**>____
>>
>> /Visit our new webpage, featuring the “454 Sequencing breakthrough
>> community webinar series” at www.454.com <http://www.454.com/>/____
>>
>> *Confidentiality Note*
>>
>> This message is intended only for the use of the named recipient(s) and
>> may contain confidential and/or privileged information. If you are not
>> the intended recipient, please contact the sender and delete the
>> message. Any unauthorized use of the information contained in this
>> message is prohibited.
>>
>>
>


-- 

Henry Hebert
System Administrator III
454 Life Sciences
A Roche Company

15 Commercial Street
Branford, CT 06405
Phone  +1 203 871 2249
Mobile  +1 203 215 5904
e-mail  henry.heb...@roche.com****

*Visit our new webpage, featuring the “454 Sequencing breakthrough
community webinar series” at www.454.com*****

*Confidentiality Note*
This message is intended only for the use of the named recipient(s) and may
contain confidential and/or privileged information. If you are not the
intended recipient, please contact the sender and delete the message. Any
unauthorized use of the information contained in this message is prohibited.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to