My user is in the admins group however not in the "trust admins"

Group name: admins
  Description: Account administrators group
  GID: 988200000
  Member users: admin, XXXXXXXXX,  hhebertXXX
  Member of HBAC rule: hostname

 Group name: trust admins
  Description: Trusts administrators group
  Member users: admin

I ran the above command to the same results.

[hhebertXXX@hostname ~]$ ipa user-unlock admin
ipa: ERROR: did not receive Kerberos credentials

I am asking the installer about the DM password.

Again thx for all your help.

On Thu, Aug 1, 2013 at 4:24 PM, Rob Crittenden <> wrote:

> Hebert, Henry wrote:
>> Aha!  See Max failures below...
>> [root@hostname ~]# ipa pwpolicy-show --user=admin
>>    Group: global_policy
>>    Max lifetime (days): 365
>>    Min lifetime (hours): 1
>>    History size: 1
>>    Character classes: 1
>>    Min length: 8
>>    Max failures: 12
>>    Failure reset interval: 0
>>    Lockout duration: 0
>> is there a command like pam_tally2 for ipa to reset the number of failed
>> logins?
> ipa user-unlock <user>
> You need to be in the admins group to execute this. The account is
> permanently lock (until unlocked) because the lockout duration is 0,
> meaning forever.
> If you have the DM password we can use that account to unlock admin if you
> have no other users in the admins group.
> rob
Freeipa-users mailing list

Reply via email to