Hebert, Henry wrote:
My user is in the admins group however not in the "trust admins"
Group name: admins
Description: Account administrators group
GID: 988200000
Member users: admin, XXXXXXXXX, hhebertXXX
Member of HBAC rule: hostname
Group name: trust admins
Description: Trusts administrators group
Member users: admin
I ran the above command to the same results.
admins is enough.
[hhebertXXX@hostname ~]$ ipa user-unlock admin
ipa: ERROR: did not receive Kerberos credentials
You need to kinit as yourself first.
rob
I am asking the installer about the DM password.
Again thx for all your help.
Henry
On Thu, Aug 1, 2013 at 4:24 PM, Rob Crittenden <[email protected]> wrote:
Hebert, Henry wrote:
Aha! See Max failures below...
[root@hostname ~]# ipa pwpolicy-show --user=admin
Group: global_policy
Max lifetime (days): 365
Min lifetime (hours): 1
History size: 1
Character classes: 1
Min length: 8
Max failures: 12
Failure reset interval: 0
Lockout duration: 0
Is there a command like pam_tally2 for ipa to reset the number of failed logins?
ipa user-unlock <user>
You need to be in the admins group to execute this. The account is
permanently locked (until unlocked) because the lockout duration is 0,
meaning forever.
If you have the DM password we can use that account to unlock admin
if you have no other users in the admins group.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
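
The recovery logic discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA code: it reads the `ipa pwpolicy-show` and admins group output quoted above and decides whether the lockout is permanent and who can run `ipa user-unlock`. The function names are hypothetical and the input is constructed from the output shown in the thread.

```python
# Added example: constructed input, copied from the command output quoted in this thread.
PWPOLICY = """\
Group: global_policy
Max failures: 12
Failure reset interval: 0
Lockout duration: 0
"""
ADMINS_GROUP = """\
Group name: admins
Member users: admin, XXXXXXXXX, hhebertXXX
"""

def parse_fields(text):
    """Parse the 'Key: value' lines of ipa CLI output into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def lockout_is_permanent(policy):
    """Per the thread: lockout duration 0 means locked until someone unlocks it."""
    return int(policy["Lockout duration"]) == 0

def who_can_unlock(group, locked_user):
    """Members of the admins group other than the locked account itself."""
    members = [m.strip() for m in group.get("Member users", "").split(",")]
    return [m for m in members if m and m != locked_user]

def recovery_plan(pwpolicy_text, group_text, locked_user):
    """Return the next step for a locked account as a short string."""
    policy = parse_fields(pwpolicy_text)
    group = parse_fields(group_text)
    if not lockout_is_permanent(policy):
        return "wait for the lockout duration to expire, or unlock manually"
    unlockers = who_can_unlock(group, locked_user)
    if unlockers:
        return ("kinit as one of %s, then run: ipa user-unlock %s"
                % (", ".join(unlockers), locked_user))
    return "no other member of admins: fall back to the Directory Manager (DM) account"

if __name__ == "__main__":
    print(recovery_plan(PWPOLICY, ADMINS_GROUP, "admin"))
```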