Hebert, Henry wrote:
My user is in the admins group however not in the "trust admins"

Group name: admins
   Description: Account administrators group
   GID: 988200000
   Member users: admin, XXXXXXXXX,  hhebertXXX
   Member of HBAC rule: hostname

Group name: trust admins
   Description: Trusts administrators group
   Member users: admin

I ran the above command to the same results.

admins is enough.

[hhebertXXX@hostname ~]$ ipa user-unlock admin
ipa: ERROR: did not receive Kerberos credentials

You need to kinit as yourself first.


I am asking the installer about the DM password.

Again thx for all your help.

On Thu, Aug 1, 2013 at 4:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Hebert, Henry wrote:

        Aha!  See Max failures below...

        [root@hostname ~]# ipa pwpolicy-show --user=admin
            Group: global_policy
            Max lifetime (days): 365
            Min lifetime (hours): 1
            History size: 1
            Character classes: 1
            Min length: 8
            Max failures: 12
            Failure reset interval: 0
            Lockout duration: 0

        is there a command like pam_tally2 for ipa to reset the number of failed

    ipa user-unlock <user>

    You need to be in the admins group to execute this. The account is
    permanently locked (until unlocked) because the lockout duration is 0,
    meaning forever.

    If you have the DM password we can use that account to unlock admin
    if you have no other users in the admins group.


Freeipa-users mailing list