Sorry for self-replying, I was able to solve it by using the 2nd IPA server:

[root@ipa2 ~]# kinit admin
Password for ad...@pleiades.uni-wuppertal.de:
[root@ipa2 ~]# ipa user-status admin
-----------------------
Account disabled: False
-----------------------
  Server: ipa.pleiades.uni-wuppertal.de
  Failed logins: 0
  Last successful authentication: 20150903090946Z
  Last failed authentication: 20150903090808Z
  Time now: 2015-09-03T09:09:47Z

  Server: ipa2.pleiades.uni-wuppertal.de
  Failed logins: 0
  Last successful authentication: 20150903090946Z
  Last failed authentication: 20150903090851Z
  Time now: 2015-09-03T09:09:47Z
-------------------------------------
Anzahl der zurückgegebenen Einträge 2
-------------------------------------
[root@ipa2 ~]# ipa user-unlock admin
-----------------------------
Konto »admin« wurde entsperrt
-----------------------------
[root@ipa2 ~]#

and now it works again on the primary:

[root@ipa ~]# kinit admin
Password for ad...@pleiades.uni-wuppertal.de:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@pleiades.uni-wuppertal.de

Valid starting       Expires              Service principal
03.09.2015 11:11:07  04.09.2015 11:11:04  krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
[root@ipa ~]#

(Sorry for the German messages, my working machine is set to German).

Is there any way to find out why the admin user was unlocked on the primary machine?

And would it also be possible to unlock the "admin" user with one of the accounts inside the "admins" group? I am a bit afraid that we will lock ourselves out next time that happens.

Thanks

  Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg      harenb...@physik.uni-wuppertal.de <>
<> Bergische Universitaet                                       <>
<> FB C - Physik              Tel.: +49 (0)202 439-3521         <>
<> Gaussstr. 20               Fax : +49 (0)202 439-2811         <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project