[Freeipa-users] kinit - gui
Hebert, Henry
henry.hebert at roche.com
Thu Aug 1 19:11:58 UTC 2013
Aha! See Max failures below...
[root at hostname ~]# ipa pwpolicy-show --user=admin
Group: global_policy
Max lifetime (days): 365
Min lifetime (hours): 1
History size: 1
Character classes: 1
Min length: 8
Max failures: 12
Failure reset interval: 0
Lockout duration: 0
Is there a command like pam_tally2 for ipa to reset the number of failed
logins?
On Thu, Aug 1, 2013 at 2:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Hebert, Henry wrote:
>
>> Thank you for the response Rob.
>>
>>
>> [root at hostname ~]# ipa user-show admin
>> User login: admin
>> Last name: Administrator
>> Home directory: /home/admin
>> Login shell: /bin/bash
>> UID: ####
>> GID: ####
>> Account disabled: False
>> Password: True
>> Member of groups: admins, trust admins
>> Indirect Member of HBAC rule: hostname
>> Kerberos keys available: True
>> [root at hostname ~]#
>> [root at hostname ~]#
>> [root at hostname ~]#
>> [root at hostname ~]# ipa user-status admin
>> -----------------------
>> Account disabled: False
>> -----------------------
>> Server: hostname
>> Failed logins: 12
>> Last successful authentication: 2013-07-25T13:14:27Z
>> Last failed authentication: 2013-07-26T13:12:04Z
>> Time now: 2013-08-01T18:52:44Z
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>
> Sure seems like the password policy is preventing the login. You might
> try: ipa pwpolicy-show --user=admin
>
> Do you have any other users in the admins group?
>
> Do you know the Directory Manager password? (set during IPA install).
>
> rob
>
>
>>
>> On Thu, Aug 1, 2013 at 2:26 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Hebert, Henry wrote:
>>
>> I have inherited an ipa system that has been running fantastic. However
>> the gui is no longer functioning. I was wondering if this list has seen
>> this sort of error in the past.
>>
>> hostname# kinit admin
>> kinit: Clients credentials have been revoked while getting initial credentials
>>
>>
>> This is unrelated to the GUI. It appears that the admin account is
>> disabled or locked due to too many failed logins. Using any other
>> user, can you do ipa user-show admin?
>>
>> Look for:
>>
>> Account disabled: True
>>
>> If it is False then try ipa user-status admin to see the number of
>> failed logins.
>>
>> rob
>>
>>
>> So I then tried
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/using-the-ui.html#tab.ui-troubleshooting
>>
>>
>> [hostname]# cat /tmp/moz.log
>> 64608032[7fad03b53150]: using REQ_DELEGATE
>> 64608032[7fad03b53150]: service = hostname
>> 64608032[7fad03b53150]: using negotiate-gss
>> 64608032[7fad03b53150]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> 64608032[7fad03b53150]: Attempting to load gss functions
>> 64608032[7fad03b53150]: entering nsAuthGSSAPI::Init()
>> 64608032[7fad03b53150]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>> 64608032[7fad03b53150]: entering nsAuthGSSAPI::GetNextToken()
>> 64608032[7fad03b53150]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
>> 64608032[7fad03b53150]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
>>
>>
>> Thanks in advance!
>> Henry
>>
>> --
>>
>> Henry Hebert
>> System Administrator III
>
--
Henry Hebert
System Administrator III
454 Life Sciences
A Roche Company
15 Commercial Street
Branford, CT 06405
Phone +1 203 871 2249
Mobile +1 203 215 5904
e-mail henry.hebert at roche.com
Visit our new webpage, featuring the “454 Sequencing breakthrough
community webinar series” at www.454.com
*Confidentiality Note*
This message is intended only for the use of the named recipient(s) and may
contain confidential and/or privileged information. If you are not the
intended recipient, please contact the sender and delete the message. Any
unauthorized use of the information contained in this message is prohibited.
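
Added example (not part of the original messages, and not FreeIPA's own code): a shell check that reads the `ipa pwpolicy-show` and `ipa user-status` fields quoted in this thread and reports whether the failure count has reached the policy limit. The helper names, the state words, and the treatment of 0 as "lockout off" (Max failures) or "no automatic unlock" (Lockout duration) are assumptions of this example; the sample input is constructed from the values shown above.

```shell
#!/bin/sh
# Added example: classify an IPA account's lockout state from CLI output.
# Constructed sample input, using the field values quoted in this thread.
POLICY='  Max failures: 12
  Failure reset interval: 0
  Lockout duration: 0'
STATUS='  Server: hostname
  Failed logins: 12
  Last failed authentication: 2013-07-26T13:12:04Z'

# field LABEL TEXT: print the value of the first "LABEL: value" line in TEXT.
# Matching on the full "LABEL: " prefix keeps the colons in timestamps intact.
field() {
    printf '%s\n' "$2" | awk -v k="$1" '{
        line = $0; sub(/^[ \t]+/, "", line); p = k ": "
        if (index(line, p) == 1) { print substr(line, length(p) + 1); exit }
    }'
}

# lockout_state POLICY_TEXT STATUS_TEXT: print one state word.
# Only the first server block of user-status is read (hypothetical helper).
lockout_state() {
    max=$(field 'Max failures' "$1")
    dur=$(field 'Lockout duration' "$1")
    failed=$(field 'Failed logins' "$2")
    for v in "$max" "$dur" "$failed"; do
        case $v in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    done
    if [ "$max" -eq 0 ]; then
        echo lockout-disabled            # assumption: 0 turns lockout off
    elif [ "$failed" -lt "$max" ]; then
        echo not-locked
    elif [ "$dur" -eq 0 ]; then
        echo locked-until-admin-reset    # assumption: 0 = no automatic unlock
    else
        echo locked-temporary            # expires after "Lockout duration"
    fi
}

lockout_state "$POLICY" "$STATUS"
```
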