[Freeipa-users] kinit - gui
Rob Crittenden
rcritten at redhat.com
Thu Aug 1 21:48:54 UTC 2013
Hebert, Henry wrote:
> My user is in the admins group however not in the "trust admins"
>
> Group name: admins
> Description: Account administrators group
> GID: 988200000
> Member users: admin, XXXXXXXXX, hhebertXXX
> Member of HBAC rule: hostname
>
> Group name: trust admins
> Description: Trusts administrators group
> Member users: admin
>
> I ran the above command to the same results.
admins is enough.
>
> [hhebertXXX at hostname ~]$ ipa user-unlock admin
> ipa: ERROR: did not receive Kerberos credentials
You need to kinit as yourself first.
rob
>
> I am asking the installer about the DM password.
>
> Again thx for all your help.
> Henry
>
>
>
> On Thu, Aug 1, 2013 at 4:24 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
> Hebert, Henry wrote:
>
> Aha! See Max failures below...
>
> [root at hostname ~]# ipa pwpolicy-show --user=admin
> Group: global_policy
> Max lifetime (days): 365
> Min lifetime (hours): 1
> History size: 1
> Character classes: 1
> Min length: 8
> Max failures: 12
> Failure reset interval: 0
> Lockout duration: 0
>
> is there a command like pam_tally2 for ipa to reset the number
> of failed
> logins?
>
>
> ipa user-unlock <user>
>
> You need to be in the admins group to execute this. The account is
> permanently lock (until unlocked) because the lockout duration is 0,
> meaning forever.
>
> If you have the DM password we can use that account to unlock admin
> if you have no other users in the admins group.
>
> rob
>
>
More information about the Freeipa-users
mailing list