[Freeipa-users] kinit - gui
Hebert, Henry
henry.hebert at roche.com
Fri Aug 2 14:15:23 UTC 2013
Rob, I tried the command. How do I unlock the account using the DM?
[hhebertXXX at hostname ~]$ kinit hhebertXXX
Password for hhebertXXX at dc.COM:
[hhebertXXX at hostname ~]$ ipa user-unlock admin
ipa: ERROR: Server is unwilling to perform: Entry permanently locked.
[hhebertXXX at hostname ~]$
and now my username is permanently locked.
[hhebertXXX at hostname ~]$ ipa user-status hhebertXXX
ipa: ERROR: Server is unwilling to perform: Entry permanently locked.
On Thu, Aug 1, 2013 at 4:52 PM, Henry Hebert <henry.hebert at roche.com> wrote:
> I have the DM password. How do I unlock with it? ipa user-find doesn't show
> any user named Directory Manager?
>
>
> On Thu, Aug 1, 2013 at 4:43 PM, Henry Hebert <henry.hebert at roche.com> wrote:
>
>> My user is in the admins group, however not in the "trust admins"
>>
>> Group name: admins
>> Description: Account administrators group
>> GID: 988200000
>> Member users: admin, XXXXXXXXX, hhebertXXX
>> Member of HBAC rule: hostname
>>
>> Group name: trust admins
>> Description: Trusts administrators group
>> Member users: admin
>>
>> I ran the above command to the same results.
>>
>> [hhebertXXX at hostname ~]$ ipa user-unlock admin
>> ipa: ERROR: did not receive Kerberos credentials
>>
>> I am asking the installer about the DM password.
>>
>> Again thx for all your help.
>> Henry
>>
>>
>>
>> On Thu, Aug 1, 2013 at 4:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Hebert, Henry wrote:
>>>
>>>> Aha! See Max failures below...
>>>>
>>>> [root at hostname ~]# ipa pwpolicy-show --user=admin
>>>> Group: global_policy
>>>> Max lifetime (days): 365
>>>> Min lifetime (hours): 1
>>>> History size: 1
>>>> Character classes: 1
>>>> Min length: 8
>>>> Max failures: 12
>>>> Failure reset interval: 0
>>>> Lockout duration: 0
>>>>
>>>> Is there a command like pam_tally2 for ipa to reset the number of failed
>>>> logins?
>>>>
>>>
>>> ipa user-unlock <user>
>>>
>>> You need to be in the admins group to execute this. The account is
>>> permanently locked (until unlocked) because the lockout duration is 0,
>>> meaning forever.
>>>
>>> If you have the DM password we can use that account to unlock admin if
>>> you have no other users in the admins group.
>>>
>>> rob
>>>
>>
>>
>
>
> --
>
> Henry Hebert
> System Administrator III
> 454 Life Sciences
> A Roche Company
>
> 15 Commercial Street
> Branford, CT 06405
> Phone +1 203 871 2249
> Mobile +1 203 215 5904
> e-mail henry.hebert at roche.com
>
> *Visit our new webpage, featuring the “454 Sequencing breakthrough
> community webinar series” at www.454.com*
>
> *Confidentiality Note*
> This message is intended only for the use of the named recipient(s) and
> may contain confidential and/or privileged information. If you are not the
> intended recipient, please contact the sender and delete the message. Any
> unauthorized use of the information contained in this message is prohibited.
>
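The policy values quoted in this thread are what make the lock permanent. As an added example (not from the thread or from the FreeIPA project), this Python model parses the quoted `ipa pwpolicy-show` output and evaluates lockout state for a series of failed logins. The function names are hypothetical, and two rules are assumptions taken from MIT Kerberos policy semantics: a failure reset interval of 0 never resets the count, and a max failures of 0 disables lockout.

```python
import re

# Policy exactly as quoted in the thread (`ipa pwpolicy-show --user=admin`).
POLICY_TEXT = """\
Group: global_policy
Max lifetime (days): 365
Min lifetime (hours): 1
History size: 1
Character classes: 1
Min length: 8
Max failures: 12
Failure reset interval: 0
Lockout duration: 0
"""

def parse_policy(text):
    """Turn 'Label: value' lines into a dict; numeric values become ints."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            policy[key] = int(val) if val.isdigit() else val
    return policy

def lock_state(policy, failure_times, now):
    """Evaluate lockout at time `now` given failed-login timestamps (seconds)."""
    max_fail = policy["Max failures"]
    interval = policy["Failure reset interval"]   # assumed: 0 = never reset
    duration = policy["Lockout duration"]         # 0 = locked until unlocked
    count, last = 0, None

    def locked(at):
        if max_fail == 0 or count < max_fail:     # assumed: 0 disables lockout
            return None
        if duration == 0:
            return "locked until admin unlock"
        return "locked temporarily" if at < last + duration else None

    for t in sorted(failure_times):
        if locked(t):
            continue  # attempts against a locked account are refused, not counted
        if interval and last is not None and t > last + interval:
            count = 0  # quiet period longer than the reset interval
        count += 1
        last = t
    return locked(now) or "not locked"
```

With the thread's policy, twelve failures spread over any length of time leave the account locked until someone runs `ipa user-unlock`, because neither the counter nor the lock ever expires.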