On Wed, 23 Nov 2022, Grant Janssen via FreeIPA-users wrote:
I have an administrative user which hasn't logged into his account
in some time - likely over a year.
He can authenticate to any bound host, but cannot log in to the FreeIPA servers. I
verified this wasn’t an HBAC issue.
I compared his account to my own and found he had an extra attribute - krblastadminunlock
grant@ef-idm01:~[20221123-4:41][#1003]$ ipa user-show --all waynev | grep krblastadminunlock
krblastadminunlock: 20171006230951Z
grant@ef-idm01:~[20221123-4:47][#1004]$ ipa user-show --all grant | grep krblastadminunlock
grant@ef-idm01:~[20221123-4:47][#1005]$
I wasn’t able to find much on this, but did find this:
https://github.com/freeipa/freeipa/commit/69b1a5fc04357d1771c527444e9ba06...
How can I remove the krblastadminunlock attribute from this user without resetting the
password?
Try this on the IPA server as root:
# ipa -e in_server=true user-mod waynev --delattr=krblastadminunlock=20171006230951Z
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland