Grant Janssen via FreeIPA-users wrote:
> I have an administrative user which hasn't logged into his account in
> some time - likely over a year.
> He can authenticate to any bound host, but cannot log in to the FreeIPA
> servers. I verified this wasn’t an HBAC issue.
> I compared his account to my own and found he had an extra attribute -
> krblastadminunlock
>
> grant@ef-idm01:~[20221123-4:41][#1003]$ ipa user-show --all waynev | grep krblastadminunlock
> krblastadminunlock: 20171006230951Z
> grant@ef-idm01:~[20221123-4:47][#1004]$ ipa user-show --all grant | grep krblastadminunlock
> grant@ef-idm01:~[20221123-4:47][#1005]$
>
> I wasn’t able to find much on this, but did find this:
> https://github.com/freeipa/freeipa/commit/69b1a5fc04357d1771c527444e9ba06...
> How can I remove the krblastadminunlock attribute from this user without
> resetting the password?
This attribute allows authentications rather than restricting them. I
don't think this is the root of the issue. Either way it wouldn't affect
a per-machine authentication.
How did you rule out HBAC?
You might want to crank up sssd debugging and have this user try to log
in. That may provide some guidance.
rob
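The diagnostic sequence Rob suggests (rule out HBAC with the server-side evaluator, then raise sssd logging while the user tries to log in), plus the attribute check from the original question, collected into a small helper script. This is an added example, not code from the thread or from the FreeIPA project. It assumes the `ipa` CLI, `sssctl` from sssd-tools and root on the IPA server; the sample `ipa user-show` output in the comments is constructed from the values shown in the question.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the case "user can log in
# to enrolled clients but not to the IPA servers themselves".
# Assumes: ipa CLI, sssctl (sssd-tools), root on the affected IPA server.

# Does `ipa user-show --all <user>` output (read on stdin) carry a
# krblastadminunlock line?  Returns 0 if present, 1 if absent.
# ipa indents attribute lines with two spaces, hence the '^ *' prefix.
has_admin_unlock() {
    grep -q '^ *krblastadminunlock:'
}

# Print the krblastadminunlock value (generalized time, e.g.
# 20171006230951Z) from `ipa user-show --all` output on stdin; prints
# nothing when the attribute is absent.
admin_unlock_time() {
    sed -n 's/^ *krblastadminunlock: *//p'
}

# Ask the IPA server which HBAC rules would allow or deny an ssh login for
# this user on this host.  This evaluates the enabled rules without the
# user having to attempt a login, so it settles the "is it HBAC?" question.
check_hbac() {
    user=$1
    host=$2
    ipa hbactest --user="$user" --host="$host" --service=sshd
}

# Raise sssd's debug level on this server while the user attempts a login,
# then drop it back.  Level 9 is very verbose; look in /var/log/sssd/
# (sssd_pam.log and the domain log) for the user's name afterwards.
with_sssd_debug() {
    sssctl debug-level 9
    echo "sssd debug level raised to 9; have the user try to log in, then press Enter" >&2
    read _dummy
    sssctl debug-level 0
}

# Usage on the IPA server, e.g.:
#   ipa user-show --all waynev | has_admin_unlock && echo "unlock attribute present"
#   check_hbac waynev ef-idm01.example.com      # hostname is a placeholder
#   with_sssd_debug
```

`ipa hbactest` is the quickest way to rule HBAC in or out, since it reports which rules matched rather than just pass/fail; the sssd logs then show whether the denial comes from PAM/access control or from the authentication step itself.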