Alexander

Thank You for your attention, but this did not work for me.

I had tried earlier to remove this attribute in the conventional manner, but failed.

(example again at the tail of my output)

[root@ef-idm01 ~]# ipa -e in_server=true user-mod waynev --delattr=krblastadminunlock=20171006230951Z

ipa: ERROR: krblastadminunlock does not contain '20171006230951Z'

[root@ef-idm01 ~]# exit

logout

grant@ef-idm01:~[20221123-6:59][#1012]$ klist

Ticket cache: KEYRING:persistent:555:555

Default principal: grant@PRODUCTION.EFILM.COM

Valid starting Expires Service principal

11/23/2022 04:43:47 11/24/2022 04:43:34 HTTP/ef-idm01.production.efilm.com@PRODUCTION.EFILM.COM

11/23/2022 04:43:37 11/24/2022 04:43:34 krbtgt/PRODUCTION.EFILM.COM@PRODUCTION.EFILM.COM

grant@ef-idm01:~[20221123-6:59][#1013]$ ipa user-mod --delattr=krblastadminunlock=20171006230951Z waynev

ipa: ERROR: krblastadminunlock does not contain '20171006230951Z'

grant@ef-idm01:~[20221123-6:59][#1014]$ ipa user-show --all waynev | grep krblastadminunlock

krblastadminunlock: 20171006230951Z

grant@ef-idm01:~[20221123-DING!][#1015]$

thanx

- grant