Uberleet


FreeIPA admin account reset


Sometimes the 'admin' account in FreeIPA gets locked out, which immediately takes down the web administration UI with '500: Internal Server Error', among other symptoms. You will know a lockout is in effect if you run kinit admin on the IPA host and get: kinit: Client's credentials have been revoked while getting initial credentials

You can reset the account by applying an LDIF modification that clears the nsaccountlock attribute on the admin entry, binding to the directory as Directory Manager:

ldapmodify -h localhost -D "cn=Directory Manager" -ZZ -x -W

After the password prompt no further prompt is shown (you only get an error if the password is wrong); type the LDIF change and finish it with an empty line so ldapmodify applies it:

dn: uid=admin,cn=users,cn=accounts,dc=domain,dc=name
changetype: modify
replace: nsaccountlock
nsaccountlock: false

Be sure to change dc=domain,dc=name to match your own domain: each DNS label becomes one dc= component, so example.com becomes dc=example,dc=com.

If all goes well, you will see output confirming the change:

modifying entry "uid=admin,cn=users,cn=accounts,dc=domain,dc=name"

Press Ctrl+C to exit ldapmodify.
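The same procedure as a small script, added here as an example (it is not part of the original post). It assumes the openldap-clients tools (ldapsearch, ldapmodify) are installed on the IPA server and that the Directory Manager password is supplied interactively via -W. Before applying the change it prints the lock-related attributes of the admin entry, including krbLoginFailedCount, the failed-login counter that the password policy checks; that lets you tell a failure-count lockout apart from an account that was simply disabled.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: openldap-clients on the IPA server, Directory Manager password via -W.
# Usage: IPA_DOMAIN=example.com sh unlock-admin.sh

# Convert a DNS domain such as example.com to the LDAP suffix FreeIPA uses,
# dc=example,dc=com. Handles any number of labels.
ipa_base_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# DN of the built-in admin entry for the given domain.
ipa_admin_dn() {
    printf 'uid=admin,cn=users,cn=accounts,%s\n' "$(ipa_base_dn "$1")"
}

# LDIF that clears nsaccountlock: the same change the post applies by hand.
build_unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsaccountlock\nnsaccountlock: false\n' \
        "$(ipa_admin_dn "$1")"
}

# Show the lock-related attributes before touching anything. A high
# krbLoginFailedCount with nsaccountlock unset points at repeated failed
# logins rather than at someone having disabled the account on purpose.
show_lock_state() {
    ldapsearch -H ldap://localhost -ZZ -x -D "cn=Directory Manager" -W -LLL \
        -b "$(ipa_admin_dn "$1")" nsaccountlock krbLoginFailedCount krbLastFailedAuth
}

# Feed the LDIF to ldapmodify over STARTTLS (-ZZ) on the local server.
unlock_admin() {
    build_unlock_ldif "$1" |
        ldapmodify -H ldap://localhost -ZZ -x -D "cn=Directory Manager" -W
}

# Only act when a domain was given via the environment; the functions above
# can otherwise be sourced and used individually.
if [ -n "${IPA_DOMAIN:-}" ]; then
    show_lock_state "$IPA_DOMAIN"
    unlock_admin "$IPA_DOMAIN"
fi
```

Each of the two LDAP commands prompts for the Directory Manager password once; to run it unattended, replace -W with -y and a root-only password file.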

Investigate why this happened

This can be your own fault, your keyboard's fault, or a compromised internal network running brute-force scans against your IPA instance. Tools like tcpdump can help isolate the source, as can the Kerberos KDC logs on the FreeIPA server.

Not understanding why it happened can lead to further lockouts or an unaddressed security risk.
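As an added example (not from the original post) of reading those KDC logs, the script below tallies failed preauthentication attempts against a principal per client address. It assumes the default krb5kdc log line format (on an IPA server the file is normally /var/log/krb5kdc.log); the sample lines embedded in it are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes krb5kdc's default log format; sample lines below are constructed.

# Count PREAUTH_FAILED entries for one principal, grouped by the client
# address that the KDC logs just before the status word. Reads stdin.
# Output: "<count> <address>", highest count first.
failed_preauth_by_source() {
    awk -v p="$1" '
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "PREAUTH_FAILED:" && $(i + 1) == p) {
                    src = $(i - 1); sub(/:$/, "", src); count[src]++
                }
            }
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Addresses with at least N failures for the principal: a first cut at
# separating a scripted scan from a single mistyped password.
flag_sources() {
    failed_preauth_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample: three failures for admin from one host, one from
# another, and one unrelated failure for a different user.
SAMPLE_KDC_LOG='Jun 05 10:01:02 ipa.example.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jun 05 10:01:03 ipa.example.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jun 05 10:01:09 ipa.example.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jun 05 10:02:30 ipa.example.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.55: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jun 05 10:03:00 ipa.example.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.55: ISSUE: authtime 1717581780, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 05 10:03:10 ipa.example.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.77: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed'

# Run against the sample when executed directly; on a real server use
# something like: failed_preauth_by_source admin@EXAMPLE.COM < /var/log/krb5kdc.log
if [ -n "${KDC_DEMO:-}" ]; then
    printf '%s\n' "$SAMPLE_KDC_LOG" | failed_preauth_by_source admin@EXAMPLE.COM
    printf '%s\n' "$SAMPLE_KDC_LOG" | flag_sources admin@EXAMPLE.COM 3
fi
```

Compare the flagged addresses with what you expect: your own workstation with a stale saved password is one thing, an address you do not recognise hitting the KDC in rapid succession is another, and the latter is where tcpdump on the IPA host becomes useful.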