If you run the command and see a message stating the user is not locked, but they still cannot log in, the issue is likely not a lockout. Check for:
A locked account is different from a disabled account. If an account is disabled, use ipa user-enable username . Insufficient Privileges ipa user-unlock
Before running any IPA command, you must obtain a Kerberos ticket: kinit admin Use code with caution. 2. Run the Unlock Command If you run the command and see a
The syntax is straightforward. Replace username with the actual UID of the locked user: ipa user-unlock username Use code with caution. Insufficient Privileges Before running any IPA command, you
To unlock a user, you must have administrative privileges (usually as the admin user or a member of a group with the "Stage User" or "User Administrator" roles). 1. Authenticate with Kerberos
While this protects the network, it often leads to "locked out" tickets for the IT helpdesk. The ipa user-unlock command is the specific tool used to restore access. Why Do Accounts Get Locked?
Use ipa user-show username --all to check the krbPasswordExpiration attribute.