kt s via FreeIPA-users wrote:
when I login in with administrator, I got an error "Kerberos principal expiration".
I can't login in now ,so how to change Kerberos principal time.
You'll need your Directory Manager password which was set during IPA server installation.
Since you don't have access to the API you'll need to use LDAP directly. You'll need to replace the dc components to match your environment.
$ ldapmodify -x -D 'cn=Directory Manager' -W dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test changetype: modify delete: krbprincipalexpiration <empty line> ^D
This will remove the expiration date from the admin user. You can choose to add a new one if you wish afterward though I can't say I'd recommend it.
rob