Grant Janssen via FreeIPA-users wrote:
I see a slight variation, but still cannot remove the attribute.
grant@ef-idm01:~[20221123-7:19][#1018]$ipa user-show --all --raw waynev | grep krblastadminunlock
grant@ef-idm01:~[20221123-7:20][#1019]$ipa user-show --all --raw waynev | grep -i krblastadminunlock
krbLastAdminUnlock: 20171006230951Z
grant@ef-idm01:~[20221123-7:20][#1020]$ ipa user-mod --delattr=krbLastAdminUnlock=20171006230951Z waynev
ipa: ERROR: krblastadminunlock does not contain '20171006230951Z'
grant@ef-idm01:~[20221123-7:20][#1021]$
It's probably a difference between storage and representation. This is a case where ldapsearch is probably better to find the value.
Alternatively you can try deleting the entire attribute with:
--setattr krblastadminunlock=
But again, this would affect any authentication and not just IPA servers so it doesn't make sense that access is not universally allowed/denied.
rob