On Wed, 11 Jul 2018, skrawczenko--- via FreeIPA-users wrote:
Unfortunately, I can't see anything suspicious in krb5kdc.log.
Multiple hosts request a TGT in NEEDED_PREAUTH:host/<hostname> - ISSUE dialogs.

No errors, and 'admin' is not encountered anywhere.

I have a concern that older machines could have been enrolled (ipa-client)
with the admin user.
Could you suggest where I can check this setting on the client machines and
modify it if needed?
When a machine is enrolled as admin, the admin credentials are not stored
anywhere on the machine. So that shouldn't be an issue.

However, if the admin account is still locked out, you have two sources for
possible lockouts:
- KDC locking out for invalid TGTs
- LDAP servers locking out for invalid LDAP BIND requests.

As you are saying it is not the former, maybe it is the latter?

You can use

 egrep '(BIND.*dn=\"|RESULT.*dn=\"|RESULT err=49)' /var/log/dirsrv/slapd-$INSTANCE/access

to pull out all authentication requests, successful or not, from the LDAP
server access log. For successful requests the 'RESULT ' entry would have
'dn="some-dn"', while for unsuccessful ones the BIND entries will have the actual
DN value. Each entry has a 'conn=XYZ' property which shows the id of a
connection performed by a client, and the first line with that conn=XYZ id
would also have the IP address of the client.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
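As an added example (not code from the thread or from FreeIPA), the correlation described above done in Python over a constructed sample of 389-ds access-log lines: each BIND is matched to its RESULT by conn and op id, err=49 results are kept, and each failure is tied to the client IP from the connection's first line. The line shapes are assumed from the stock 389-ds access-log format.

```python
import re
from collections import Counter

# Constructed sample of 389-ds access-log lines (not taken from the thread).
SAMPLE_LOG = """\
[11/Jul/2018:10:15:02.123 +0300] conn=1234 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[11/Jul/2018:10:15:02.124 +0300] conn=1234 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:02.125 +0300] conn=1234 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[11/Jul/2018:10:15:04.000 +0300] conn=1235 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.1
[11/Jul/2018:10:15:04.001 +0300] conn=1235 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:04.002 +0300] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com"
[11/Jul/2018:10:15:05.000 +0300] conn=1236 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.1
[11/Jul/2018:10:15:05.001 +0300] conn=1236 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:05.002 +0300] conn=1236 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
"""

# The line shapes the egrep pulls out, plus the "connection from" line that carries the client IP.
CONN_RE = re.compile(r'conn=(\d+) .*connection from (\S+) to ')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def failed_binds(log_text):
    """Return [(client_ip, bind_dn), ...] for every BIND whose RESULT was err=49."""
    conn_ip = {}   # conn id -> client IP
    pending = {}   # (conn, op) -> DN from the BIND line, waiting for its RESULT
    failures = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == '49':
                failures.append((conn_ip.get(m.group(1), 'unknown'), dn))
    return failures

def failures_by_source(log_text):
    """Count err=49 binds per (client IP, DN): the pairs most likely tripping a lockout."""
    return Counter(failed_binds(log_text))

if __name__ == '__main__':
    for (ip, dn), n in failures_by_source(SAMPLE_LOG).most_common():
        print(f'{n:4d} failed BINDs from {ip} as {dn}')
```

Point it at the real access log with `failures_by_source(open(path).read())`; the client IP in the output is what you then check against the enrolled hosts.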
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/72QJULIQP3TVOB7AYYREVLFNOCFVY5SK/