> What do you mean ssh port close? How can I manage this server without SSH?

By "close" I meant some firewall - iptables, for example.

> How do I disable locking of admin accounts? Do you have command handy
> because I tried google and there are lots of other info but not password
> policy related.

Check FreeIPA's official documentation.

On Fri, May 10, 2024 at 2:38 PM Satish Patel <[email protected]> wrote:

> Thank you for the response,
>
> This started when I was trying to add a RockyLinux 8 replica to CentOS7
> Master node. Replica add process failed but after that this new issue
> started on admin account lockout. I did remove bad replica but admin
> account getting locked.
>
> What do you mean ssh port close? How can I manage this server without SSH?
>
> How do I disable locking of admin accounts? Do you have command handy
> because I tried google and there are lots of other info but not password
> policy related.
>
> On Fri, May 10, 2024 at 2:00 AM Yavor Marinov <[email protected]> wrote:
>
>> Hey Satish,
>>
>> had the same issue, when initially installing and integrating FreeIPA -
>> in my case was an enrolled host which had its ssh port opened, which led to
>> numerous requests for authentication for user admin.
>> I would suggest a couple of measures: closing ssh ports and allowing only
>> authentication with keys, increasing lock attempts for logging in or (I
>> personally do not use it) disable the locking IPA wide.
>>
>> On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <
>> [email protected]> wrote:
>>
>>> Folks,
>>>
>>> I have noticed my admin account keeps getting locked out because of
>>> failed attempts but I don't know from where and how. I tried to dig into
>>> logs but didn't find any trace of attempt.
>>>
>>> $ ipa-replica-manage list
>>> Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more
>>> information
>>> Unexpected error: Server is unwilling to perform: Too many failed logins.
>>>
>>> $ ipa user-show --all admin
>>>   dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com
>>>   User login: admin
>>>   Last name: Administrator
>>>   Full name: Administrator
>>>   Home directory: /home/admin
>>>   GECOS: Administrator
>>>   Login shell: /bin/bash
>>>   Principal alias: [email protected]
>>>   UID: 1000
>>>   GID: 1000
>>>   Account disabled: False
>>>   Preserved user: False
>>>   Password: True
>>>   Member of groups: admins, trust admins, no-pwd-policy
>>>   Kerberos keys available: True
>>>   ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463
>>>   krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA==
>>>   krblastadminunlock: 20240509172126Z
>>>   krblastpwdchange: 20200915142958Z
>>>   krblastsuccessfulauth: 20240509172620Z
>>>   krbloginfailedcount: 0
>>>   krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM,cn=kerberos,dc=foo,dc=com
>>>   krbticketflags: 128
>>>   objectclass: top, person, posixaccount, krbprincipalaux,
>>>   krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
>>>
>>>
>>> After running the following command it does unlock, but in a few minutes it
>>> will get locked again
>>>
>>> $ ipa user-unlock admin
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to
>>> [email protected]
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
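Added example, not part of the original thread and not FreeIPA code: the quoted reply traces the lockouts to repeated SSH password attempts for admin on an enrolled host, so this Python script tallies such failures per reporting host and source address and estimates when a failure counter would reach the lockout threshold. The sshd log lines are constructed, the function names are hypothetical, and the threshold values (6 failures, 60-second reset interval) and the simplified counter model are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of sshd lines collected from enrolled hosts (not real data).
SAMPLE_LOG = """\
May  9 17:20:01 client1 sshd[2211]: Failed password for admin from 198.51.100.23 port 40112 ssh2
May  9 17:20:04 client1 sshd[2213]: Failed password for admin from 198.51.100.23 port 40118 ssh2
May  9 17:20:09 client1 sshd[2215]: Failed password for root from 198.51.100.23 port 40120 ssh2
May  9 17:20:15 client1 sshd[2217]: Failed password for admin from 198.51.100.23 port 40131 ssh2
May  9 17:20:22 client2 sshd[901]: Failed password for admin from 10.0.0.8 port 51522 ssh2
May  9 17:20:30 client1 sshd[2219]: Failed password for admin from 198.51.100.23 port 40140 ssh2
May  9 17:20:41 client1 sshd[2222]: Failed password for admin from 198.51.100.23 port 40155 ssh2
May  9 17:21:26 ipa1 sshd[3310]: Accepted publickey for admin from 10.0.0.8 port 51600 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def failed_logins(log_text, user, year=2024):
    """Return [(timestamp, reporting_host, source_ip)] for failed sshd passwords on `user`."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m and m["user"] == user:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["src"]))
    return events

def failures_by_source(events):
    """Count failures per (reporting_host, source_ip), busiest first."""
    return Counter((host, src) for _, host, src in events).most_common()

def first_lockout(events, maxfail=6, failinterval=60):
    """Simplified model (assumption): the counter resets when more than
    `failinterval` seconds pass between failures; lock at `maxfail`."""
    count, last = 0, None
    for ts, _, _ in sorted(events):
        if last is not None and (ts - last).total_seconds() > failinterval:
            count = 0
        count, last = count + 1, ts
        if count >= maxfail:
            return ts
    return None

if __name__ == "__main__":
    ev = failed_logins(SAMPLE_LOG, "admin")
    print(failures_by_source(ev), first_lockout(ev))
```

Feed it the sshd logs gathered from every enrolled host; the top entry of `failures_by_source` is the host and address to firewall or switch to key-only authentication first.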
