Anthony Messina via FreeIPA-users wrote:
> On Sunday, June 22, 2025 11:08:43 AM Central Daylight Time Anthony Messina
> via FreeIPA-users wrote:
>> With FreeIPA 4.12.2-14.fc42 (and likely before), I have two hosts created in
>> February 2025 that trigger the following:
>
>> ns-slapd: ALERT - ipalockout_postop - User
>> fqdn=ws1.example.com,cn=computers,cn=accounts,dc=example,dc=com is locked
>> out. Too many failed authentication attempts.
>
>> They were enrolled using OTP just like my other hosts in the past have been.
>> They are the only two hosts in my dual-master FreeIPA setup with multiple
>> hosts that show krbLastFailedAuth and krbLoginFailedCount:
>
>> ~]# ipa host-show ws1 --all --raw
>> ...
>> has_password: FALSE
>> has_keytab: TRUE
>> krbLastFailedAuth: 20250217182326Z
>> krbLastPwdChange: 20250216234605Z
>> krbLoginFailedCount: 0
>>
>> How do they get this way and is there a way to "unlock" these hosts?
>> Thanks.
>
> This logging appears to be related to the change at
> https://github.com/freeipa/freeipa/commit/dfcc25525ac8f2be4a5ecd8b7bcac8f282b9c4cd
>
> and the presence of either krbLoginFailedCount and/or krbLastFailedAuth,
> regardless of their content.
>
> For now, I have removed those attributes from the two host fqdn entries on
> each replica.
>
Thanks for the research. I opened https://pagure.io/freeipa/issue/9820

rob