On Mon, 04 May 2015, Andrew Morone wrote:
I'm having this issue. I discovered when I would randomly get locked out of
the admin account with the usual:
kinit: Clients credentials have been revoked while getting initial credentials


The scenario would go as follows:
Sometimes I would try to issue "kinit admin", with the correct credentials
only to be met with the above results. Other times it would work fine, only
to fail when running an 'ipa' command.

Anyway, I discovered a bunch of failed auth entries for admin in the logs,
coming from clients. This would be mixed with successful logins from the
same machine. So what it looks like is happening is that these failed
logins would lock me out, sometimes in the middle of a session. Just
waiting 60 seconds for the lock out to time out would allow me to continue
my work. Has anyone seen this issue before? I'm using ipa server 3.0 on a
CentOS 6.6 server.

Are you using admin credentials as a bind DN from some application? Or
is some application which authenticates against LDAP being DoSed by someone?

In any case you would need to look at
/var/log/dirsrv/slapd-<INSTANCE>/access and /var/log/krb5kdc.log. Both
logs have enough information to identify from which hosts these
authentication attempts come and narrow down exploration of what happens
on those hosts.

--
/ Alexander Bokovoy
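
Added example, not part of the original message: one way to pull the source hosts of failed admin requests out of /var/log/krb5kdc.log, as suggested above. It covers only the KDC log, and the sample lines, addresses and realm are constructed; the regular expression assumes the usual MIT KDC AS_REQ line layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual MIT krb5kdc.log layout; hosts, realm
# and timestamps are made up for this example.
SAMPLE_LOG = """\
May 04 10:15:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 10:15:02 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: ISSUE: authtime 1430734502, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 04 10:16:10 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 04 10:16:11 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 04 10:16:12 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 04 10:16:20 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: LOCKED_OUT: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
May 04 10:17:00 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# AS_REQ (<etypes>) <client address>: <STATUS>: [ticket details, ]<principal> for <service>
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (?P<addr>\S+?): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<princ>\S+) for "
)

# NEEDED_PREAUTH is the normal first leg of every login, so it is not a failure.
FAILURES = {"PREAUTH_FAILED", "LOCKED_OUT"}

def as_req_by_host(log_text, user="admin"):
    """Return {client address: Counter(status)} for AS_REQs naming `user`."""
    hosts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m and m.group("princ").split("@")[0] == user:
            hosts[m.group("addr")][m.group("status")] += 1
    return hosts

def failing_hosts(log_text, user="admin"):
    """Hosts with failed requests for `user`, worst first: (addr, failed, issued)."""
    rows = []
    for addr, st in as_req_by_host(log_text, user).items():
        failed = sum(st[s] for s in FAILURES)
        if failed:
            rows.append((addr, failed, st["ISSUE"]))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for addr, failed, issued in failing_hosts(SAMPLE_LOG):
        print(f"{addr}: {failed} failed, {issued} issued")
```

A host that shows both failed and issued requests for admin matches the pattern described in the question: something on it holds a wrong password while a person logs in correctly from the same machine.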
