I was facing similar issues, and ended up changing the username from admin
to something else since admin is a common name in brute force ssh attacks.
It was getting locked out in spite of using fail2ban. I guess fail2ban can
be tweaked to block the host before ipa blocks the admin account, but I
didn't bother doing that. Changing the username seemed easier.

On Mon, Oct 5, 2015 at 8:19 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Janelle wrote:
> > On 10/5/15 7:39 AM, Rob Crittenden wrote:
> >> Torsten Harenberg wrote:
> >>> Hi Janelle,
> >>>
> >>> Am 04.10.2015 um 19:25 schrieb Janelle:
> >>>> Just wondering if anyone knows why this happens from time to time on
> >>>> servers:
> >>>>
> >>>> $ kinit admin
> >>>> kinit: Clients credentials have been revoked while getting initial
> >>>> credentials
> >>>>
> >>>> there are no failed logins to the admin account - not even any login
> >>>> attempts, so it is not like someone is getting the account locked out.
> >>>> Just curious if anyone else has seen in. With 16 masters, it occurs
> >>>> randomly on some hosts, but eventually clears either on its own or
> with
> >>>> a restart of IPA. However, I just restarted IPA on this server and
> >>>> after
> >>>> about 2-3 minutes it works again.
> >>>>
> >>> I am seeing the same, see my mail "kinit admin not working anymore
> >>> (LOCKED_OUT: Clients credentials have been revoked)" from 03-SEPT.
> >>> Actually, wasn't it you who wanted to open a ticket?
> >>>
> >>> Have a nice evening,
> >>>
> >>>    Torsten
> >>>
> >> When you see this run `ipa user-status admin` and `ipa pwpolicy-show
> >> --user=admin` and provide that so we can potentially see what is going
> >> on.
> >>
> >> rob
> >>
> > I am curious -- if you have 16 masters, but this only happens once in
> > awhile on 1 or 2 servers, how does the pwpolicy fit in? I am trying to
> > understand the thinking of where you are going?? I will for sure do this
> > the next time it happens, but I want to understand logic?
>
> Lockout is per-master because the failed auth count and successful login
> date is not replicated due to performance issues.
>
> The user-status command will collect the lockout attributes from each
> server, but it doesn't do the calculations, so the pwpolicy is needed as
> well in order to figure out whether on a given master the user is locked
> out.
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to