On 05/17/2016 08:18 AM, Rob Crittenden wrote:
John Duino wrote:
Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it is available, and other times several hours.

ipa user-status admin will show something like:
Failed logins: 6
Last successful authentication: 20160516214142Z
Last failed authentication: 20160516224718Z
Time now: 2016-05-16T22:52:00Z

ipa user-unlock admin  does unlock it.

But parsing through the various logs on the affected host doesn't give
me what I need to know, primarily, which host(s) are trying to access
admin and causing it to lock.

FreeIPA 4.2.0 on CentOS 7.2.1511

I think you'd need to poke around in the KDC and 389-ds access log to find the auth attempts. I guess I'd look for PREAUTH_FAILED in /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then correlate the conn value with a BIND to see who was authenticating.

For 389 you can use the logconv.pl tool


rob


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to