https://bugzilla.redhat.com/show_bug.cgi?id=804096 (Red Hat Enterprise Linux 6)
Description of problem: --failinterval=INT Period after which failure count will be reset (seconds) Failure counter is not getting reset after interval period :: ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : :: [ LOG ] :: Failue Interval - before and after interval expiration - 10 second interval - 1 bad attempt ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ LOG ] :: create ipa user: [user1], firstname: [user1], lastname: [user1] password: [Secret123] :: [ PASS ] :: delete account [user1] :: [ LOG ] :: create ipa user: [user1], password: [Secret123] :: [ PASS ] :: add test user account :: [ LOG ] :: kinit as user1 with new password Secret123 was successful. :: [ PASS ] :: Creating a test user1 :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: Setting failinterval to value of [10] :: [ PASS ] :: Interval value correct [10] :: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed. :: [ PASS ] :: Kinit as user with valid password. Max failures reached - interval not expired :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: User's failed counter is as expected: [1] :: [ LOG ] :: Sleeping for 10 seconds :: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed. :: [ PASS ] :: Kinit as user with valid password. Max failures reached - interval expired :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ FAIL ] :: User's failed counter is NOT as expected. Got: [2] Expected: [1] :: [ LOG ] :: Duration: 46s :: [ LOG ] :: Assertions: 12 good, 1 bad :: [ FAIL ] :: RESULT: Failue Interval - before and after interval expiration - 10 second interval - 1 bad attempt ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : :: [ LOG ] :: Failure Interval - before and after interval expiration - 30 second interval - 2 bad attempts ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : :: [ LOG ] :: create ipa user: [user1], firstname: [user1], lastname: [user1] password: [Secret123] :: [ PASS ] :: delete account [user1] :: [ LOG ] :: create ipa user: [user1], password: [Secret123] :: [ PASS ] :: add test user account :: [ LOG ] :: kinit as user1 with new password Secret123 was successful. :: [ PASS ] :: Creating a test user1 :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: Setting failinterval to value of [30] :: [ PASS ] :: Interval value correct [30] :: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed. :: [ PASS ] :: Kinit as user with valid password. Max failures reached - interval not expired. Attempt [1] :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: User's failed counter is as expected: [1] :: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed. :: [ PASS ] :: Kinit as user with valid password. Max failures reached - interval not expired. Attempt [2] :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: User's failed counter is as expected: [2] :: [ LOG ] :: Sleeping for 30 seconds :: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed. :: [ PASS ] :: Kinit as user with valid password. Max failures reached - interval expired :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ FAIL ] :: User's failed counter is NOT as expected. Got: [3] Expected: [1] :: [ LOG ] :: Duration: 1m 9s :: [ LOG ] :: Assertions: 14 good, 1 bad :: [ FAIL ] :: RESULT: Failure Interval - before and after interval expiration - 30 second interval - 2 bad attempts ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : :: [ LOG ] :: Group Failures Policy Enforcement - Failure Interval ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : :: [ LOG ] :: ERROR: kinit as grpuser with password BADPWD failed. :: [ PASS ] :: Kinit as group policy user with invalid password :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: User's failed counter is as expected: [1] :: [ LOG ] :: ERROR: kinit as grpuser with password BADPWD failed. :: [ PASS ] :: Kinit as group policy user with invalid password :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ PASS ] :: User's failed counter is as expected: [2] :: [ LOG ] :: Sleep for interval duration :: [ LOG ] :: ERROR: kinit as grpuser with password BADPWD failed. :: [ PASS ] :: Kinit as group policy user with invalid password :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ PASS ] :: Running 'kinitAs admin Secret123' :: [ FAIL ] :: User's failed counter is NOT as expected. Got: [3] Expected: [1] :: [ LOG ] :: Duration: 27s :: [ LOG ] :: Assertions: 8 good, 1 bad :: [ FAIL ] :: RESULT: Group Failures Policy Enforcement - Failure Interval Version-Release number of selected component (if applicable): ipa-server-2.2.0-4.el6.x86_64 How reproducible: always Steps to Reproduce: 1. already automated see description 2. 3. Actual results: user failure counter to be reset after interval Expected results: failure counter not being reset after interval Additional info:
It is querying krbpwdmaxfailurecountinterval instead of krbpwdfailurecountinterval
attachment freeipa-rcrit-999-failurecount.patch
master: 56fa06f
ipa-2-2: 27ae10d
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03
Login to comment on this ticket.