https://bugzilla.redhat.com/show_bug.cgi?id=822429 (Red Hat Enterprise Linux 6)
Description of problem:

I tested the user lock mechanism when the configured maximum number of tries is exceeded, and it does not work correctly.

As admin:

    # ipa pwpolicy-show
      Group: global_policy
      Max lifetime (days): 90
      Min lifetime (hours): 0
      History size: 0
      Character classes: 0
      Min length: 8
      Max failures: 3            <<<<<
      Failure reset interval: 60
      Lockout duration: 600

    # ipa user-add --first=Foo --last=Bar fbar
    # ipa passwd fbar
    New Password:
    Enter New Password again to verify:
    --------------------------------------------------
    Changed password for "fbar@IDM.LAB.BOS.REDHAT.COM"
    --------------------------------------------------

    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    Password expired. You must change it now.
    Enter new password:
    Enter it again:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: fbar@IDM.LAB.BOS.REDHAT.COM

    Valid starting     Expires            Service principal
    05/17/12 05:39:45  05/18/12 05:39:45  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM

    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials
    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials
    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials
    # kinit fbar
    kinit: Clients credentials have been revoked while getting initial credentials

>>> So far, this is expectable

    # kinit admin
    # ipa user-unlock fbar
    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:

>>> Now let's try to lock the account again:

    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials
    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials
    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials
    # kinit fbar
    Password for fbar@IDM.LAB.BOS.REDHAT.COM:
    kinit: Password incorrect while getting initial credentials

>>> Failed login count is stuck at 1!

    $ ipa user-status fbar
    -----------------------
    Account disabled: False
    -----------------------
      Server: vm-034.idm.lab.bos.redhat.com
      Failed logins: 1
      Last successful authentication: 2012-05-17T10:18:13Z
      Last failed authentication: 2012-05-17T10:17:28Z
      Time now: 2012-05-17T10:18:46Z
    ----------------------------
    Number of entries returned 1
    ----------------------------

krb5kdc log for logins where the failed count was not increased:

    ...
    May 17 06:20:36 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
    May 17 06:20:37 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    May 17 06:20:37 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: PREAUTH_FAILED: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Decrypt integrity check failed
    May 17 06:20:44 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
    May 17 06:20:45 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    May 17 06:20:45 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: PREAUTH_FAILED: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Decrypt integrity check failed

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-13.el6.x86_64

How reproducible:

Steps to Reproduce:
1. Add a new user with a password
2. kinit as the new user
3. kinit with a wrong password until the password policy max auth count is exceeded and kinit is refused
4. Unlock the user with the admin account
5. Try kinit-ing with a wrong password and check the number of failed login counts

Actual results:
Failed login count is stuck at 1

Expected results:
Failed login count is not stuck; the account is locked again after the max login count is exceeded

Additional info:
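The expected lockout behaviour from the report, replayed as a small Python model so the "Expected results" can be checked step by step. This is an added example written for this page, not FreeIPA's or the KDC's code; the counter, reset-interval and lock-until bookkeeping is a hypothetical model that only takes its policy values (Max failures 3, Failure reset interval 60, Lockout duration 600) from the `ipa pwpolicy-show` output above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy values copied from the report's `ipa pwpolicy-show` output.
MAX_FAILURES = 3
FAILURE_RESET_INTERVAL = timedelta(seconds=60)
LOCKOUT_DURATION = timedelta(seconds=600)


@dataclass
class LockoutState:
    """Hypothetical per-account lockout bookkeeping (a model, not FreeIPA's)."""
    failed_count: int = 0
    last_failed: Optional[datetime] = None
    lock_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.lock_until is not None and now < self.lock_until

    def auth_attempt(self, now: datetime, correct: bool) -> bool:
        """Process one kinit; returns True when the credentials are accepted."""
        if self.is_locked(now):
            return False  # "Clients credentials have been revoked"
        if correct:
            self.failed_count = 0
            return True
        # Failures further apart than the reset interval start a fresh count.
        if self.last_failed is None or now - self.last_failed > FAILURE_RESET_INTERVAL:
            self.failed_count = 0
        self.failed_count += 1
        self.last_failed = now
        if self.failed_count >= MAX_FAILURES:
            self.lock_until = now + LOCKOUT_DURATION
        return False

    def admin_unlock(self) -> None:
        """Model of `ipa user-unlock`: clear the lock and the counter."""
        self.lock_until = None
        self.failed_count = 0


def replay_report(start: datetime = datetime(2012, 5, 17, 10, 17, 0)) -> List[Tuple[int, bool]]:
    """Replay the report's steps one second apart; returns (failed_count, locked) after each."""
    state, now, trace = LockoutState(), start, []
    script = [True, False, False, False, False, "unlock", True, False, False, False, False]
    for action in script:
        now += timedelta(seconds=1)
        if action == "unlock":
            state.admin_unlock()
        else:
            state.auth_attempt(now, correct=action)
        trace.append((state.failed_count, state.is_locked(now)))
    return trace
```

In the report, the second round of wrong passwords after `ipa user-unlock` leaves the count at 1; in this model it climbs 1, 2, 3 and the account locks again, which is the expected result the reporter describes.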
Attachment: freeipa-rcrit-1017-failcount.patch

master: 560f2ce
ipa-2-2: 608d297
Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/05