#2765 Failed login count is stuck at 1
Closed: Fixed. Opened 11 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=822429 (Red Hat Enterprise Linux 6)

Description of problem:
I tested user lock mechanism when the configured maximum number of tries is
exceeded and it does not work correctly.

As admin:
# ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 3   <<<<<
  Failure reset interval: 60
  Lockout duration: 600
# ipa user-add --first=Foo --last=Bar fbar
# ipa passwd fbar
New Password:
Enter New Password again to verify:
--------------------------------------------------
Changed password for "fbar@IDM.LAB.BOS.REDHAT.COM"
--------------------------------------------------
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@IDM.LAB.BOS.REDHAT.COM

Valid starting     Expires            Service principal
05/17/12 05:39:45  05/18/12 05:39:45
krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM


# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar
kinit: Clients credentials have been revoked while getting initial credentials

>>> So far, this is as expected

# kinit admin
# ipa user-unlock fbar

# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:

>>> Now let's try to lock the account again:
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar
Password for fbar@IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials

>>> Failed login count is stuck at 1!

$ ipa user-status fbar
-----------------------
Account disabled: False
-----------------------
  Server: vm-034.idm.lab.bos.redhat.com
  Failed logins: 1
  Last successful authentication: 2012-05-17T10:18:13Z
  Last failed authentication: 2012-05-17T10:17:28Z
  Time now: 2012-05-17T10:18:46Z
----------------------------
Number of entries returned 1
----------------------------


krb5kdc log for logins where the failed count was not increased:
...
May 17 06:20:36 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
May 17 06:20:37 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): preauth (timestamp) verify failure: Decrypt integrity check failed
May 17 06:20:37 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: PREAUTH_FAILED: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Decrypt integrity check failed
May 17 06:20:44 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
May 17 06:20:45 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): preauth (timestamp) verify failure: Decrypt integrity check failed
May 17 06:20:45 vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: PREAUTH_FAILED: fbar@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Decrypt integrity check failed


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-13.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Add a new user with password
2. kinit as the new user
3. kinit with wrong password until password policy max auth count is exceeded
and kinit is refused
4. unlock user with admin account
5. try kinit-ing with wrong password, check the number of failed login counts

Actual results:
Failed login count is stuck at 1

Expected results:
Failed login count is not stuck, account is locked again after the max login
count is exceeded

Additional info:

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/05

7 years ago
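The comparison the reproduction steps make by hand (KDC-side failures versus the counter `ipa user-status` reports), as an added Python example that is not part of the ticket or of FreeIPA: it parses a `user-status` block and krb5kdc AS_REQ log lines modelled on the transcript above (constructed samples), counts the PREAUTH_FAILED events for the principal, and flags a counter that has fallen behind the KDC's own record. Function names, the sample values and the verdict strings are my own.

```python
import re

# Constructed samples modelled on the ticket's transcript, not captured from a
# live server: one `ipa user-status` block and the krb5kdc AS_REQ lines for
# four wrong-password kinit attempts against the same principal.
PRINCIPAL = "fbar@IDM.LAB.BOS.REDHAT.COM"
USER_STATUS = """\
  Server: vm-034.idm.lab.bos.redhat.com
  Failed logins: 1
  Last successful authentication: 2012-05-17T10:18:13Z
  Last failed authentication: 2012-05-17T10:17:28Z
  Time now: 2012-05-17T10:18:46Z
"""
_KDC = ("May 17 06:20:{sec:02d} vm-034.idm.lab.bos.redhat.com krb5kdc[14987](info): "
        "AS_REQ (4 etypes {{18 17 16 23}}) 10.16.78.34: {code}: " + PRINCIPAL +
        " for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, {msg}")
KDC_LOG = "\n".join(
    _KDC.format(sec=sec + off, code=code, msg=msg)
    for sec in (36, 44, 52, 58)  # one NEEDED_PREAUTH / PREAUTH_FAILED pair per attempt
    for off, code, msg in ((0, "NEEDED_PREAUTH", "Additional pre-authentication required"),
                           (1, "PREAUTH_FAILED", "Decrypt integrity check failed")))

STATUS_RE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<value>.+?)\s*$")
PREAUTH_FAILED_RE = re.compile(r"krb5kdc\[\d+\]\(info\): AS_REQ .*: PREAUTH_FAILED: (?P<princ>\S+) for ")


def parse_user_status(text):
    """Turn the indented 'Key: value' lines of `ipa user-status` into a dict."""
    matches = (STATUS_RE.match(line) for line in text.splitlines())
    return {m.group("key").strip(): m.group("value") for m in matches if m}


def count_preauth_failures(log, principal):
    """Count the AS_REQ PREAUTH_FAILED events the KDC logged for one principal."""
    matches = (PREAUTH_FAILED_RE.search(line) for line in log.splitlines())
    return sum(1 for m in matches if m and m.group("princ") == principal)


def lockout_audit(status_text, log, principal, max_failures):
    """Compare the counter IPA reports with what the KDC itself logged."""
    reported = int(parse_user_status(status_text)["Failed logins"])
    logged = count_preauth_failures(log, principal)
    if reported >= max_failures:
        return "LOCKED"         # counter reached the policy threshold
    if logged >= max_failures:
        return "COUNTER_STUCK"  # KDC saw enough failures to lock, IPA did not count them
    if reported != logged:
        return "MISMATCH"
    return "CONSISTENT"
```

Feed it the log window since the last unlock or successful authentication; with the ticket's policy (Max failures: 3) the sample above yields COUNTER_STUCK, which is the condition this ticket describes.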

