Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1276351
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: IPA update file /usr/share/ipa/updates/50-lockout-policy.update updates value of attribute krbPwdMaxFailure from 3 to 6 when IPA is upgraded Version-Release number of selected component (if applicable): ipa-server-4.1.0 How reproducible: Always, when IPA server is upgraded. Steps to Reproduce: 1. Set value of krbPwdMaxFailure attribute to '3' 2. Upgrade IPA server 3. Check value of krbPwdMaxFailure, it should show '6' Actual results: Value of krbPwdMaxFailure is changed from 3 to 6 Expected results: Value of krbPwdMaxFailure should NOT changed to '6', it should the value which was set before upgrade Additional info: From test IPA server: --- # rpm -q ipa-server ipa-server-4.1.0-18.el7_1.4.x86_64 # rpm -ql ipa-server | grep policy /usr/share/ipa/updates/50-lockout-policy.update # cat /usr/share/ipa/updates/50-lockout-policy.update dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX replace:krbPwdLockoutDuration:10::600 replace: krbPwdMaxFailure:3::6 <------------------------------ ---
Note: defaults for global_policy were changed and this update file was added in IPA 2.0 RC2: #930 which means that all existing RHEL 6/7 IPA installation run this update or were installed with changed defaults. If krbPwdMaxFailure is 3 then it is a deliberate change.
Therefore removal of this update file should be fine.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1276358 (Red Hat Enterprise Linux 6)
attachment freeipa-rga-0061-Remove-50-lockout-policy.update-file.patch
master:
Metadata Update from @pvoborni: - Issue assigned to rga - Issue set to the milestone: FreeIPA 4.3
Login to comment on this ticket.