[Freeipa-users] Credentials constantly revoked for admin user

Alexander Bokovoy abokovoy at redhat.com
Wed May 6 14:23:58 UTC 2015


On Mon, 04 May 2015, Andrew Morone wrote:
>I'm having this issue. I discovered when I would randomly get locked out of
>the admin account with the usual:
>kinit: Clients credentials have been revoked while getting initial
>credentials
>
>
>The scenario would go as follows:
>Sometimes I would try to issue "kinit admin", with the correct credentials
>only to be met with the above results. Other times it would work fine, only
>to fail when running an 'ipa' command.
>
>Anyway, I discovered a bunch of failed auth entries for admin in the logs,
>coming from clients. This would be mixed with successful logins from the
>same machine. So what it looks like is happening is that these failed
>logins would lock me out, sometimes in the middle of a session. Just
>waiting 60 seconds for the lock out to time out would allow me to continue
>my work. Has anyone seen this issue before? I'm using ipa server 3.0 on a
>CentOS 6.6 server.

Are you using admin credentials as a bind DN from some application? Or
is some application which authenticates against LDAP being DoSed by someone?

In any case you would need to look at
/var/log/dirsrv/slapd-<INSTANCE>/access and /var/log/krb5kdc.log. Both
logs have enough information to identify from which hosts these
authentication attempts come and narrow down exploration of what happens
on those hosts.

-- 
/ Alexander Bokovoy
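
The log triage suggested in the reply above, as an added example that is not part of the original message: it counts failed and locked-out Kerberos AS requests and failed LDAP binds for admin per client address. The sample log lines are constructed in the usual krb5kdc.log and 389-ds access log layouts; the realm, addresses and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual krb5kdc.log and 389-ds access log layouts.
KDC_LOG = """\
May 04 10:15:30 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 04 10:15:31 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
May 04 10:15:32 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
May 04 10:15:40 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
May 04 10:15:41 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""
ACCESS_LOG = """\
[04/May/2015:10:15:31 -0400] conn=7 fd=64 slot=64 connection from 192.0.2.15 to 192.0.2.1
[04/May/2015:10:15:31 -0400] conn=7 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[04/May/2015:10:15:31 -0400] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/May/2015:10:15:40 -0400] conn=8 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.1
[04/May/2015:10:15:40 -0400] conn=8 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[04/May/2015:10:15:40 -0400] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""
KDC = re.compile(r"(\S+): (PREAUTH_FAILED|LOCKED_OUT): (\S+) for ")
CONN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

def kdc_failures(text, principal="admin@"):
    """Count failed or locked-out AS_REQs for the principal per (client address, KDC status)."""
    hits = Counter()
    for m in KDC.finditer(text):
        if m.group(3).startswith(principal):
            hits[(m.group(1), m.group(2))] += 1
    return hits

def ldap_bind_failures(text, dn_prefix="uid=admin,"):
    """Count err=49 (invalid credentials) BIND results for the DN per client address."""
    peer, binds, hits = {}, {}, Counter()
    for line in text.splitlines():
        if m := CONN.search(line):
            peer[m.group(1)] = m.group(2)          # connection number -> client address
        elif m := BIND.search(line):
            binds[m.group(1, 2)] = m.group(3)      # (conn, op) -> bind DN
        elif m := RESULT.search(line):
            dn = binds.pop(m.group(1, 2), "")      # match the result to its BIND
            if m.group(3) == "49" and dn.lower().startswith(dn_prefix):
                hits[peer.get(m.group(1), "unknown")] += 1
    return hits

if __name__ == "__main__":
    for (addr, status), n in kdc_failures(KDC_LOG).most_common():
        print(f"krb5kdc  {addr:<12} {status:<15} {n}")
    for addr, n in ldap_bind_failures(ACCESS_LOG).most_common():
        print(f"dirsrv   {addr:<12} err=49          {n}")
```

An address that shows repeated PREAUTH_FAILED or err=49 entries for admin is the host to inspect for a stale keytab, cached password or misconfigured bind DN.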



