[Freeipa-users] admin loses access?

Rob Crittenden rcritten at redhat.com
Mon Oct 5 15:19:22 UTC 2015


Janelle wrote:
> On 10/5/15 7:39 AM, Rob Crittenden wrote:
>> Torsten Harenberg wrote:
>>> Hi Janelle,
>>>
>>> Am 04.10.2015 um 19:25 schrieb Janelle:
>>>> Just wondering if anyone knows why this happens from time to time on
>>>> servers:
>>>>
>>>> $ kinit admin
>>>> kinit: Clients credentials have been revoked while getting initial
>>>> credentials
>>>>
>>>> there are no failed logins to the admin account - not even any login
>>>> attempts, so it is not like someone is getting the account locked out.
>>>> Just curious if anyone else has seen it. With 16 masters, it occurs
>>>> randomly on some hosts, but eventually clears either on its own or with
>>>> a restart of IPA. However, I just restarted IPA on this server and
>>>> after
>>>> about 2-3 minutes it works again.
>>>>
>>> I am seeing the same, see my mail "kinit admin not working anymore
>>> (LOCKED_OUT: Clients credentials have been revoked)" from 03-SEPT.
>>> Actually, wasn't it you who wanted to open a ticket?
>>>
>>> Have a nice evening,
>>>
>>>    Torsten
>>>
>> When you see this run `ipa user-status admin` and `ipa pwpolicy-show
>> --user=admin` and provide that so we can potentially see what is going
>> on.
>>
>> rob
>>
> I am curious -- if you have 16 masters, but this only happens once in
> awhile on 1 or 2 servers, how does the pwpolicy fit in? I am trying to
> understand the thinking of where you are going?? I will for sure do this
> the next time it happens, but I want to understand logic?

Lockout is per-master because the failed auth count and successful login
date are not replicated due to performance issues.

The user-status command will collect the lockout attributes from each
server, but it doesn't do the calculations, so the pwpolicy is needed as
well in order to figure out whether on a given master the user is locked
out.

rob
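
The per-master calculation described above, as an added example that is not part of the original message or of FreeIPA's own code. It assumes the usual Kerberos lockout rule (locked once the failed count reaches the policy's max failures, until the lockout duration has passed since the last failure, with a duration of 0 meaning no automatic unlock); the host names, field names and values are constructed.

```python
from datetime import datetime, timedelta, timezone


def is_locked_out(failed, last_failed, now, max_failures, lockout_duration):
    """Decide lockout for ONE master from its local, non-replicated counters.

    Assumed rule (not taken from the thread): locked when failed >= max_failures
    and the last failure is still inside lockout_duration seconds.
    """
    if max_failures == 0 or failed < max_failures:
        return False              # lockout disabled, or still under the limit
    if last_failed is None:
        return False              # no failure recorded on this master
    if lockout_duration == 0:
        return True               # no automatic unlock
    return last_failed + timedelta(seconds=lockout_duration) > now


def locked_masters(per_master, policy, now):
    """Return the sorted list of masters on which the user is locked out."""
    return sorted(
        server
        for server, st in per_master.items()
        if is_locked_out(st["failed"], st["last_failed"], now,
                         policy["max_failures"], policy["lockout_duration"])
    )


# Constructed sample data: what `ipa user-status admin` would be collected
# for on each master, reduced to the two values the calculation needs.
NOW = datetime(2015, 10, 5, 15, 0, tzinfo=timezone.utc)
PER_MASTER = {
    "ipa01.example.test": {"failed": 0, "last_failed": None},
    "ipa02.example.test": {"failed": 6, "last_failed": NOW - timedelta(minutes=5)},
    "ipa03.example.test": {"failed": 6, "last_failed": NOW - timedelta(minutes=20)},
    "ipa04.example.test": {"failed": 2, "last_failed": NOW - timedelta(minutes=1)},
}
# Constructed policy values standing in for `ipa pwpolicy-show --user=admin`.
POLICY = {"max_failures": 6, "lockout_duration": 600}

if __name__ == "__main__":
    for server in locked_masters(PER_MASTER, POLICY, NOW):
        print("locked out on", server)
```

With this sample only ipa02 reports the lockout: ipa03 has the same failed count, but its lockout duration has already passed, which matches a lockout that shows up on one master and later clears on its own.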
