[Freeipa-users] User Lockout even with special password Policy

Rob Crittenden rcritten at redhat.com
Thu Jan 14 18:06:35 UTC 2016


Matt . wrote:
> OK, this looks good, but keeps the user locked from time to time:
> 
> # ipa pwpolicy-show --user kinit-user
>   Group: service_accounts
>   Max lifetime (days): 1024
>   Min lifetime (hours): 0
>   Lockout duration: 0

As I said before, you need maxfail = 0 to disable lockout.

> Can we make sure we apply a policy to the sysaccounts users or is that
> undoable?

You'd have to set krbPwdPolicyReference to the dn of the policy you want
to use for that sysaccount user. That requires the objectclass
krbPrincipalAux.

rob

> 
> 2016-01-14 16:58 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> OK, nice, but this user failed on kinit but is in the group where the
>>> policy is set to 0.
>>>
>>> Can I check on the command line if it applies to that setting by
>>> querying LDAP in some way? It could be that some other group
>>> overrules in some way?
>>
>> $ ipa pwpolicy-show --user <someuser>
>>
>>> What about sysaccounts? They seem to be locked also with too many
>>> logins, and this concerns me as they are not POSIX.
>>
>> They may be getting the global policy applied.
>>
>> rob
>>
>>>
>>>
>>>
>>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> Hi Guys,
>>>>>
>>>>> I'm having an issue that a user which I use for the API is getting
>>>>> locked out from time to time.
>>>>>
>>>>> I have created a specific password policy for this user with:
>>>>>
>>>>> Lockout duration (seconds) 0
>>>>>
>>>>> But this doesn't help much.
>>>>>
>>>>> Anyone have an idea how I can make sure a user is not locked out in any way
>>>>> by lots of logins or tries, etc. and be able to test it functions
>>>>> alright?
>>>>
>>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>>> sure to test both LDAP bind and kinit.
>>>>
>>>> rob
>>>>
>>>
>>
> 
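As an added example (not code from this thread or from FreeIPA itself) covering both of Rob's points: a check that a policy really has Max failures set to 0 rather than only Lockout duration 0, and the LDIF that points a sysaccount at a policy through krbPwdPolicyReference. The DNs and the sample pwpolicy-show output are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Two helpers:
#  1. check_maxfail: reads `ipa pwpolicy-show` output and reports whether
#     the policy actually disables lockout (Max failures: 0). Lockout
#     duration 0 alone does not stop the account from being locked.
#  2. policy_ref_ldif: builds the LDIF that binds a sysaccount to a named
#     password policy via krbPwdPolicyReference, adding krbPrincipalAux.
# All DNs and the sample output below are constructed for illustration.

# Constructed stand-in for: ipa pwpolicy-show --user kinit-user
SAMPLE_PWPOLICY='  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Max failures: 6
  Lockout duration: 0'

# check_maxfail <pwpolicy-show output>
# exit 0: lockout disabled (Max failures: 0)
# exit 1: account locks after N failures
# exit 2: field absent (output did not come from pwpolicy-show)
check_maxfail() {
    maxfail=$(printf '%s\n' "$1" |
        sed -n 's/^ *Max failures: *\([0-9][0-9]*\) *$/\1/p')
    [ -z "$maxfail" ] && return 2
    [ "$maxfail" -eq 0 ]
}

# policy_ref_ldif <account dn> <policy dn>
# Prints an LDIF for ldapmodify (run as Directory Manager) that adds the
# krbPrincipalAux objectclass and sets krbPwdPolicyReference on the account.
policy_ref_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: objectclass\nobjectclass: krbPrincipalAux\n-\n'
    printf 'add: krbPwdPolicyReference\nkrbPwdPolicyReference: %s\n' "$2"
}

if check_maxfail "$SAMPLE_PWPOLICY"; then
    echo "lockout disabled (Max failures: 0)"
else
    echo "lockout still active: ipa pwpolicy-mod service_accounts --maxfail=0"
fi

policy_ref_ldif "uid=kinit-user,cn=sysaccounts,cn=etc,dc=example,dc=com" \
    "cn=service_accounts,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
```

Feed the printed LDIF to `ldapmodify -x -D "cn=Directory Manager" -W`, then confirm with `ipa pwpolicy-show --user` and test both an LDAP bind and a kinit, as suggested in the thread.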