[Freeipa-users] How to determine cause/source of user lockout?

Rob Crittenden rcritten at redhat.com
Tue May 17 14:18:05 UTC 2016


John Duino wrote:
> Is there a (relatively easy) way to determine what is causing a user
> account to be locked out? The admin account on our 'primary' ipa host is
> locked out frequently, but somewhat randomly; sometimes it is available
> for less than 5 minutes, and other times for several hours.
>
> ipa user-status admin will show something like:
> Failed logins: 6
> Last successful authentication: 20160516214142Z
> Last failed authentication: 20160516224718Z
> Time now: 2016-05-16T22:52:00Z
>
> ipa user-unlock admin  does unlock it.
>
> But parsing through the various logs on the affected host doesn't give
> me what I need to know, primarily, which host(s) are trying to access
> admin and causing it to lock.
>
> FreeIPA 4.2.0 on CentOS 7.2.1511

I think you'd need to poke around in the KDC and 389-ds access log to 
find the auth attempts. I guess I'd look for PREAUTH_FAILED in 
/var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then 
correlate the conn value with a BIND to see who was authenticating.

rob
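As an added example of the correlation Rob describes (this is editor-written code, not from the thread or from the FreeIPA project), the script below reads the 389-ds access log and krb5kdc.log, picks out BIND operations whose RESULT is err=49 and AS_REQ lines that end in PREAUTH_FAILED, and tallies them per client address. It assumes the usual 389-ds access-log layout (the RESULT line names only conn/op, so the client IP has to be joined from the earlier "connection from" line for that conn) and a syslog-style krb5kdc.log, where the client address is already on the line. The log excerpts embedded below are constructed for the example, not taken from the poster's hosts.

```python
"""Attribute failed authentications for one FreeIPA user to client addresses
by correlating the 389-ds access log with the KDC log.

Added example; the log excerpts are constructed, not from a real system.
"""
import re
from collections import Counter

# Constructed excerpt in 389-ds access-log format. err=49 is LDAP
# invalidCredentials; the RESULT line carries no client address.
DS_ACCESS_LOG = """\
[16/May/2016:22:40:11 +0000] conn=1201 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[16/May/2016:22:40:11 +0000] conn=1201 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:40:11 +0000] conn=1201 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:40:12 +0000] conn=1201 op=1 UNBIND
[16/May/2016:22:40:12 +0000] conn=1201 op=1 fd=64 closed - U1
[16/May/2016:22:41:03 +0000] conn=1202 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[16/May/2016:22:41:03 +0000] conn=1202 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:41:03 +0000] conn=1202 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/May/2016:22:47:18 +0000] conn=1203 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.1
[16/May/2016:22:47:18 +0000] conn=1203 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:18 +0000] conn=1203 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Constructed excerpt in krb5kdc.log format (syslog-style prefix assumed).
KDC_LOG = """\
May 16 22:45:02 ipa.example.com krb5kdc[2187](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 16 22:45:02 ipa.example.com krb5kdc[2187](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1463438702, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 16 22:47:18 ipa.example.com krb5kdc[2187](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

CONN_FROM = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'(?:SSL )?connection from (?P<ip>\S+) to ')
BIND = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')
PREAUTH = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): AS_REQ .*? '
    r'(?P<ip>[0-9A-Fa-f.:]+): PREAUTH_FAILED: (?P<princ>\S+) for ')


def ldap_bind_failures(access_log, uid=None):
    """Return BIND operations whose RESULT is err=49, joined to the client IP.

    Each event is {ts, ip, who, conn, source}. With uid set, only bind DNs
    whose leading RDN is uid=<uid> are kept.
    """
    conn_ip = {}   # conn -> client IP; a later "connection from" overwrites
    pending = {}   # (conn, op) -> bind DN still waiting for its RESULT
    events = []
    for line in access_log.splitlines():
        m = CONN_FROM.match(line)
        if m:
            conn_ip[m['conn']] = m['ip']
            continue
        m = BIND.match(line)
        if m:
            pending[(m['conn'], m['op'])] = m['dn']
            continue
        m = RESULT.match(line)
        if not m:
            continue
        dn = pending.pop((m['conn'], m['op']), None)
        if dn is None or m['err'] != '49':
            continue   # not a bind result, or the bind succeeded
        rdn = dn.split(',', 1)[0]
        if uid is not None and rdn.lower() != f'uid={uid.lower()}':
            continue
        events.append({'ts': m['ts'], 'ip': conn_ip.get(m['conn'], '?'),
                       'who': dn, 'conn': m['conn'], 'source': 'ldap'})
    return events


def kdc_preauth_failures(kdc_log, principal=None):
    """Return PREAUTH_FAILED AS_REQ entries; the KDC logs the client inline."""
    events = []
    for line in kdc_log.splitlines():
        m = PREAUTH.match(line)
        if m and (principal is None or m['princ'] == principal):
            events.append({'ts': m['ts'], 'ip': m['ip'], 'who': m['princ'],
                           'source': 'kdc'})
    return events


def count_by_source(events):
    """Tally failures per client IP: these are the hosts to go and inspect."""
    return dict(Counter(e['ip'] for e in events))


if __name__ == '__main__':
    found = (ldap_bind_failures(DS_ACCESS_LOG, uid='admin')
             + kdc_preauth_failures(KDC_LOG, principal='admin@EXAMPLE.COM'))
    for e in found:
        print(f"{e['source']:4} {e['ts']:28} {e['ip']:15} {e['who']}")
    print(count_by_source(found))
```

To run it against real logs, replace the two constants with the contents of /var/log/krb5kdc.log and /var/log/dirsrv/slapd-<instance>/access. Both logs need to be read because a password failure arriving as a Kerberos AS_REQ is recorded by the KDC, while one arriving as an LDAP simple bind is recorded by 389-ds, and the two are not cross-logged. Two practical caveats: 389-ds buffers access-log writes by default (nsslapd-accesslog-logbuffering), so the most recent attempts may not be on disk yet when you look, and failed-login counts are kept per server, so the replica whose `ipa user-status` line shows the failures is the one whose logs to read.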