[Freeipa-users] How to determine cause/source of user lockout?

Rich Megginson rmeggins at redhat.com
Tue May 17 15:33:45 UTC 2016


On 05/17/2016 08:18 AM, Rob Crittenden wrote:
> John Duino wrote:
>> Is there a (relatively easy) way to determine what is causing a user
>> account to be locked out? The admin account on our 'primary' ipa host is
>> locked out frequently, but somewhat randomly; sometimes it will be less
>> than 5 minutes it is available, and other times several hours.
>>
>> ipa user-status admin will show something like:
>> Failed logins: 6
>> Last successful authentication: 20160516214142Z
>> Last failed authentication: 20160516224718Z
>> Time now: 2016-05-16T22:52:00Z
>>
>> ipa user-unlock admin  does unlock it.
>>
>> But parsing through the various logs on the affected host doesn't give
>> me what I need to know, primarily, which host(s) are trying to access
>> admin and causing it to lock.
>>
>> FreeIPA 4.2.0 on CentOS 7.2.1511
>
> I think you'd need to poke around in the KDC and 389-ds access log to 
> find the auth attempts. I guess I'd look for PREAUTH_FAILED in 
> /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then 
> correlate the conn value with a BIND to see who was authenticating.

For 389 you can use the logconv.pl tool

>
> rob
>
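The correlation Rob describes (match each `err=49` RESULT in the 389-ds access log to the BIND on the same `conn`/`op` and to the `connection from` line that names the client, and pull the client address out of `PREAUTH_FAILED` entries in krb5kdc.log) as an added Python example; this is not code from the thread or from FreeIPA, and the log lines, IP addresses and DNs below are constructed samples in the two logs' formats.

```python
import re
from collections import Counter

# Constructed sample lines in 389-ds access-log format (placeholder hosts/DNs).
ACCESS_LOG = """\
[16/May/2016:22:47:10 +0000] conn=101 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[16/May/2016:22:47:10 +0000] conn=101 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:10 +0000] conn=101 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:47:11 +0000] conn=102 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[16/May/2016:22:47:11 +0000] conn=102 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:11 +0000] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/May/2016:22:47:18 +0000] conn=103 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.1
[16/May/2016:22:47:18 +0000] conn=103 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:18 +0000] conn=103 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""
# Constructed sample lines in krb5kdc.log format: the AS_REQ entry carries the client IP.
KDC_LOG = """\
May 16 22:47:18 ipa.example.com krb5kdc[5012](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 16 22:47:19 ipa.example.com krb5kdc[5012](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1463438839, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

CONN_FROM = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to")
BIND = re.compile(r"conn=(\d+) op=(\d+) BIND dn=\"([^\"]*)\"")
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
PREAUTH = re.compile(r"AS_REQ .*? (\S+): PREAUTH_FAILED: (\S+) for")

def failed_binds(lines):
    """Return (client_ip, bind_dn) for every BIND whose RESULT is err=49 (invalid credentials)."""
    ip_by_conn, dn_by_op, hits = {}, {}, []
    for line in lines:
        if m := CONN_FROM.search(line):          # remember who opened each connection
            ip_by_conn[m[1]] = m[2]
        elif m := BIND.search(line):             # remember which DN each op tried to bind as
            dn_by_op[(m[1], m[2])] = m[3]
        elif (m := RESULT.search(line)) and m[3] == "49":
            hits.append((ip_by_conn.get(m[1], "?"), dn_by_op.get((m[1], m[2]), "?")))
    return hits

def failed_preauth(lines):
    """Return (client_ip, principal) for every PREAUTH_FAILED entry in the KDC log."""
    return [(m[1], m[2]) for m in map(PREAUTH.search, lines) if m]

def sources(access_lines, kdc_lines):
    """Count failed attempts per client address across both logs."""
    return Counter(ip for ip, _ in failed_binds(access_lines) + failed_preauth(kdc_lines))

if __name__ == "__main__":
    for ip, n in sources(ACCESS_LOG.splitlines(), KDC_LOG.splitlines()).most_common():
        print(f"{ip}: {n} failed attempt(s)")
```

On a real server, feed it `/var/log/dirsrv/slapd-<INSTANCE>/access` and `/var/log/krb5kdc.log` (rotated files included), and restrict the BIND filter to the locked account's DN if other users' failures clutter the count.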
