[Freeipa-users] How to determine cause/source of user lockout?

Prasun Gera prasun.gera at gmail.com
Tue May 17 19:11:42 UTC 2016


If it's the admin account, there would be a pretty good likelihood of
brute-force attempts if your server is on the internet. One option is to
rename it to something else.
On 17 May 2016 11:36 a.m., "Rich Megginson" <rmeggins at redhat.com> wrote:

> On 05/17/2016 08:18 AM, Rob Crittenden wrote:
>
>> John Duino wrote:
>>
>>> Is there a (relatively easy) way to determine what is causing a user
>>> account to be locked out? The admin account on our 'primary' ipa host is
>>> locked out frequently, but somewhat randomly; sometimes it will be less
>>> than 5 minutes it is available, and other times several hours.
>>>
>>> ipa user-status admin will show something like:
>>> Failed logins: 6
>>> Last successful authentication: 20160516214142Z
>>> Last failed authentication: 20160516224718Z
>>> Time now: 2016-05-16T22:52:00Z
>>>
>>> ipa user-unlock admin  does unlock it.
>>>
>>> But parsing through the various logs on the affected host doesn't give
>>> me what I need to know, primarily, which host(s) are trying to access
>>> admin and causing it to lock.
>>>
>>> FreeIPA 4.2.0 on CentOS 7.2.1511
>>>
>>
>> I think you'd need to poke around in the KDC and 389-ds access log to
>> find the auth attempts. I guess I'd look for PREAUTH_FAILED in
>> /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then
>> correlate the conn value with a BIND to see who was authenticating.
>>
>
> For 389 you can use the logconv.pl tool
>
>
>> rob
>>
>>
>
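
The 389-ds half of the correlation Rob describes, as an added example that is not part of the original thread: each `RESULT err=49` (LDAP invalidCredentials) is matched to its BIND by `conn`/`op`, and to the client address logged when that `conn` was opened. The log lines, addresses and DNs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in 389-ds access-log format (addresses and DNs are made up).
SAMPLE_LOG = """\
[16/May/2016:22:47:17 +0000] conn=101 fd=64 slot=64 connection from 192.0.2.15 to 192.0.2.1
[16/May/2016:22:47:17 +0000] conn=102 fd=65 slot=65 connection from 192.0.2.40 to 192.0.2.1
[16/May/2016:22:47:18 +0000] conn=101 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[16/May/2016:22:47:18 +0000] conn=102 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[16/May/2016:22:47:18 +0000] conn=101 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:47:18 +0000] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=test"
[16/May/2016:22:47:19 +0000] conn=101 op=1 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[16/May/2016:22:47:19 +0000] conn=101 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:47:20 +0000] conn=101 op=2 UNBIND
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT = re.compile(r'^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<ip>\S+) to ')
BIND = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

def failed_binds(lines):
    """Return (timestamp, client_ip, bind_dn) for every BIND answered with err=49."""
    client = {}   # conn -> source address from the "connection from" line
    binds = {}    # (conn, op) -> DN of a BIND still waiting for its RESULT
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, rest = m['conn'], m['rest']
        if (c := CONNECT.match(rest)):
            client[conn] = c['ip']
        elif (b := BIND.match(rest)):
            binds[(conn, b['op'])] = b['dn']
        elif (r := RESULT.match(rest)):
            dn = binds.pop((conn, r['op']), None)   # None: RESULT of a non-BIND op
            if dn is not None and r['err'] == '49':
                hits.append((m['ts'], client.get(conn, 'unknown'), dn))
    return hits

def summarize(lines):
    """Count failed binds per (client_ip, bind_dn), most frequent first."""
    return Counter((ip, dn) for _, ip, dn in failed_binds(lines)).most_common()

if __name__ == "__main__":
    for (ip, dn), n in summarize(SAMPLE_LOG.splitlines()):
        print(f"{n:4d}  {ip:15s}  {dn}")
```

Failures that arrive over Kerberos do not appear here; those are the PREAUTH_FAILED entries in /var/log/krb5kdc.log mentioned above.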