On Sunday, June 22, 2025 11:08:43 AM Central Daylight Time Anthony Messina via FreeIPA-users wrote:
> With FreeIPA 4.12.2-14.fc42 (and likely before), I have two hosts created in
> February 2025 that trigger the following:
> ns-slapd: ALERT - ipalockout_postop - User
> fqdn=ws1.example.com,cn=computers,cn=accounts,dc=example,dc=com is locked
> out. Too many failed authentication attempts.
> They were enrolled using OTP just like my other hosts in the past have been.
> They are the only two hosts in my dual-master FreeIPA setup with multiple
> hosts that show krbLastFailedAuth and krbLoginFailedCount:
> ~]# ipa host-show ws1 --all --raw
> ...
> has_password: FALSE
> has_keytab: TRUE
> krbLastFailedAuth: 20250217182326Z
> krbLastPwdChange: 20250216234605Z
> krbLoginFailedCount: 0
>
> How do they get this way and is there a way to "unlock" these hosts?
> Thanks.

This logging appears to be related to the change at https://github.com/freeipa/freeipa/commit/dfcc25525ac8f2be4a5ecd8b7bcac8f282b9c4cd
and the presence of either krbLoginFailedCount and/or krbLastFailedAuth, regardless of their content. For now, I have removed those attributes from the two host fqdn entries on each replica.
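
An added example, not part of the original message and not FreeIPA code: a Python script that scans LDIF search output for host entries carrying either attribute named above, whatever its value, and renders the ldapmodify input that deletes them, which is the workaround the message describes. The sample LDIF, the function names and the `fqdn=` host filter are assumptions of this example.

```python
import base64

# Constructed sample: shaped like `ldapsearch -o ldif-wrap=no` output for host entries.
SAMPLE_LDIF = """\
dn: fqdn=ws1.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbLastFailedAuth: 20250217182326Z
krbLoginFailedCount: 0
krbLastPwdChange: 20250216234605Z

dn: fqdn=ws2.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20250301000000Z

dn: fqdn=ws3.example.com,cn=computers,cn=accounts,dc=example,dc=com
krblastfailedauth: 20250220101500Z
"""

LOCKOUT_ATTRS = ("krbLoginFailedCount", "krbLastFailedAuth")  # names from the message

def _value(raw):  # a leading ':' marks a base64 value ('attr:: ...')
    return base64.b64decode(raw[1:]).decode() if raw.startswith(":") else raw.strip()

def find_flagged_hosts(ldif):
    """Map host DN -> lockout attributes present on it, whatever their value."""
    flagged = {}
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        dn, present = None, set()
        for line in block.splitlines():
            name, sep, raw = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if name.lower() == "dn":
                dn = _value(raw)
            else:
                present.add(name.split(";")[0].lower())  # drop ';option' suffixes
        hits = [a for a in LOCKOUT_ATTRS if a.lower() in present]
        if dn and dn.lower().startswith("fqdn=") and hits:
            flagged[dn] = hits
    return flagged

def build_cleanup_ldif(flagged):
    """Render ldapmodify input that deletes only the attributes each entry has."""
    out = []
    for dn, attrs in flagged.items():
        mods = "\n-\n".join(f"delete: {a}" for a in attrs)
        out.append(f"dn: {dn}\nchangetype: modify\n{mods}\n-\n")
    return "\n".join(out)
```

Feed it each replica's own search output, since the message removed the attributes on each replica separately.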
