Janelle wrote:
You will find, if you check in the ns-slapd "errors" log that this
server may no longer be handling replication correctly.
Look in /var/log/dirsrv/slapd-INSTANCE..../errors
This probably doesn't have anything to do with replication. Lockout is
per-master because failed (and successful) logins are not replicated due
to the performance issues that would bring. Image 500 people all logging
in at the same time in the morning how busy all the masters would be
replicating the successes and failures.
So this is a perfectly reasonable scenario where on one master the admin
has violated the password lockout policy and is locked out but can still
log in to other masters.
ipa user-status <user> will show the lockout attributes by master. And
ipa user-unlock <user> will unlock them.
rob
Look for errors where replication is not starting correctly because of
credential problems. You may have to re-init this replica.
The reason "admin" is locked out is that something gets screwed up with
the keytab file that was originally installed (I have not found the
cause yet, only experienced the exact same thing)
Once the keytab file is messed up, others servers can't authenticate and
therefore the ADMIN account gets locked out. If you restart the server,
it will clear for a little while, but go rgiht back to being locked out.
Solution - delete the replica and recreate.
~J
On 9/3/15 2:08 AM, Torsten Harenberg wrote:
Dear all,
I cannot get an "admin" kerberos token anymore on our main IPA server:
[root@ipa log]# kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials
Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
[email protected] for
krbtgt/[email protected], Clients
credentials have been revoked
also login via HTTP is not possible anymore:
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH:
HTTP/[email protected] for
krbtgt/[email protected], Additional
pre-authentication required
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime
1441271092, etypes {rep=18 tkt=18 ses=18},
HTTP/[email protected] for
krbtgt/[email protected]
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
[email protected] for
krbtgt/[email protected], Clients
credentials have been revoked
while the same works on the secondary server.
I read
http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html
but this did not give me a clue how to get out of this.
I am pretty sure that I never entered a wrong password, but of course
someone could have tried to log in on the Web interface.
Any idea how this can be resolved?
Kind regards
Torsten
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
