Janelle wrote: > On 10/5/15 7:39 AM, Rob Crittenden wrote: >> Torsten Harenberg wrote: >>> Hi Janelle, >>> >>> Am 04.10.2015 um 19:25 schrieb Janelle: >>>> Just wondering if anyone knows why this happens from time to time on >>>> servers: >>>> >>>> $ kinit admin >>>> kinit: Clients credentials have been revoked while getting initial >>>> credentials >>>> >>>> there are no failed logins to the admin account - not even any login >>>> attempts, so it is not like someone is getting the account locked out. >>>> Just curious if anyone else has seen in. With 16 masters, it occurs >>>> randomly on some hosts, but eventually clears either on its own or with >>>> a restart of IPA. However, I just restarted IPA on this server and >>>> after >>>> about 2-3 minutes it works again. >>>> >>> I am seeing the same, see my mail "kinit admin not working anymore >>> (LOCKED_OUT: Clients credentials have been revoked)" from 03-SEPT. >>> Actually, wasn't it you who wanted to open a ticket? >>> >>> Have a nice evening, >>> >>> Torsten >>> >> When you see this run `ipa user-status admin` and `ipa pwpolicy-show >> --user=admin` and provide that so we can potentially see what is going >> on. >> >> rob >> > I am curious -- if you have 16 masters, but this only happens once in > awhile on 1 or 2 servers, how does the pwpolicy fit in? I am trying to > understand the thinking of where you are going?? I will for sure do this > the next time it happens, but I want to understand logic?
Lockout is per-master because the failed auth count and successful login date is not replicated due to performance issues. The user-status command will collect the lockout attributes from each server, but it doesn't do the calculations, so the pwpolicy is needed as well in order to figure out whether on a given master the user is locked out. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
