On Wed, 11 Jul 2018, skrawczenko--- via FreeIPA-users wrote:
> Unfortunately, I can't see anything suspicious in krb5kdc.log.
> Multiple hosts request a TGT in NEEDED_PREAUTH:host/<hostname> - ISSUE dialogs.
> No errors, and 'admin' is not encountered anywhere.
> I'm having a concern that older machines could have been enrolled (ipa-client) with the
> admin user.
> Could you suggest where I can check this setting on the client machines and modify it if
> needed?
When a machine is enrolled as admin, those admin credentials are not
stored anywhere. So that shouldn't be an issue.
However, if the admin account is still locked out, you have two sources for
possible lockouts:
- KDC locking out for invalid TGTs
- LDAP servers locking out for invalid LDAP BIND requests.
As you are saying it is not the former, maybe it is the latter?
You can use
egrep '(BIND.*dn=\"|RESULT.*dn=\"|RESULT err=49)' /var/log/dirsrv/slapd-$INSTANCE/access
to pull out all authentication requests, successful or not, from the LDAP
server access log. For successful requests the 'RESULT ' entry would have
'dn="some-dn"', while for unsuccessful ones the BIND entries will have the
actual DN value. Each entry has a 'conn=XYZ' property which shows the id of a
connection made by a client, and the first line with that conn=XYZ id
would also have the IP address of the client.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
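The correlation Alexander describes (BIND dn -> RESULT err=49 on the same conn=XYZ op=N -> client IP from the first line carrying that conn id) can be done mechanically instead of by eyeballing the egrep output. The script below is an added example, not code from the thread or from the FreeIPA project; it runs over a constructed sample of 389-ds access log lines whose layout approximates the real format (the `connection from`, `BIND dn=`, `RESULT err=` and `closed` lines) and reports, per DN, which client addresses produced failed binds. It assumes the DNs, IPs and conn numbers shown, which are invented for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of a 389-ds access log (not taken from the original thread).
# Two connections bind as admin with a bad password (err=49), one binds
# successfully as alice, one is an anonymous bind.
SAMPLE_LOG = """\
[11/Jul/2018:10:15:01.000000000 +0300] conn=1234 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10
[11/Jul/2018:10:15:01.100000000 +0300] conn=1234 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:01.200000000 +0300] conn=1234 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[11/Jul/2018:10:15:02.000000000 +0300] conn=1234 op=1 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:02.100000000 +0300] conn=1234 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001
[11/Jul/2018:10:15:02.200000000 +0300] conn=1234 op=2 UNBIND
[11/Jul/2018:10:15:02.300000000 +0300] conn=1234 op=-1 fd=64 closed - U1
[11/Jul/2018:10:15:03.000000000 +0300] conn=1235 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.10
[11/Jul/2018:10:15:03.100000000 +0300] conn=1235 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:03.200000000 +0300] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com"
[11/Jul/2018:10:15:04.000000000 +0300] conn=1236 fd=66 slot=66 SSL connection from 10.0.0.8 to 10.0.0.10
[11/Jul/2018:10:15:04.100000000 +0300] conn=1236 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[11/Jul/2018:10:15:04.200000000 +0300] conn=1236 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[11/Jul/2018:10:15:05.000000000 +0300] conn=1237 fd=67 slot=67 connection from 10.0.0.9 to 10.0.0.10
[11/Jul/2018:10:15:05.100000000 +0300] conn=1237 op=0 BIND dn="" method=128 version=3
[11/Jul/2018:10:15:05.200000000 +0300] conn=1237 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000 dn=""
"""

# First line of a connection: carries the client IP for that conn id.
OPEN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
# Connection teardown: conn ids get reused after a close, so forget the mapping.
CLOSE_RE = re.compile(r'conn=(\d+) op=-?\d+ fd=\d+ closed')
# BIND request (carries the DN even when the bind later fails).
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# Result of any operation; matched back to the BIND via (conn, op).
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

LDAP_INVALID_CREDENTIALS = 49


def parse_binds(lines):
    """Return one record per completed BIND: conn, op, dn, client ip, err."""
    conn_ip = {}      # conn id -> client IP, valid until that conn is closed
    pending = {}      # (conn, op) -> DN of a BIND whose RESULT has not been seen
    records = []
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = CLOSE_RE.search(line)
        if m:
            conn_ip.pop(m.group(1), None)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3) or "(anonymous)"
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            conn, op, err = m.group(1), m.group(2), int(m.group(3))
            records.append({
                "conn": conn,
                "op": op,
                "dn": pending.pop((conn, op)),
                # "unknown" when the connection was opened before the log window
                "ip": conn_ip.get(conn, "unknown"),
                "err": err,
            })
    return records


def failed_binds_by_dn(records):
    """Map DN -> {client ip -> number of err=49 bind failures}."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["err"] == LDAP_INVALID_CREDENTIALS:
            summary[r["dn"]][r["ip"]] += 1
    return {dn: dict(ips) for dn, ips in summary.items()}


if __name__ == "__main__":
    # Point this at /var/log/dirsrv/slapd-$INSTANCE/access on a real server.
    recs = parse_binds(SAMPLE_LOG.splitlines())
    for dn, ips in failed_binds_by_dn(recs).items():
        for ip, n in ips.items():
            print(f"{n:3d} failed bind(s) as {dn} from {ip}")
```

On a live server, replace `SAMPLE_LOG.splitlines()` with the lines of the access log; the `(conn, op)` pairing is what keeps a failure attributed to the right BIND when several operations share one connection, and dropping the IP mapping on the `closed` line avoids blaming a later client that happens to get the same conn id.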