Thank you for the response,

This started when I was trying to add a Rocky Linux 8 replica to a CentOS 7 master node. The replica add process failed, and after that this new issue with the admin account lockout started. I did remove the bad replica, but the admin account is still getting locked.

What do you mean by closing the SSH port? How can I manage this server without SSH?

How do I disable locking of admin accounts? Do you have a command handy? I tried Google and there is lots of other info, but nothing related to password policy.



On Fri, May 10, 2024 at 2:00 AM Yavor Marinov <ymarinov@gmail.com> wrote:
Hey Satish,

I had the same issue when initially installing and integrating FreeIPA. In my case it was an enrolled host which had its SSH port open, which led to numerous authentication requests for user admin.
I would suggest a couple of measures: closing SSH ports and allowing only authentication with keys, increasing lock attempts for logging in, or (I personally do not use it) disabling the locking IPA-wide.

On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Folks,

I have noticed my admin account keeps getting locked out because of failed attempts, but I don't know from where or how. I tried to dig into the logs but didn't find any trace of an attempt.

$ ipa-replica-manage list
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Server is unwilling to perform: Too many failed logins.

$ ipa user-show --all admin
  dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS: Administrator
  Login shell: /bin/bash
  Principal alias: admin@FOO.COM
  UID: 1000
  GID: 1000
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: admins, trust admins, no-pwd-policy
  Kerberos keys available: True
  ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463
  krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA==
  krblastadminunlock: 20240509172126Z
  krblastpwdchange: 20200915142958Z
  krblastsuccessfulauth: 20240509172620Z
  krbloginfailedcount: 0
  krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM,cn=kerberos,dc=foo,dc=com
  krbticketflags: 128
  objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys


After running the following command it does unlock, but in a few minutes it gets locked again.

$ ipa user-unlock admin
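
One way to trace which host the failed admin logins come from, as an added example that is not part of the original thread: the KDC on a FreeIPA server writes each Kerberos login request, with the client address, to /var/log/krb5kdc.log, and the script below counts failures for one principal per source address. The sample lines, the host name ipa1.foo.com and the addresses are constructed, and the script assumes the attempts arrive as Kerberos AS_REQs (for example SSH password logins on an enrolled host).

```python
import re
from collections import Counter

# Constructed sample in MIT krb5 KDC log style; host name and addresses are made up.
SAMPLE_LOG = """\
May 09 17:20:01 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.15: NEEDED_PREAUTH: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Additional pre-authentication required
May 09 17:20:01 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.15: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:09 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.15: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:14 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.15: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:20 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.15: LOCKED_OUT: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Clients credentials have been revoked
May 09 17:21:02 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.40: NEEDED_PREAUTH: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Additional pre-authentication required
May 09 17:21:30 ipa1.foo.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.40: PREAUTH_FAILED: jdoe@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
"""

# NEEDED_PREAUTH is the normal first leg of every password login, so it is
# not counted; only wrong-password and already-locked responses are failures.
FAILURE_STATUSES = {"PREAUTH_FAILED", "LOCKED_OUT"}

# Captures the client address, the KDC status code and the requesting principal.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for "
)


def failed_sources(log_text, principal):
    """Count failed AS_REQs for one principal, keyed by (client address, status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m and m["client"] == principal and m["status"] in FAILURE_STATUSES:
            hits[(m["ip"], m["status"])] += 1
    return hits


if __name__ == "__main__":
    # On a real server, read /var/log/krb5kdc.log instead of SAMPLE_LOG.
    for (ip, status), n in failed_sources(SAMPLE_LOG, "admin@FOO.COM").most_common():
        print(f"{ip:15} {status:15} {n}")
```

Failed LDAP simple binds do not pass through the KDC, so attempts of that kind would not appear in this log.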