Hey Satish,
I had the same issue when initially installing and integrating FreeIPA. In my case it was an enrolled host which had its SSH port open, which led to numerous authentication requests for user admin. I would suggest a couple of measures: closing SSH ports and allowing only authentication with keys, increasing lock attempts for logging in, or (I personally do not use it) disabling the locking IPA-wide.
On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Folks,
I have noticed my admin account keeps getting locked out because of failed attempts, but I don't know from where or how. I tried to dig into the logs but didn't find any trace of the attempts.
$ ipa-replica-manage list
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Server is unwilling to perform: Too many failed logins.

$ ipa user-show --all admin
  dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS: Administrator
  Login shell: /bin/bash
  Principal alias: admin@FOO.COM
  UID: 1000
  GID: 1000
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: admins, trust admins, no-pwd-policy
  Kerberos keys available: True
  ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463
  krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA==
  krblastadminunlock: 20240509172126Z
  krblastpwdchange: 20200915142958Z
  krblastsuccessfulauth: 20240509172620Z
  krbloginfailedcount: 0
  krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM ,cn=kerberos,dc=foo,dc=com
  krbticketflags: 128
  objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
After running the following command it does unlock, but in a few minutes it gets locked again:
$ ipa user-unlock admin
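The case described in the reply (an enrolled host with SSH open receiving repeated password attempts for admin) can be confirmed from that host's sshd log by counting failures per source address. This is an added example, not part of the original thread; the log lines are constructed samples in the standard OpenSSH format, and the function names and threshold are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the standard OpenSSH sshd log format
# (not taken from the thread; addresses are documentation ranges).
SAMPLE_LOG = """\
May  9 17:20:01 host1 sshd[2101]: Failed password for admin from 203.0.113.7 port 40112 ssh2
May  9 17:20:03 host1 sshd[2101]: Failed password for admin from 203.0.113.7 port 40112 ssh2
May  9 17:20:09 host1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.4 port 51820 ssh2
May  9 17:20:15 host1 sshd[2110]: Failed password for admin from 203.0.113.7 port 40544 ssh2
May  9 17:21:30 host1 sshd[2144]: Accepted publickey for satish from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:placeholder
May  9 17:22:02 host1 sshd[2150]: Failed password for admin from 198.51.100.4 port 51901 ssh2
"""

# sshd logs "Failed password for <user> from <addr> port <n> ssh2";
# unknown accounts get an extra "invalid user " prefix before the name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def failed_sources(log_text, user="admin"):
    """Count failed SSH password attempts for `user`, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m and m.group("user") == user:
            counts[m.group("src")] += 1
    return counts


def likely_lockout_sources(log_text, user="admin", threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumed cutoff)."""
    hits = failed_sources(log_text, user)
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in failed_sources(SAMPLE_LOG).most_common():
        print(f"{n:4d} failed password attempts for admin from {src}")
```

On a real host, pass the contents of the sshd log (for example /var/log/secure on Fedora/RHEL) instead of SAMPLE_LOG.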