> What do you mean ssh port close? How can I manage this server without
> SSH?

By close I meant some firewall, iptables for example.

> How do I disable locking of admin accounts? Do you have command handy
> because I tried google and there are lots of other info but not password
> policy related.

Check FreeIPA's official documentation.
On Fri, May 10, 2024 at 2:38 PM Satish Patel <satish.txt(a)gmail.com> wrote:
> Thank you for the response,
>
> This started when I was trying to add a RockyLinux 8 replica to a CentOS 7
> master node. The replica add process failed, but after that this new issue
> of admin account lockout started. I did remove the bad replica but the admin
> account is getting locked.
>
> What do you mean ssh port close? How can I manage this server without SSH?
>
> How do I disable locking of admin accounts? Do you have command handy
> because I tried google and there are lots of other info but not password
> policy related.
>
>
>
> On Fri, May 10, 2024 at 2:00 AM Yavor Marinov <ymarinov(a)gmail.com> wrote:
>
>> Hey Satish,
>>
>> I had the same issue when initially installing and integrating FreeIPA.
>> In my case it was an enrolled host which had its SSH port open, which led to
>> numerous requests for authentication for user admin.
>> I would suggest a couple of measures: closing SSH ports and allowing only
>> authentication with keys, increasing lock attempts for logging in or (I
>> personally do not use it) disabling the locking IPA-wide.
>>
>> On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> Folks,
>>>
>>> I have noticed my admin account keeps getting locked out because of
>>> failed attempts, but I don't know from where or how. I tried to dig into
>>> the logs but didn't find any trace of an attempt.
>>>
>>> $ ipa-replica-manage list
>>> Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more
>>> information
>>> Unexpected error: Server is unwilling to perform: Too many failed logins.
>>>
>>> $ ipa user-show --all admin
>>> dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com
>>> User login: admin
>>> Last name: Administrator
>>> Full name: Administrator
>>> Home directory: /home/admin
>>> GECOS: Administrator
>>> Login shell: /bin/bash
>>> Principal alias: admin@FOO.COM
>>> UID: 1000
>>> GID: 1000
>>> Account disabled: False
>>> Preserved user: False
>>> Password: True
>>> Member of groups: admins, trust admins, no-pwd-policy
>>> Kerberos keys available: True
>>> ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463
>>> krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA==
>>> krblastadminunlock: 20240509172126Z
>>> krblastpwdchange: 20200915142958Z
>>> krblastsuccessfulauth: 20240509172620Z
>>> krbloginfailedcount: 0
>>> krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM,cn=kerberos,dc=foo,dc=com
>>> krbticketflags: 128
>>> objectclass: top, person, posixaccount, krbprincipalaux,
>>> krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
>>>
>>>
>>> After running the following command it does unlock, but in a few minutes
>>> it gets locked again
>>>
>>> $ ipa user-unlock admin
>>
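
Added example, not part of the thread and not FreeIPA's own tooling: one way to see where the failed admin logins come from is to tally failed AS_REQ lines per client address in the KDC log. The log path /var/log/krb5kdc.log, the host name ipa1.foo.com, the addresses and the function names are assumptions, and the log lines are constructed samples in krb5kdc format.

```shell
#!/bin/sh
# Tally failed Kerberos AS requests for one principal by client address.
# Usage: failed_by_source PRINCIPAL [LOGFILE]
failed_by_source() {
    principal=$1
    logfile=${2:-/var/log/krb5kdc.log}   # assumed KDC log location
    awk -v p="$principal" '
        # The client address is the field just before the status token:
        #   ... AS_REQ (...) 10.0.0.5: PREAUTH_FAILED: admin@FOO.COM for ...
        /AS_REQ/ {
            for (i = 2; i < NF; i++)
                if (($i == "PREAUTH_FAILED:" || $i == "LOCKED_OUT:") && $(i+1) == p) {
                    ip = $(i-1)
                    sub(/:$/, "", ip)      # strip the trailing colon only
                    count[ip]++
                }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$logfile" | sort -rn
}

# Constructed sample lines in krb5kdc log format (not taken from the thread).
sample_log() {
    cat <<'EOF'
May 09 17:20:01 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.5: NEEDED_PREAUTH: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Additional pre-authentication required
May 09 17:20:02 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.5: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:09 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.5: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:15 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.5: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:21 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.5: LOCKED_OUT: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Client's credentials have been revoked
May 09 17:21:40 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.7: PREAUTH_FAILED: bob@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:22:03 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.9: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:26:20 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 10.0.0.20: ISSUE: authtime 1715275580, etypes {rep=18 tkt=18 ses=18}, admin@FOO.COM for krbtgt/FOO.COM@FOO.COM
EOF
}

# Demo run on the sample; on a server, pass the real log instead.
tmp=$(mktemp)
sample_log > "$tmp"
failed_by_source 'admin@FOO.COM' "$tmp"
rm -f "$tmp"
```

The address listed is the host that sent the request to the KDC, so an enrolled host relaying SSH password attempts appears under its own address.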