On Wed, 11 Jul 2018, skrawczenko--- via FreeIPA-users wrote:
> Unfortunately, can't see anything suspicious in krb5kdc.log
> Multiple hosts request TGT in NEEDED_PREAUTH:host/<hostname> - ISSUE dialogs.
> No errors and 'admin' is not encountered anywhere.
> I'm having a concern that older machines could have been enrolled (ipa-client) with
> Could you suggest where i can check this setting on the client machines and modify if
When a machine is enrolled as admin, those admin credentials are not
stored anywhere. So that shouldn't be an issue.
However, if admin account is still locked out, you have two sources for
- KDC locking out for invalid TGTs
- LDAP servers locking out for invalid LDAP BIND requests.
As you are saying it is not the former, maybe it is the latter?
You can use
egrep '(BIND.*dn=\"|RESULT.*dn=\"|RESULT err=49)'
to pull out all authentication requests, successful or not, from LDAP
server access log. For successful requests the 'RESULT ' entry would have
'dn="some-dn"', while for unsuccessful ones the BIND entries will have the
DN value. Each entry has a 'conn=XYZ' property which shows the id of a
connection performed by a client, and the first line with that conn=XYZ id
would also have the IP address of the client.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland