Hey Satish,

I had the same issue when initially installing and integrating FreeIPA - in
my case it was an enrolled host which had its SSH port opened, which led to
numerous requests for authentication for user admin.
I would suggest a couple of measures: closing SSH ports and allowing only
authentication with keys, increasing lock attempts for logging in, or (I
personally do not use it) disabling the locking IPA-wide.

On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Folks,
>
> I have noticed my admin account keeps getting locked out because of failed
> attempts but I don't know from where and how. I tried to dig into logs but
> didn't find any trace of attempt.
>
> $ ipa-replica-manage list
> Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more
> information
> Unexpected error: Server is unwilling to perform: Too many failed logins.
>
> $ ipa user-show --all admin
>   dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com
>   User login: admin
>   Last name: Administrator
>   Full name: Administrator
>   Home directory: /home/admin
>   GECOS: Administrator
>   Login shell: /bin/bash
>   Principal alias: ad...@foo.com
>   UID: 1000
>   GID: 1000
>   Account disabled: False
>   Preserved user: False
>   Password: True
>   Member of groups: admins, trust admins, no-pwd-policy
>   Kerberos keys available: True
>   ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463
>   krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA==
>   krblastadminunlock: 20240509172126Z
>   krblastpwdchange: 20200915142958Z
>   krblastsuccessfulauth: 20240509172620Z
>   krbloginfailedcount: 0
>   krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM,cn=kerberos,dc=foo,dc=com
>   krbticketflags: 128
>   objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
>
>
> After running the following command it does unlock, but in a few minutes it
> will get locked again
>
> $ ipa user-unlock admin
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
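
For tracing where the failed logins in this thread come from, here is an added example (not from either poster or the FreeIPA project) that tallies failed Kerberos AS requests per client address from KDC log text. The sample lines, hosts and addresses are constructed, and the line layout assumed is the usual MIT krb5kdc.log format, normally found at /var/log/krb5kdc.log on an IPA server.

```python
import re
from collections import Counter

# Constructed sample in krb5kdc.log style (hosts, PIDs and IPs are made up).
SAMPLE_LOG = """\
May 09 17:20:01 ipa1.foo.com krb5kdc[2101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.7: NEEDED_PREAUTH: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Additional pre-authentication required
May 09 17:20:03 ipa1.foo.com krb5kdc[2101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.15: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:04 ipa1.foo.com krb5kdc[2101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.15: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:05 ipa1.foo.com krb5kdc[2101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.15: PREAUTH_FAILED: jdoe@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:06 ipa1.foo.com krb5kdc[2101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.15: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:07 ipa1.foo.com krb5kdc[2101](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.40: PREAUTH_FAILED: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Preauthentication failed
May 09 17:20:09 ipa1.foo.com krb5kdc[2101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.15: LOCKED_OUT: admin@FOO.COM for krbtgt/FOO.COM@FOO.COM, Client's credentials have been revoked
"""

# Greedy ".*" skips the etype list, which may itself contain parentheses.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<princ>\S+) for "
)

# NEEDED_PREAUTH is the normal first leg of a login, so it is not a failure.
FAIL_STATUSES = {"PREAUTH_FAILED", "LOCKED_OUT"}


def failed_sources(log_text, principal="admin"):
    """Count failed AS_REQs per client address for one principal (realm ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m or m["status"] not in FAIL_STATUSES:
            continue
        if m["princ"].split("@", 1)[0] == principal:
            counts[m["ip"]] += 1
    return counts


if __name__ == "__main__":
    # Busiest source first; replace SAMPLE_LOG with the real log contents.
    for ip, n in failed_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} failed AS_REQ for admin")
```

The address with the highest count is the host to inspect first; in the reply above that turned out to be an enrolled host with SSH exposed.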