Thank you for the response,

This started when I was trying to add a RockyLinux 8 replica to a CentOS7
master node. The replica add process failed, but after that this new issue
of admin account lockout started. I did remove the bad replica, but the admin
account is getting locked.

What do you mean by closing the SSH port? How can I manage this server without SSH?

How do I disable locking of admin accounts? Do you have a command handy?
I tried Google and there is lots of other info, but nothing password
policy related.



On Fri, May 10, 2024 at 2:00 AM Yavor Marinov <ymari...@gmail.com> wrote:

> Hey Satish,
>
> I had the same issue when initially installing and integrating FreeIPA - in
> my case it was an enrolled host which had its SSH port open, which led to
> numerous requests for authentication for user admin.
> I would suggest a couple of measures: closing SSH ports and allowing only
> authentication with keys, increasing lock attempts for logging in, or (I
> personally do not use it) disabling the locking IPA-wide.
>
> On Thu, May 9, 2024 at 9:10 PM Satish Patel via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Folks,
>>
>> I have noticed my admin account keeps getting locked out because of
>> failed attempts but I don't know from where and how. I tried to dig into
>> logs but didn't find any trace of attempt.
>>
>> $ ipa-replica-manage list
>> Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more
>> information
>> Unexpected error: Server is unwilling to perform: Too many failed logins.
>>
>> $ ipa user-show --all admin
>>   dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com
>>   User login: admin
>>   Last name: Administrator
>>   Full name: Administrator
>>   Home directory: /home/admin
>>   GECOS: Administrator
>>   Login shell: /bin/bash
>>   Principal alias: ad...@foo.com
>>   UID: 1000
>>   GID: 1000
>>   Account disabled: False
>>   Preserved user: False
>>   Password: True
>>   Member of groups: admins, trust admins, no-pwd-policy
>>   Kerberos keys available: True
>>   ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463
>>   krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA==
>>   krblastadminunlock: 20240509172126Z
>>   krblastpwdchange: 20200915142958Z
>>   krblastsuccessfulauth: 20240509172620Z
>>   krbloginfailedcount: 0
>>   krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM,cn=kerberos,dc=foo,dc=com
>>   krbticketflags: 128
>>   objectclass: top, person, posixaccount, krbprincipalaux,
>> krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
>>
>>
>> After running the following command it does unlock, but in a few minutes it
>> gets locked again
>>
>> $ ipa user-unlock admin
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
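
As an added example (not from the thread or from the FreeIPA project): one way to see where failed logins for a principal come from is to tally the KDC's failed AS_REQ entries per client address. The log layout and sample lines are assumptions modeled on the MIT krb5kdc.log format, and the EXAMPLE.TEST realm, hosts and addresses are constructed; failures that arrive as LDAP binds are not recorded in this log.

```python
import re
from collections import Counter

# Constructed sample lines in the MIT krb5kdc.log layout (assumed format);
# hosts, addresses and the EXAMPLE.TEST realm are made up for illustration.
SAMPLE_LOG = """\
May 09 17:20:01 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 09 17:20:01 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
May 09 17:20:03 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
May 09 17:20:05 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
May 09 17:20:07 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client's credentials have been revoked
May 09 17:21:10 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
May 09 17:26:20 ipa1.example.test krb5kdc[1412](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.40: ISSUE: authtime 1715275580, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Match only AS_REQ entries that ended in a failure or a lockout rejection.
FAILURE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*?\) (?P<src>\S+): "
    r"(?P<status>PREAUTH_FAILED|LOCKED_OUT): (?P<princ>\S+) for "
)


def failed_auth_sources(log_text, principal):
    """Count failed or rejected AS_REQs for one principal, per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m and m.group("princ") == principal:
            hits[(m.group("src"), m.group("status"))] += 1
    return hits


if __name__ == "__main__":
    report = failed_auth_sources(SAMPLE_LOG, "admin@EXAMPLE.TEST")
    for (src, status), count in report.most_common():
        print(f"{count:4d}  {status:15s} {src}")
```

On an IPA server the KDC log is normally /var/log/krb5kdc.log, and each server keeps its own, so the tally has to be run against the log of every server in the topology.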