krbLoginFailedCount isn't reset following failed logins
Issue
krbLoginFailedCount is incremented on each failed login. However, once the period defined by "Failure reset interval" has passed, the counter should be reset on subsequent login attempts, irrespective of whether the login is successful or not.
A. Configure a customized group password policy and assign it to the user ppolicy-user, which belongs to the group ppolicy-group:
[root@ipareplica ~]# ipa pwpolicy-show --user=ppolicy-user
Group: ppolicy-group
Max lifetime (days): 90
Max failures: 4
Failure reset interval: 300
B. Check the value of the krbLoginFailedCount attribute from an IPA server:
[root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount
Thu 10 Aug 09:03:35 BST 2017
krbLoginFailedCount: 0
C. Enter the user's password incorrectly twice from an IPA client:
$ ssh ppolicy-user@ipaclient date
Password: <WRONG password>
Password: <WRONG password>
D. Check that the counter has incremented on the IPA server:
[root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount
Thu 10 Aug 09:03:54 BST 2017
krbLoginFailedCount: 2
E. Wait for the "Failure reset interval" time to pass before incorrectly entering the user's password again from an IPA client:
$ sleep 400
$ date;ssh ppolicy-user@ipaclient
Thu 10 Aug 09:13:02 BST 2017
Password:
Password:
F. Repeat step D:
[root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount
Thu 10 Aug 09:13:18 BST 2017
krbLoginFailedCount: 4 <<<<<<This should reset to 2 rather than increment!!
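The expected counter behaviour from steps C to F, replayed as an added example (this is not Red Hat's or IPA's code). The failure timestamps are constructed to fall inside the windows bracketed by the date output above, and treating a count equal to "Max failures" as the lockout threshold is an assumption.

```python
from datetime import datetime, timedelta

# Policy values taken from the pwpolicy-show output in step A.
MAX_FAILURES = 4
FAILURE_RESET_INTERVAL = timedelta(seconds=300)


def replay_failures(failure_times, reset_interval=FAILURE_RESET_INTERVAL):
    """Return (timestamp, counter) after each failed login under the expected
    semantics: a failure arriving more than reset_interval after the previous
    failure starts the count again at 1."""
    count = 0
    last_failure = None
    history = []
    for ts in sorted(failure_times):
        if last_failure is not None and ts - last_failure > reset_interval:
            count = 0  # interval expired: earlier failures no longer count
        count += 1
        last_failure = ts
        history.append((ts, count))
    return history


def replay_without_reset(failure_times):
    """Counter that never resets; reproduces the values observed in step F."""
    return [(ts, n) for n, ts in enumerate(sorted(failure_times), start=1)]


def at_lockout_threshold(count, max_failures=MAX_FAILURES):
    """Assumption: the threshold is reached once count >= Max failures."""
    return count >= max_failures


def day(hms):
    # Naive local time on the date shown in the page's output.
    return datetime.strptime("2017-08-10 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed failure times: two between 09:03:35 and 09:03:54 (step C),
# two between 09:13:02 and 09:13:18 (step E).
FAILURES = [day("09:03:40"), day("09:03:45"), day("09:13:05"), day("09:13:10")]

if __name__ == "__main__":
    expected = replay_failures(FAILURES)
    observed = replay_without_reset(FAILURES)
    for (ts, exp), (_, obs) in zip(expected, observed):
        note = "  <- observed count at Max failures" if at_lockout_threshold(obs) else ""
        print(f"{ts:%H:%M:%S} expected={exp} observed={obs}{note}")
```

With the reset applied, the count after step E is 2; without it, two recent failures are enough to bring the counter to the policy's "Max failures" value of 4.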
Environment
RHEL7.3
IPA
