krbLoginFailedCount isn't reset following failed logins

Solution Verified - Updated -

Issue

krbLoginFailedCount is incremented on each failed login. However, once the period defined by "Failure reset interval" has elapsed, the counter should be reset on the next login attempt, irrespective of whether that login succeeds or fails. The steps below show the counter continuing to increment instead.

A. Configure a customized group password policy, assign it to the user ppolicy-user which belongs to the group ppolicy-group:

[root@ipareplica ~]# ipa pwpolicy-show --user=ppolicy-user
  Group: ppolicy-group
  Max lifetime (days): 90
  Max failures: 4
  Failure reset interval: 300

B. Check the value of the krbLoginFailedCount attribute on an IPA server:

[root@ipareplica ~]#  date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount
Thu 10 Aug 09:03:35 BST 2017
  krbLoginFailedCount: 0

C. Enter the user's password incorrectly twice from an IPA client:

$ ssh ppolicy-user@ipaclient date
Password: <WRONG password>
Password: <WRONG password>

D. Check that the counter has incremented on the IPA server:

[root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount
Thu 10 Aug 09:03:54 BST 2017
  krbLoginFailedCount: 2

E. Wait for the "Failure reset interval" to pass, then enter the user's password incorrectly again from an IPA client:

$ sleep 400
$ date;ssh ppolicy-user@ipaclient 
Thu 10 Aug 09:13:02 BST 2017
Password: 
Password:

F. Repeat step D:

[root@ipareplica ~]# date;ipa user-show --all ppolicy-user --raw |grep krbLoginFailedCount
Thu 10 Aug 09:13:18 BST 2017
  krbLoginFailedCount: 4   <<<<<< This should have been reset to 2 rather than incremented to 4
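
Added here as a worked check, not part of the original article: a POSIX shell script that parses the `ipa pwpolicy-show` and `ipa user-show --raw` output captured above, computes the elapsed time between the two observations, and reports whether krbLoginFailedCount was reset as the policy's "Failure reset interval" requires. The sample outputs embedded below are constructed from the captures above, and the helper function names are this example's own.

```bash
#!/bin/sh
# Constructed sample outputs, modelled on the captures in steps A, D and F (not live IPA output).
PWPOLICY_OUT='  Group: ppolicy-group
  Max lifetime (days): 90
  Max failures: 4
  Failure reset interval: 300'
USER_OUT_BEFORE='  krbLoginFailedCount: 2'
USER_OUT_AFTER='  krbLoginFailedCount: 4'

# Extract the integer value of a "Key: value" line from ipa --raw style output.
field_value() {   # $1 = output text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Convert the HH:MM:SS part of a `date` line into seconds since midnight (same-day captures).
hms_to_secs() {   # $1 = "HH:MM:SS"
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    h=${h#0}; m=${m#0}; s=${s#0}        # strip one leading zero so 09 is not read as octal
    echo $(( h * 3600 + m * 60 + s ))
}

# Expected counter after N new failures: if more than the reset interval has elapsed since the
# previous observation, the old count must be discarded before the new failures are counted.
expected_count() {   # $1 = old count, $2 = elapsed secs, $3 = interval secs, $4 = new failures
    if [ "$2" -gt "$3" ]; then echo "$4"; else echo $(( $1 + $4 )); fi
}

# Compare observed against expected; returns 0 only when the KDC honoured the reset interval.
check_reset() {   # $1 = old count, $2 = observed count, $3 = elapsed, $4 = interval, $5 = new failures
    want=$(expected_count "$1" "$3" "$4" "$5")
    if [ "$2" -eq "$want" ]; then
        echo "OK: krbLoginFailedCount=$2 (expected $want)"; return 0
    fi
    echo "MISMATCH: krbLoginFailedCount=$2, expected $want (reset interval ${4}s, elapsed ${3}s)"
    return 1
}

# Walk the constructed sample through the article's timeline: 09:03:54 -> 09:13:18, two new failures.
interval=$(field_value "$PWPOLICY_OUT" "Failure reset interval")
before=$(field_value "$USER_OUT_BEFORE" krbLoginFailedCount)
after=$(field_value "$USER_OUT_AFTER" krbLoginFailedCount)
elapsed=$(( $(hms_to_secs 09:13:18) - $(hms_to_secs 09:03:54) ))
check_reset "$before" "$after" "$elapsed" "$interval" 2 || :
```

On a live server, replace the embedded strings with the real `ipa pwpolicy-show --user=...` and `ipa user-show --all ... --raw` output and the two `date` stamps; a MISMATCH line reproduces the behaviour described in this article.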

Environment

RHEL7.3
IPA
