Summary: User account locked after only 1 password mistype with domain authentication
Product: Red Hat Enterprise Linux 6
Reporter: Eri Ramos Bastos <eri.bastos>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE
QA Contact: Zbysek MRAZ <zmraz>
Version: 6.0
CC: dpal, ebenes, jplans
Fixed In Version: krb5-1.7.1-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2010-11-10 21:01:05 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Description Eri Ramos Bastos 2010-05-03 15:03:29 UTC
Description of problem:
A user trying to log in to the system with a domain account* will get locked out after a single mistyped password.
*Microsoft Active Directory Domain, using Microsoft Identity Management for UNIX

Version-Release number of selected component (if applicable):
[root@crash log]# cat /etc/redhat-release
Red Hat Enterprise Linux release 6.0 Beta (Santiago)
[root@crash log]# rpm -qa pam*
pam_passwdqc-1.0.5-5.el6.i686
pam_pkcs11-0.5.3-31.el6.i686
pam-1.1.1-2.el6.i686
pam_ldap-185-1.el6.i686
pam_krb5-2.3.10-2.el6.i686

How reproducible:
Tested environment:
- Windows 2003 R2 SP2
- Microsoft Identity Management for UNIX 5.2.3790.0
- RHEL 6.0 Beta

Steps to Reproduce:
1. ssh to the RHEL 6 Box
2. Mistype your password once

Actual results:
User gets the account locked

Expected results:
User should be able to try the password as many times as configured at the domain level before being locked out.

Additional info:
1- This won't happen with RHEL 4 or RHEL 5
2- Log file below:
May 3 11:31:48 crash sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name user=first.last
May 3 11:31:48 crash sshd: pam_krb5: authentication fails for 'first.last' (first.last@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
May 3 11:31:51 crash sshd: Failed password for first.last from 126.96.36.199 port 39778 ssh2
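An added example, not part of the report and not Red Hat's or the krb5 project's code: a small Python detector that walks sshd/pam syslog lines of the shape shown in the description and flags a user for whom pam_krb5 reports "Clients credentials have been revoked" (the text MIT krb5 uses for KRB5KDC_ERR_CLIENT_REVOKED, which Active Directory returns for a locked-out account) after fewer failed attempts on this host than the domain's lockout threshold should require. That is exactly the symptom the reporter describes: a lockout with no preceding failures. The log lines are constructed to mirror the excerpt above; the host name, user names, 192.0.2.x addresses and the threshold of 3 are placeholders, and the function names are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog sample modelled on the excerpt in the report (not captured
# from a real system). Host, user names and 192.0.2.x addresses are placeholders.
SAMPLE_LOG = """\
May  3 11:31:48 crash sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ws1 user=first.last
May  3 11:31:48 crash sshd: pam_krb5: authentication fails for 'first.last' (first.last@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
May  3 11:31:51 crash sshd: Failed password for first.last from 192.0.2.10 port 39778 ssh2
May  3 11:40:02 crash sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ws2 user=other.user
May  3 11:40:02 crash sshd: pam_krb5: authentication fails for 'other.user' (other.user@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:01 crash sshd: pam_krb5: authentication fails for 'third.user' (third.user@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:10 crash sshd: pam_krb5: authentication fails for 'third.user' (third.user@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:20 crash sshd: pam_krb5: authentication fails for 'third.user' (third.user@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:30 crash sshd: pam_krb5: authentication fails for 'third.user' (third.user@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
PAM_KRB5 = re.compile(
    SYSLOG_TS + r" \S+ sshd: pam_krb5: authentication fails for '(?P<user>[^']+)' "
    r"\((?P<princ>[^)]+)\): (?P<msg>.*)$")
PAM_UNIX = re.compile(
    SYSLOG_TS + r" \S+ sshd: pam_unix\(sshd:auth\): authentication failure;.* user=(?P<user>\S+)$")
# Text MIT krb5 uses for KRB5KDC_ERR_CLIENT_REVOKED; AD returns that error for a
# locked-out account and pam_krb5 passes the text through into its log line.
REVOKED = "Clients credentials have been revoked"


def parse_ts(text):
    # Syslog timestamps carry no year; year 1900 is fine for deltas within a day.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_failures(log):
    """Return (time, user, message) for every failed sshd authentication line, sorted by time."""
    events = []
    for line in log.splitlines():
        m = PAM_KRB5.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["user"], m["msg"]))
            continue
        m = PAM_UNIX.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["user"], "pam_unix authentication failure"))
    events.sort(key=lambda e: e[0])
    return events


def find_premature_lockouts(log, threshold=3, window=timedelta(minutes=30)):
    """Return [(user, attempts_before)] for users whose KDC reported revoked
    credentials after fewer than `threshold` earlier failed attempts within `window`.

    `threshold` is an assumed lockout policy (the AD default is 0, i.e. never
    lock out); substitute the domain's real "Account lockout threshold"."""
    events = parse_failures(log)
    findings = []
    seen = set()
    for t, user, msg in events:
        if REVOKED not in msg or user in seen:
            continue
        seen.add(user)  # later attempts after the lock are also revoked; report once
        # One SSH attempt yields a pam_unix and a pam_krb5 line in the same
        # second, so count distinct timestamps strictly before this attempt.
        earlier = {e[0] for e in events if e[1] == user and e[0] < t and t - e[0] <= window}
        if len(earlier) < threshold:
            findings.append((user, len(earlier)))
    return findings


if __name__ == "__main__":
    for user, n in find_premature_lockouts(SAMPLE_LOG):
        print(f"{user}: credentials revoked after only {n} earlier failed attempt(s) on this host")
```

On the sample, first.last is flagged with zero earlier attempts while third.user, who failed three times before the revoked response, is not. The count is a lower bound from one host's log: the domain controllers keep the authoritative badPwdCount, and a finding here does not by itself tell a client-side cause (like the krb5-libs problem this bug tracks) apart from failures that came from other machines.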
Comment 1 Tomas Mraz 2010-05-03 15:43:04 UTC
This is probably some problem in pam_krb5. Or in your configuration of it. The user is locked out forever so you can't log in even after reconnecting?
Comment 2 Eri Ramos Bastos 2010-05-03 15:51:54 UTC
Yes, account gets locked until an administrator goes to a domain controller and unchecks the "Account is locked out" under the user's properties. Here is how I configure the domain authentication in all servers*:
authconfig --enablecache --enablenis --enableshadow --enablekrb5 \
  --enablelocauthorize --nisdomain=DomainName --nisserver=domain.name \
  --krb5realm=DOMAIN.NAME --krb5kdc=domain.name \
  --krb5adminserver=domain.name --update
*Except RHEL 4, which does not have the option --update. Everything else is the same.
Comment 4 Nalin Dahyabhai 2010-05-03 16:31:06 UTC
Is this with krb5-libs 1.7? I ask because this was a known problem in 1.7 (bug #542687, bug #554351), but it should be fixed in any later version, including versions that hit the repository after beta 1. If the client is running something later than 1.7, do you have information on what the domain controller's lockout policy is, particularly if they've been changed from the factory defaults?
Comment 5 Eri Ramos Bastos 2010-05-03 16:43:59 UTC
Yes, looks like we are talking about the same bug.
[root@crash ~]# rpm -qa krb*
krb5-devel-1.7-18.el6.i686
krb5-libs-1.7-18.el6.i686
krb5-workstation-1.7-18.el6.i686
I should have included Fedora bugs on my search when I was looking for this problem. Sorry about that.
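An added example, not part of the report and not code from the krb5 package: comments 4 and 5 settle the question by package version, and comparing krb5-libs-1.7-18.el6 with the Fixed In Version krb5-1.7.1-1 by eye is easy, but a scripted check across many hosts needs rpm's actual ordering rules (numeric segments beat alphabetic ones, 1.10 is newer than 1.9, 1.7~rc1 is older than 1.7). The Python below reimplements rpm's rpmvercmp() and applies it to the version-release strings on this page. It assumes input in the form printed by `rpm -q --qf '%{VERSION}-%{RELEASE}' krb5-libs`, release included; `has_fix`, `compare_evr` and `parse_evr` are my names, and the '^' marker added by newer rpm releases is not handled.

```python
import subprocess

# Version Red Hat lists as "Fixed In Version" on this bug (package krb5).
FIXED_KRB5 = "1.7.1-1"


def _take(s, i, pred):
    """Return the run of characters satisfying pred starting at s[i], and the index after it."""
    start = i
    while i < len(s) and pred(s[i]):
        i += 1
    return s[start:i], i


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm's rpmvercmp() does:
    walk alternating numeric/alphabetic segments, compare numeric segments as
    integers and alphabetic ones lexically, treat a numeric segment as newer than
    an alphabetic one, and sort '~' before anything, including end of string.
    Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is neither alphanumeric nor '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1           # only b carries the pre-release marker: a is newer
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            seg_a, i = _take(a, i, str.isdigit)
            seg_b, j = _take(b, j, str.isdigit)
            numeric = True
        else:
            seg_a, i = _take(a, i, str.isalpha)
            seg_b, j = _take(b, j, str.isalpha)
            numeric = False
        if not seg_b:
            # Segment types differ at this position: the numeric side is newer.
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0                   # same segments, only separators differed
    return -1 if i >= len(a) else 1  # the string with segments left over is newer


def parse_evr(evr):
    """Split 'epoch:version-release' (epoch optional) into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(x, y):
    """rpm ordering of two epoch:version-release strings: -1, 0 or 1."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def has_fix(installed, fixed=FIXED_KRB5):
    """True when the installed version-release is at or beyond the fixed one."""
    return compare_evr(installed, fixed) >= 0


if __name__ == "__main__":
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "krb5-libs"],
                             capture_output=True, text=True, check=True)
        installed = out.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        installed = "1.7-18.el6"   # the reporter's version, used when rpm is unavailable
    print(installed, "has the fix" if has_fix(installed) else "is AFFECTED (older than %s)" % FIXED_KRB5)
```

The reporter's 1.7-18.el6 compares older than 1.7.1-1, while 1.7.1-1.el6, 1.8-1 and 1.8.1-1 (the versions comment 7 expects in trees after beta 1) compare newer. A version check is only a proxy: a vendor that backports a fix without raising version-release would be missed, so where an errata ID is published, checking the changelog or advisory is the more reliable signal.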
Comment 6 RHEL Program Management 2010-05-03 17:05:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
Comment 7 Nalin Dahyabhai 2010-05-03 18:15:45 UTC
No worries. Now we have one that'll show up when people search this product. Trees after beta 1 should have 1.7.1 or 1.8 or 1.8.1 in them, so I'll move this to modified.
Comment 11 email@example.com 2010-11-10 21:01:05 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.