Bug 588366

Summary: User account locked after only 1 password mistype with domain authentication
Product: Red Hat Enterprise Linux 6
Reporter: Eri Ramos Bastos <eri.bastos>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE
QA Contact: Zbysek MRAZ <zmraz>
Severity: medium
Docs Contact:
Priority: low
Version: 6.0
CC: dpal, ebenes, jplans
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: krb5-1.7.1-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 21:01:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Eri Ramos Bastos 2010-05-03 15:03:29 UTC
Description of problem:

A user trying to login to the system with a domain account* will get locked out after a single mistyped password.

*Microsoft Active Directory Domain, using Microsoft Identity Management for UNIX

Version-Release number of selected component (if applicable):

[root@crash log]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 6.0 Beta (Santiago)
[root@crash log]# rpm -qa pam*

How reproducible:
Tested environment:

- Windows 2003 R2 SP2 
- Microsoft Identity Management for UNIX 5.2.3790.0
- RHEL 6.0 Beta

Steps to Reproduce:
1. ssh to the RHEL 6 Box
2. Mistype your password once

Actual results:
User gets the account locked

Expected results:
User should be able to try the password as many times as configured at the domain level before being locked out.

Additional info:

1- This won't happen with RHEL 4 or RHEL 5
2- Log file below:

May  3 11:31:48 crash sshd[21199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name  user=first.last
May  3 11:31:48 crash sshd[21199]: pam_krb5[21199]: authentication fails for 'first.last' (first.last@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
May  3 11:31:51 crash sshd[21199]: Failed password for first.last from port 39778 ssh2

Comment 1 Tomas Mraz 2010-05-03 15:43:04 UTC
This is probably some problem in pam_krb5. Or in your configuration of it.

The user is locked out forever so you can't log in even after reconnecting?

Comment 2 Eri Ramos Bastos 2010-05-03 15:51:54 UTC
Yes, the account gets locked until an administrator goes to a domain controller and unchecks "Account is locked out" under the user's properties.

Here is how I configure the domain authentication in all servers*:

authconfig --enablecache --enablenis --enableshadow --enablekrb5 \
--enablelocauthorize --nisdomain=DomainName --nisserver=domain.name \
--krb5realm=DOMAIN.NAME --krb5kdc=domain.name \
--krb5adminserver=domain.name --update

*Except RHEL 4, which does not have the option --update. Everything else is the same.

Comment 4 Nalin Dahyabhai 2010-05-03 16:31:06 UTC
Is this with krb5-libs 1.7?  I ask because this was a known problem in 1.7 (bug #542687, bug #554351), but it should be fixed in any later version, including versions that hit the repository after beta 1.

If the client is running something later than 1.7, do you have information on what the domain controller's lockout policy is, particularly if they've been changed from the factory defaults?
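
The following is an added example, not code from the bug report or from krb5. It does the two checks a practitioner would want here: it reads sshd/pam_krb5 syslog lines and reports every user for whom the KDC answered "credentials have been revoked" on or before the N-th failed attempt (a sane client should only see that reply after the domain lockout threshold has been crossed), and it tests whether a krb5-libs version string falls in the 1.7 release named in comment 4 (at least 1.7, below the fixed 1.7.1). The first three sample log lines are the ones from the report; the jdoe lines and the lockout threshold of 5 are constructed assumptions, so read the real threshold from your domain's account lockout policy.

```python
"""Added example (not from the bug report or krb5): correlate pam_krb5
failure messages from sshd to spot domain accounts locked after fewer wrong
passwords than the lockout threshold allows, and check whether an installed
krb5-libs version is the 1.7 release named in comment 4.

The first three SAMPLE_LOG lines are the ones posted in the report; the
jdoe lines and LOCKOUT_THRESHOLD are constructed assumptions.
"""
import re
from collections import defaultdict

# pam_krb5 logs one "authentication fails" line per PAM authentication
# attempt:  pam_krb5[PID]: authentication fails for 'USER' (PRINCIPAL): REASON
PAM_KRB5_FAIL = re.compile(
    r"pam_krb5\[\d+\]: authentication fails for '([^']+)' \(([^)]+)\): (.*)$"
)

# libkrb5's text for KRB5KDC_ERR_CLIENT_REVOKED, the reply an AD KDC gives
# once the account is locked out (wording as it appears in the report's log).
REVOKED = "credentials have been revoked"

# Assumed domain policy: the account locks after this many bad passwords.
LOCKOUT_THRESHOLD = 5

SAMPLE_LOG = """\
May  3 11:31:48 crash sshd[21199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name  user=first.last
May  3 11:31:48 crash sshd[21199]: pam_krb5[21199]: authentication fails for 'first.last' (first.last@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
May  3 11:31:51 crash sshd[21199]: Failed password for first.last from port 39778 ssh2
May  3 12:00:01 crash sshd[21300]: pam_krb5[21300]: authentication fails for 'jdoe' (jdoe@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:05 crash sshd[21300]: pam_krb5[21300]: authentication fails for 'jdoe' (jdoe@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:09 crash sshd[21300]: pam_krb5[21300]: authentication fails for 'jdoe' (jdoe@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:20 crash sshd[21310]: pam_krb5[21310]: authentication fails for 'jdoe' (jdoe@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:25 crash sshd[21310]: pam_krb5[21310]: authentication fails for 'jdoe' (jdoe@DOMAIN.NAME): Authentication failure (Preauthentication failed)
May  3 12:00:30 crash sshd[21310]: pam_krb5[21310]: authentication fails for 'jdoe' (jdoe@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
"""


def attempts_until_locked(log_text):
    """Map each user to the 1-based index of the pam_krb5 failure on which
    the KDC first answered 'revoked'. Users never revoked are absent."""
    failures = defaultdict(int)
    locked_at = {}
    for line in log_text.splitlines():
        m = PAM_KRB5_FAIL.search(line)
        if not m:
            continue  # pam_unix and the sshd summary line are not extra attempts
        user, reason = m.group(1), m.group(3)
        failures[user] += 1
        if REVOKED in reason and user not in locked_at:
            locked_at[user] = failures[user]
    return dict(locked_at)


def premature_lockouts(log_text, threshold=LOCKOUT_THRESHOLD):
    """Users whose first 'revoked' reply came on or before attempt number
    `threshold`. With a well-behaved client the KDC starts returning
    CLIENT_REVOKED only after the threshold is crossed, i.e. on attempt
    threshold + 1 at the earliest, so anything earlier needs a closer look."""
    return {u: n for u, n in attempts_until_locked(log_text).items() if n <= threshold}


def krb5_version_affected(version):
    """True when a krb5-libs version string is in the 1.7 release named in
    comment 4: at least 1.7 and below the fixed 1.7.1. Only the leading
    numeric components are compared, so '1.7-1' is read as 1.7."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (1, 7) <= parts < (1, 7, 1)


if __name__ == "__main__":
    print("locked on attempt:", attempts_until_locked(SAMPLE_LOG))
    print("premature lockouts:", premature_lockouts(SAMPLE_LOG))
    for v in ("1.7", "1.7.1", "1.8.1"):
        print(v, "affected" if krb5_version_affected(v) else "not affected")
```

On the sample input the report's user first.last is flagged (revoked on attempt 1) while jdoe is not (revoked on attempt 6, after five plain preauthentication failures). Two caveats: an account that was already locked out by attempts from another host, or by the administrator, also shows "revoked" on this host's first attempt, so confirm the lockout count against the domain controller's own security log before blaming the client; and the version function only tells you whether the package is the 1.7 release, with the `rpm -qa krb*` output the reporter was asked for being the place to get that string.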

Comment 5 Eri Ramos Bastos 2010-05-03 16:43:59 UTC
Yes, looks like we are talking about the same bug.

[root@crash ~]# rpm -qa krb*

I should have included Fedora bugs on my search when I was looking for this problem. Sorry about that.

Comment 6 RHEL Program Management 2010-05-03 17:05:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for

Comment 7 Nalin Dahyabhai 2010-05-03 18:15:45 UTC
No worries.  Now we have one that'll show up when people search this product.  Trees after beta 1 should have 1.7.1 or 1.8 or 1.8.1 in them, so I'll move this to modified.

Comment 11 releng-rhel@redhat.com 2010-11-10 21:01:05 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.