Bug 785864

Summary: Users Failed Login attempts are not iterating the counter
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: high
Version: 6.3
CC: mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2012-06-20 13:31:48 UTC

Description Jenny Severance 2012-01-30 19:42:37 UTC
Description of problem:


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify Failure Counter Iteration
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [0] Expected: [1] 
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [0] Expected: [2] 
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [0] Expected: [3] 
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [0] Expected: [4] 
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [0] Expected: [5] 
:: [   LOG    ] :: Duration: 23s
:: [   LOG    ] :: Assertions: 10 good, 5 bad
:: [   FAIL   ] :: RESULT: Verify Failure Counter Iteration

# kinit jenny
Password for jenny: 
kinit: Password incorrect while getting initial credentials


# ipa user-show --all jenny
  dn: uid=jenny,cn=users,cn=accounts,dc=testrelm,dc=com
  User login: jenny
  First name: Jenny
  Last name: Galipeau
  Full name: Jenny Galipeau
  Display name: Jenny Galipeau
  Initials: JG
  Home directory: /home/jenny
  GECOS field: Jenny Galipeau
  Login shell: /bin/sh
  Kerberos principal: jenny
  UID: 809400167
  GID: 809400167
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipauniqueid: 3c26ebd2-4b51-11e1-8ed9-525400d5df12
  krbextradata: AAJM8CZPa2FkbWluZEBURVNUUkVMTS5DT00A
  krblastpwdchange: 20120130193228Z
  krbloginfailedcount: 0   <================================================
  krbpasswordexpiration: 20120429193228Z
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  krbticketflags: 128
  mepmanagedentry: cn=jenny,cn=groups,cn=accounts,dc=testrelm,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, mepOriginEntry


# ssh -l jenny localhost
jenny@localhost's password: 
Permission denied, please try again.
jenny@localhost's password: 
Permission denied, please try again.
jenny@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

# ipa user-show --all jenny
  dn: uid=jenny,cn=users,cn=accounts,dc=testrelm,dc=com
  User login: jenny
  First name: Jenny
  Last name: Galipeau
  Full name: Jenny Galipeau
  Display name: Jenny Galipeau
  Initials: JG
  Home directory: /home/jenny
  GECOS field: Jenny Galipeau
  Login shell: /bin/sh
  Kerberos principal: jenny
  UID: 809400167
  GID: 809400167
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipauniqueid: 3c26ebd2-4b51-11e1-8ed9-525400d5df12
  krbextradata: AAJM8CZPa2FkbWluZEBURVNUUkVMTS5DT00A
  krblastpwdchange: 20120130193228Z
  krbloginfailedcount: 0  <===================================================
  krbpasswordexpiration: 20120429193228Z
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  krbticketflags: 128
  mepmanagedentry: cn=jenny,cn=groups,cn=accounts,dc=testrelm,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, mepOriginEntry

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120127T0607zgit6863b8f.el6.x86_64

How reproducible:


Steps to Reproduce:
1. see description
  
Actual results:
This is a regression

Expected results:


Additional info:
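
Added example, not part of the original report or the IPA test suite: an offline regression check that extracts `krbloginfailedcount` from `ipa user-show --all` output and confirms it rose by the number of failed logins. The function names are hypothetical, and the sample text is constructed from the output quoted above (the "fixed" sample is an assumed post-fix value).

```shell
#!/bin/sh
# Added example: regression check for the failed-login counter.
# Sample data is constructed; function names are hypothetical.

# Read `ipa user-show --all` output on stdin and print krbloginfailedcount.
# Ignores trailing annotations such as "<====". Exits 1 if the attribute
# is missing or not a non-negative integer.
get_failed_count() {
    awk '$1 == "krbloginfailedcount:" && $2 ~ /^[0-9]+$/ { print $2; found = 1; exit }
         END { exit !found }'
}

# check_counter BEFORE_TEXT AFTER_TEXT FAILED_ATTEMPTS
# Returns 0 if the counter rose by exactly FAILED_ATTEMPTS,
#         1 if it did not (the behaviour in this report),
#         2 if either sample lacks a usable counter value.
check_counter() {
    before=$(printf '%s\n' "$1" | get_failed_count) || return 2
    after=$(printf '%s\n' "$2" | get_failed_count) || return 2
    [ $((after - before)) -eq "$3" ]
}

# Constructed samples: state before a failed kinit, then the two possible
# states afterwards (regressed build vs. assumed fixed build).
BEFORE='  User login: jenny
  krblastpwdchange: 20120130193228Z
  krbloginfailedcount: 0
  krbticketflags: 128'
AFTER_BROKEN='  User login: jenny
  krblastpwdchange: 20120130193228Z
  krbloginfailedcount: 0   <====
  krbticketflags: 128'
AFTER_FIXED='  User login: jenny
  krblastpwdchange: 20120130193228Z
  krbloginfailedcount: 1
  krbticketflags: 128'

# One failed kinit happened between BEFORE and each AFTER sample.
for sample in "$AFTER_BROKEN" "$AFTER_FIXED"; do
    if check_counter "$BEFORE" "$sample" 1; then
        echo "counter incremented as expected"
    else
        echo "counter NOT incremented after failed login"
    fi
done
```

On a live server the two text arguments would be the captured output of `ipa user-show --all <user>` taken before and after the failed attempts.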

Comment 1 Martin Kosek 2012-01-31 16:11:06 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2334

Comment 2 Rob Crittenden 2012-02-16 20:42:55 UTC
Fixed upstream

master: 651f9324735d0680c6a56246616932459e15b99d

ipa-2-2: 5a087e65e24090ee35153ca183206b2d97748c3a

Comment 5 Jenny Severance 2012-03-12 18:56:04 UTC
verified ::



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify Failure Counter Iteration
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [14:41:14] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [14:41:16] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [1]
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [14:41:21] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [14:41:22] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [2]
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [14:41:27] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [14:41:29] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [3]
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [14:41:34] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [14:41:35] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [4]
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [14:41:40] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [14:41:42] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [5]


version ::

ipa-server-2.2.0-3.el6.x86_64

Comment 7 Martin Kosek 2012-04-24 11:33:19 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 9 errata-xmlrpc 2012-06-20 13:31:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html