Bug 810978

Summary: Password Policy Failure Counter Stops working, max failures never reached and user never gets locked out
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: high
Version: 6.3
CC: mkosek
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-04-20 11:35:56 UTC
Type: Bug

Description Jenny Severance 2012-04-09 19:09:44 UTC
Description of problem:

It appears that the failure counter stops working and max failures are never getting reached and user therefore never gets locked out.

The following test is setting the global password policy max failures to "3".

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Max Failures reached and users credentials revoked
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: Setting maxfail to value of [3]
:: [   PASS   ] :: Max failures correct [3]
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password.  Attempt [1]
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password.  Attempt [2]
:: [   LOG    ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password.  Attempt [3]
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [1] Expected: [3] 
:: [   LOG    ] :: kinit as user1 with password Secret123 was successful.
:: [   FAIL   ] :: Kinit as user with valid password. Max failures reached (Expected 1, got 0)
:: [   FAIL   ] :: File '/tmp/kinitrevoked.txt' should contain 'Clients credentials have been revoked while getting initial credentials' 
:: [   LOG    ] :: Duration: 18s
:: [   LOG    ] :: Assertions: 7 good, 3 bad
:: [   FAIL   ] :: RESULT: Max Failures reached and users credentials revoked

The following test is setting the group policy for which the user is a member max failures to "3"


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Group Failures Policy Enforcement - Lock Out
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: ERROR: kinit as grpuser with password BADPWD failed.
:: [   PASS   ] :: Kinit as group policy user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [1]
:: [   LOG    ] :: ERROR: kinit as grpuser with password BADPWD failed.
:: [   PASS   ] :: Kinit as group policy user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   PASS   ] :: User's failed counter is as expected: [2]
:: [   LOG    ] :: ERROR: kinit as grpuser with password BADPWD failed.
:: [   PASS   ] :: Kinit as group policy user with invalid password
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [1] Expected: [3] 
:: [   LOG    ] :: kinit as grpuser with password Secret123 was successful.
:: [   FAIL   ] :: Kinit as user with valid password. Max failures reached (Expected 1, got 0)
:: [   FAIL   ] :: File '/tmp/kinitrevoked.txt' should contain 'Clients credentials have been revoked while getting initial credentials' 
:: [   LOG    ] :: Sleep for lock out duration
:: [   LOG    ] :: kinit as grpuser with password Secret123 was successful.
:: [   PASS   ] :: Lock out period over - kinit should be successful
:: [   LOG    ] :: Duration: 53s
:: [   LOG    ] :: Assertions: 9 good, 3 bad
:: [   FAIL   ] :: RESULT: Group Failures Policy Enforcement - Lock Out


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-8.el6.x86_64

How reproducible:
consistent with 2.2.0-8

Steps to Reproduce:
1. see description

Comment 2 Rob Crittenden 2012-04-09 20:47:33 UTC
I'm not able to reproduce this. Can you provide more information on what the current password policy is?

Comment 3 Jenny Severance 2012-04-10 17:03:33 UTC
Here is a better log of events ... showing the password policy settings


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Max Failures reached and users credentials revoked
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [11:49:31] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 3
  Failure reset interval: 60
  Lockout duration: 600
:: [   PASS   ] :: Setting maxfail to value of [3]
:: [   PASS   ] :: Max failures correct [3]
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [11:49:43] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password.  Attempt [1]
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [11:49:45] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password.  Attempt [2]
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1: 
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [11:49:46] ::  ERROR: kinit as user1 with password BADPWD failed.
:: [   PASS   ] :: Kinit as user with invalid password.  Attempt [3]
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [11:49:48] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   FAIL   ] :: User's failed counter is NOT as expected.  Got: [1] Expected: [3] 
:: [   FAIL   ] :: Kinit as user with valid password. Max failures reached (Expected 1, got 0)
:: [   FAIL   ] :: File '/tmp/kinitrevoked.txt' should contain 'Clients credentials have been revoked while getting initial credentials' 
'0a86d246-1002-4043-b102-5600ca6ad06d'
Max-Failures-reached-and-users-credentials-revoked result: FAIL

Comment 4 Dmitri Pal 2012-04-13 18:56:37 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2639

Comment 5 Jenny Severance 2012-04-13 19:36:01 UTC
I believe this may be a timing issue with my tests and the timeouts. I am probably going to close this as not a bug ... but want to wait until I am sure.

Comment 6 Jenny Severance 2012-04-20 11:35:56 UTC
This is due to interval timeouts before the test is complete; fixing tests and closing as not a bug.
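
Added example, not part of the bug thread and not FreeIPA or KDC code: a simplified model of a failed-login counter with a reset interval, using the policy values shown in comment 3. The class names, function names and attempt timings are assumptions made for illustration; the model shows how a gap longer than the failure reset interval between bad attempts restarts the count at 1, so the lockout threshold is never reached.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    max_failures: int = 3        # "Max failures: 3"
    reset_interval: int = 60     # "Failure reset interval: 60" (seconds)
    lockout_duration: int = 600  # "Lockout duration: 600" (seconds)


@dataclass
class Account:
    failed_count: int = 0
    last_failed: int = 0         # time of the most recent bad password


def is_locked(acct, pol, now):
    """Locked only while the count is at the limit and the lockout window is open."""
    if pol.max_failures == 0 or acct.failed_count < pol.max_failures:
        return False
    if pol.lockout_duration == 0:
        return True              # assumed: 0 means locked until an admin unlocks
    return now < acct.last_failed + pol.lockout_duration


def attempt(acct, pol, now, password_ok):
    """Model one login attempt; returns 'revoked', 'ok' or 'bad'."""
    if is_locked(acct, pol, now):
        return "revoked"
    if password_ok:
        acct.failed_count = 0
        return "ok"
    # A failure arriving after the reset interval starts a fresh count.
    if pol.reset_interval and now > acct.last_failed + pol.reset_interval:
        acct.failed_count = 0
    acct.failed_count += 1
    acct.last_failed = now
    return "bad"


def run(times, pol=None):
    """Bad passwords at each time (constructed), then a good one 1 s later."""
    pol = pol or Policy()
    acct = Account()
    counts = []
    for t in times:
        attempt(acct, pol, t, password_ok=False)
        counts.append(acct.failed_count)
    return counts, attempt(acct, pol, times[-1] + 1, password_ok=True)
```

With constructed timings, `run([0, 1, 2])` ends in a lockout, while `run([0, 20, 85])` yields the counter sequence 1, 2, 1 seen in the group-policy log. A lockout test therefore has to keep all bad attempts and the counter check inside one reset interval.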