Bug 824488
Summary: Add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 6 | Reporter | Dmitri Pal <dpal> |
| Component | ipa | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA | QA Contact | Namita Soman <nsoman> |
| Severity | unspecified | Priority | medium |
| Version | 6.3 | CC | jgalipea, ksiddiqu, mgregg, mkosek, spoore, tlavigne |
| Target Milestone | rc | Target Release | 6.4 |
| Hardware | Unspecified | OS | Unspecified |
| Fixed In Version | ipa-3.0.0-11.el6 | Doc Type | Bug Fix |
| Last Closed | 2013-02-21 09:13:20 UTC | Bug Blocks | 886216 |

Doc Text:

Cause: The Identity Management Kerberos data back end (ipadb.so) had no option to control the automatic per-user logon attributes (last successful authentication, last failed authentication and failed-login count) that it updates on every authentication.

Consequence: Administrators of large deployments with a very high rate of authentication events in their Identity Management realm could not disable these automatic updates. Every update is a Directory Server modification and therefore a replication event, and the volume of these events could degrade performance.

Fix: The Identity Management Kerberos data back end now lets an administrator either disable writing the timestamp of the last successful user authentication, or disable writing back all lockout-related data entirely; the second option means lockout policies stop working. Both options can be set through the Identity Management configuration plugin in the CLI or the Web UI.

Result: Administrators can use these options to tune how Kerberos authentication attributes are updated automatically.
Description (Dmitri Pal, 2012-05-23 15:13:07 UTC)
Fixed upstream.

ipa-2-2: 97e362681ff9c81d76b6b015467309f90e301bce
master: f602ad270d06a0dd7f53c4aa6904d27daa07d4ae

UI component for master only.

master: 1fcbad4bcb6c3a98dc102c55bc17783ef7baff34

The "KDC:Disable Last Success" will disable writing back to LDAP the last successful AS Request time (successful kinit).

The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working.

Please add information about how to disable and enable these and how to verify if they are enabled/disabled.

These are set in the IPA configuration:

```
ipa config-mod --ipaconfigstring="KDC:Disable Last Success"
```

Disable Last Success causes the server to not write out krblastsuccessfulauth.

Disable Lockout disables lockout completely, so it doesn't update any of the lockout attributes: krblastsuccessfulauth, krbloginfailedcount and krblastfailedauth.

Did your kinit to usertest fail? This same test is working for me, though I only restart krb5kdc.

```
[root@pacer conf.d]# kinit tuser1
[root@pacer conf.d]# ipa user-show --all tuser1|grep krblastsuccessfulauth
  krblastsuccessfulauth: 20121026140947Z
[root@pacer conf.d]# kinit admin
[root@pacer conf.d]# ipa config-mod --ipaconfigstring="KDC:Disable Last Success"
[root@pacer conf.d]# service krb5kdc restart
[root@pacer conf.d]# kinit tuser1
[root@pacer conf.d]# ipa user-show --all tuser1|grep krblastsuccessfulauth
  krblastsuccessfulauth: 20121026140947Z
```

I think I've found the culprit. The lockout plugin can also add the krblastsuccessfulauth attribute. I was able to reproduce the problem, then I stopped dirsrv, disabled the ipa_lockout plugin, restarted and was not able to reproduce it any more.

I saw similar. krblastsuccessfulauth was being updated until I disabled lockout, restarted krb5kdc, disabled last success, restarted krb5kdc. Then it stopped updating the timestamp. I'm assuming this isn't expected?

Right, we need to make changes to the ipa_lockout plugin to honor these settings as well.
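The comments above describe the two flags, the three attributes they govern, and the verification method used throughout this report: read `krblastsuccessfulauth` (and the other lockout attributes) from `ipa user-show --all` before and after a `kinit`, and confirm that only the permitted ones changed. The following script is an added example, not code from the bug report or from FreeIPA. It parses the plain `Label: value` output of `ipa config-show`/`config-mod` and `ipa user-show --all` as printed on this page, derives from the `KDC:Disable Last Success` / `KDC:Disable Lockout` values which attributes an authentication may still touch, and reports any attribute that changed although the configuration forbids it (the symptom seen before the ipa_lockout plugin was fixed). The sample outputs and the second timestamp are constructed; the assumption that several ipaconfigstring values are printed comma-separated is marked in the code.

```python
"""Check FreeIPA KDC write-back flags against observed user attributes.

Added example, not FreeIPA code. Parses 'Label: value' CLI output and
reports auth attributes that changed although the flags say they must not.
"""
from datetime import datetime, timezone

FLAG_LAST_SUCCESS = "KDC:Disable Last Success"
FLAG_LOCKOUT = "KDC:Disable Lockout"

# Attributes the KDC back end and the 389-ds ipa_lockout plugin write back.
TIMESTAMP_ATTRS = ("krblastsuccessfulauth", "krblastfailedauth")
COUNTER_ATTRS = ("krbloginfailedcount",)
AUTH_ATTRS = TIMESTAMP_ATTRS + COUNTER_ATTRS

# Label under which the CLI prints the ipaconfigstring attribute.
CONFIG_STRING_LABEL = "Password plugin features"


def parse_ipa_output(text):
    """Parse 'Label: value' lines; a repeated label collects into a list."""
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("-", "[", "#")):
            continue  # separators, shell prompts, annotations
        label, sep, value = line.partition(":")
        if sep:
            parsed.setdefault(label.strip(), []).append(value.strip())
    return parsed


def configured_flags(config_text):
    """Set of KDC:* flags present in ipaconfigstring."""
    flags = set()
    for value in parse_ipa_output(config_text).get(CONFIG_STRING_LABEL, []):
        # Assumption: multiple values are printed comma-separated.
        flags.update(v.strip() for v in value.split(",") if v.strip())
    return flags


def writable_attrs(flags):
    """Attributes an authentication may still modify under these flags."""
    if FLAG_LOCKOUT in flags:
        # Nothing is written back: lockout policy is inert, so the KDC no
        # longer throttles password guessing against a user principal.
        return frozenset()
    if FLAG_LAST_SUCCESS in flags:
        return frozenset(AUTH_ATTRS) - {"krblastsuccessfulauth"}
    return frozenset(AUTH_ATTRS)


def lockout_enforced(flags):
    """True while failed-count tracking and lockout are still active."""
    return FLAG_LOCKOUT not in flags


def _normalize(attr, values):
    """Printed values -> comparable objects (None when the attr is absent)."""
    if not values:
        return None
    if attr in TIMESTAMP_ATTRS:  # LDAP generalized time, e.g. 20121211185055Z
        return tuple(datetime.strptime(v, "%Y%m%d%H%M%SZ")
                     .replace(tzinfo=timezone.utc) for v in values)
    return tuple(int(v) for v in values)


def changed_auth_attrs(before_text, after_text):
    """Auth attributes whose value differs between two user-show outputs."""
    before, after = parse_ipa_output(before_text), parse_ipa_output(after_text)
    return {a for a in AUTH_ATTRS
            if _normalize(a, before.get(a)) != _normalize(a, after.get(a))}


def unexpected_writes(flags, before_text, after_text):
    """Attributes that changed although the configured flags forbid it."""
    return changed_auth_attrs(before_text, after_text) - writable_attrs(flags)


# Constructed sample outputs; timestamps follow the ones in this report.
CONFIG_DISABLE_LAST_SUCCESS = """\
  Maximum username length: 32
  Password plugin features: KDC:Disable Last Success
  Default PAC types: MS-PAC
"""
USER_BEFORE = """\
  User login: bz824488
  krblastsuccessfulauth: 20121211185055Z
  krbloginfailedcount: 0
"""
USER_AFTER_FIXED = USER_BEFORE  # fixed plugin: later kinit leaves it alone
USER_AFTER_PREFIX = """\
  User login: bz824488
  krblastsuccessfulauth: 20121211185130Z
  krbloginfailedcount: 0
"""  # pre-fix ipa_lockout behaviour (constructed later timestamp)


def main():
    flags = configured_flags(CONFIG_DISABLE_LAST_SUCCESS)
    print("flags:", sorted(flags), "lockout enforced:", lockout_enforced(flags))
    print("fixed:  ", unexpected_writes(flags, USER_BEFORE, USER_AFTER_FIXED))
    print("pre-fix:", unexpected_writes(flags, USER_BEFORE, USER_AFTER_PREFIX))


if __name__ == "__main__":
    main()
```

On a live server the two `user-show` captures would be taken around a `kinit`; an empty result from `unexpected_writes` means the KDC and the ipa_lockout plugin both honour the flag. `lockout_enforced` is the check to run before enabling `KDC:Disable Lockout` in production: with it set, `krbloginfailedcount` is never incremented, so the password-policy failure limit can no longer lock an account.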
Fixed upstream. The 389-ds ipa_lockout plugin now honors these two configuration options as well.

master: 146da1b3269659cc92a444f85608820e044f8796
ipa-3-0: a149f01ab5babded6bf2a67c97142c1d82f7354f

Verified.

Version ::
ipa-server-3.0.0-11.el6.x86_64
389-ds-base-1.2.11.15-6.el6.x86_64

Manual Test Results ::

########## setup

```
[root@rhel6-2 ~]# ipa user-add bz824488 --first=f --last=l --password
Password:
Enter Password again to verify:
---------------------
Added user "bz824488"
---------------------
  User login: bz824488
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz824488
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz824488
  Email address: bz824488
  UID: 1685400004
  GID: 1685400004
  Password: True
  Kerberos keys available: True
[root@rhel6-2 ~]# kinit bz824488
Password for bz824488:
Password expired.  You must change it now.
Enter new password:
Enter it again:
```

########## disable_last_success

```
# First just check timestamp for krblastsuccessfulauth:
[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211184948Z

# Next change config
[root@rhel6-2 ~]# kinit admin
Password for admin:
[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring="KDC:Disable Last Success"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  Password plugin features: KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC
[root@rhel6-2 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                  [  OK  ]
    TESTRELM2-COM...                            [  OK  ]
Starting dirsrv:
    PKI-IPA...                                  [  OK  ]
    TESTRELM2-COM...                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                        [  OK  ]
Starting Kerberos 5 KDC:                        [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:               [  OK  ]
Starting Kerberos 5 Admin Server:               [  OK  ]
Restarting DNS Service
Stopping named: .                               [  OK  ]
Starting named:                                 [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                         [  OK  ]
Starting ipa_memcached:                         [  OK  ]
Restarting HTTP Service
Stopping httpd:                                 [  OK  ]
Starting httpd:                                 [  OK  ]
Restarting CA Service
Stopping pki-ca:                                [  OK  ]
Starting pki-ca:                                [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                     [  OK  ]
Starting SMB services:                          [  OK  ]
Restarting EXTID Service
Shutting down Winbind services:                 [  OK  ]
Starting Winbind services:                      [  OK  ]

# Test that kinit login no longer updates krblastsuccessfulauth timestamp:
[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:
[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488:
[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z
[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488:
[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z
[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:
[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z
```

########## disable_lockout

```
# First I confirmed that lockout was working:
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
kinit: Clients credentials have been revoked while getting initial credentials

# Then I unlocked the account:
[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:
[root@rhel6-2 ~]# ipa user-unlock bz824488
---------------------------
Unlocked account "bz824488"
---------------------------
[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488:

# Then changed config
[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:
[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring="KDC:Disable Lockout"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  Password plugin features: KDC:Disable Lockout
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC
[root@rhel6-2 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                  [  OK  ]
    TESTRELM2-COM...                            [  OK  ]
Starting dirsrv:
    PKI-IPA...                                  [  OK  ]
    TESTRELM2-COM...                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                        [  OK  ]
Starting Kerberos 5 KDC:                        [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:               [  OK  ]
Starting Kerberos 5 Admin Server:               [  OK  ]
Restarting DNS Service
Stopping named: .                               [  OK  ]
Starting named:                                 [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                         [  OK  ]
Starting ipa_memcached:                         [  OK  ]
Restarting HTTP Service
Stopping httpd:                                 [  OK  ]
Starting httpd:                                 [  OK  ]
Restarting CA Service
Stopping pki-ca:                                [  OK  ]
Starting pki-ca:                                [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                     [  OK  ]
Starting SMB services:                          [  OK  ]
Restarting EXTID Service
Shutting down Winbind services:                 [  OK  ]
Starting Winbind services:                      [  OK  ]

# Test that it's no longer locking out user:
[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastfailedauth: 20121211191056Z
  krblastsuccessfulauth: 20121211185055Z
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastfailedauth: 20121211191056Z
  krblastsuccessfulauth: 20121211185055Z
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials
[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488: kinit: Password incorrect while getting initial credentials

# Then put configstring back to nothing:
[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring=""
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC
[root@rhel6-2 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html