A flaw was found that allows any unauthenticated party to easily run a DoS attack against kerberized services in a FreeIPA/IdM realm.
FreeIPA contains an MIT KDC as its main component, and FreeIPA uses a custom database driver for the KDC. As a side effect of the implementation, FreeIPA enforces password policies for all principals, including services that do not use a "password" but a keytab with a randomly generated, strong key.
The default password policy locks an account for 10 minutes after 5 unsuccessful authentication attempts. An attacker can use this to simply lock out any principal, including system services.
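The lockout behaviour described above, as an added simulation that is not FreeIPA or MIT krb5 code: a toy KDC applies the default policy (5 failures, 10 minute lockout) to every principal, so five bogus requests from an unauthenticated client lock the HTTP service principal until the window elapses, while a variant that exempts keytab-backed principals keeps the service reachable and still locks the password-using user. The principal names, the "'/' in the name means host or service principal" heuristic, and the in-memory counters are assumptions made for this example, not a description of the upstream patch.

```python
"""Lockout policy applied to every principal (the FreeIPA behaviour described
above) beside one that applies it only to password-authenticating principals.
Simulation only: names, the '/'-heuristic and the counters are assumptions."""
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    max_failures: int = 5         # FreeIPA default: 5 unsuccessful attempts
    lockout_seconds: int = 600    # FreeIPA default: locked for 10 minutes


@dataclass
class PrincipalState:
    failures: int = 0
    locked_until: float = 0.0     # 0.0 means never locked


@dataclass
class Kdc:
    policy: PasswordPolicy
    keys: dict                    # principal -> correct secret (constructed)
    exempt_services: bool = False # hardened variant: skip keytab principals
    state: dict = field(default_factory=dict)

    def _enforces_lockout(self, principal: str) -> bool:
        # Assumption: a '/' in the principal name marks a host or service
        # principal that authenticates with a random keytab key, not a password.
        if self.exempt_services and "/" in principal.split("@", 1)[0]:
            return False
        return True

    def authenticate(self, principal: str, secret: str, now: float) -> str:
        st = self.state.setdefault(principal, PrincipalState())
        if self._enforces_lockout(principal):
            if now < st.locked_until:
                return "LOCKED"           # rejected regardless of the secret
            if st.locked_until and now >= st.locked_until:
                st.failures, st.locked_until = 0, 0.0   # lockout window elapsed
        if self.keys.get(principal) == secret:
            st.failures = 0
            return "OK"
        if self._enforces_lockout(principal):
            st.failures += 1
            if st.failures >= self.policy.max_failures:
                st.locked_until = now + self.policy.lockout_seconds
        return "BAD_SECRET"


# Constructed realm data for the example.
SERVICE = "HTTP/ipa.example.test@EXAMPLE.TEST"
USER = "alice@EXAMPLE.TEST"
KEYS = {SERVICE: "random-keytab-key", USER: "alice-password"}


def run_scenario(exempt_services: bool) -> dict:
    kdc = Kdc(PasswordPolicy(), dict(KEYS), exempt_services=exempt_services)
    # Unauthenticated attacker: five wrong secrets for the service principal.
    attacker = [kdc.authenticate(SERVICE, f"guess-{i}", now=float(i)) for i in range(5)]
    # The real service, holding the correct keytab key, tries right afterwards...
    service_at_6 = kdc.authenticate(SERVICE, KEYS[SERVICE], now=6.0)
    # ...and again after the 10 minute window has passed.
    service_at_700 = kdc.authenticate(SERVICE, KEYS[SERVICE], now=700.0)
    # A password-using user principal is subject to the policy in both variants.
    for i in range(5):
        kdc.authenticate(USER, "wrong", now=float(i))
    user_locked = kdc.authenticate(USER, KEYS[USER], now=6.0)
    return {"attacker": attacker, "service_at_6": service_at_6,
            "service_at_700": service_at_700, "user_locked": user_locked}


if __name__ == "__main__":
    print("policy on all principals:  ", run_scenario(exempt_services=False))
    print("keytab principals exempt:  ", run_scenario(exempt_services=True))
```

To see which values a real realm applies, `ipa pwpolicy-show` prints the global policy's "Max failures" and "Lockout duration"; the simulation's defaults match the 5 and 600 seconds stated above, but a realm with a stricter group policy locks sooner.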
Upstream patch :
Additional dependency :
Name: Petr Spacek (Red Hat)
Created freeipa tracking bugs for this issue:
Affects: fedora-all [bug 1404690]
Comment on attachment 1230758
Obsoleting patch: see the description for the list of upstream patches.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:0001 https://rhn.redhat.com/errata/RHSA-2017-0001.html