Bug 588366 - User account locked after only 1 password mistype with domain authentication
Summary: User account locked after only 1 password mistype with domain authentication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Zbysek MRAZ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-03 15:03 UTC by Eri Ramos Bastos
Modified: 2013-07-03 13:11 UTC

Fixed In Version: krb5-1.7.1-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-10 21:01:05 UTC
Target Upstream Version:
Embargoed:



Description Eri Ramos Bastos 2010-05-03 15:03:29 UTC
Description of problem:

A user trying to login to the system with a domain account* will get locked out after a single mistyped password.

*Microsoft Active Directory Domain, using Microsoft Identity Management for UNIX


Version-Release number of selected component (if applicable):

[root@crash log]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 6.0 Beta (Santiago)
[root@crash log]# rpm -qa pam*
pam_passwdqc-1.0.5-5.el6.i686
pam_pkcs11-0.5.3-31.el6.i686
pam-1.1.1-2.el6.i686
pam_ldap-185-1.el6.i686
pam_krb5-2.3.10-2.el6.i686


How reproducible:
Tested environment:

- Windows 2003 R2 SP2 
- Microsoft Identity Management for UNIX 5.2.3790.0
- RHEL 6.0 Beta


Steps to Reproduce:
1. ssh to the RHEL 6 Box
2. Mistype your password once

  
Actual results:
User gets the account locked

Expected results:
User should be able to try the password as many times as configured at the domain level before being locked out.

Additional info:

1- This won't happen with RHEL 4 or RHEL 5
2- Log file below:

May  3 11:31:48 crash sshd[21199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name  user=first.last
May  3 11:31:48 crash sshd[21199]: pam_krb5[21199]: authentication fails for 'first.last' (first.last): User not known to the underlying authentication module (Clients credentials have been revoked)
May  3 11:31:51 crash sshd[21199]: Failed password for first.last from 1.1.1.1 port 39778 ssh2

Comment 1 Tomas Mraz 2010-05-03 15:43:04 UTC
This is probably some problem in pam_krb5. Or in your configuration of it.

The user is locked out forever so you can't log in even after reconnecting?

Comment 2 Eri Ramos Bastos 2010-05-03 15:51:54 UTC
Yes, the account gets locked until an administrator goes to a domain controller and unchecks "Account is locked out" under the user's properties.

Here is how I configure the domain authentication in all servers*:

authconfig --enablecache --enablenis --enableshadow --enablekrb5 \
--enablelocauthorize --nisdomain=DomainName --nisserver=domain.name \
--krb5realm=DOMAIN.NAME --krb5kdc=domain.name \
--krb5adminserver=domain.name --update

*Except RHEL 4, which does not have the option --update. Everything else is the same.

Comment 4 Nalin Dahyabhai 2010-05-03 16:31:06 UTC
Is this with krb5-libs 1.7?  I ask because this was a known problem in 1.7 (bug #542687, bug #554351), but it should be fixed in any later version, including versions that hit the repository after beta 1.

If the client is running something later than 1.7, do you have information on what the domain controller's lockout policy is, particularly if they've been changed from the factory defaults?

Comment 5 Eri Ramos Bastos 2010-05-03 16:43:59 UTC
Yes, looks like we are talking about the same bug.

[root@crash ~]# rpm -qa krb*
krb5-devel-1.7-18.el6.i686
krb5-libs-1.7-18.el6.i686
krb5-workstation-1.7-18.el6.i686

I should have included Fedora bugs on my search when I was looking for this problem. Sorry about that.
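
As an added example (not part of this bug report, of pam_krb5 or of the krb5 packages), the script below ties the log signature in the description to the version check in comments 4 and 5: it flags accounts whose first pam_krb5 failure on a host was already "Clients credentials have been revoked" rather than the usual "Preauthentication failed", and it checks `rpm -qa` output for a krb5-libs older than the Fixed In Version krb5-1.7.1-1. The log lines and package list are constructed from the ones quoted above (the jane.doe session is invented as a healthy control); SAMPLE_LOG, SAMPLE_RPM_QA and the function names are hypothetical, and rpmvercmp is a simplified stand-in for rpm's own comparison with no epoch, tilde or caret handling.

```python
import re
from collections import defaultdict

# Constructed sample input, modeled on the syslog lines quoted in the bug
# description plus a second, healthy session (hostnames, PIDs, addresses and
# user names are placeholders, not from a real system).
SAMPLE_LOG = """\
May  3 11:31:48 crash sshd[21199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name  user=first.last
May  3 11:31:48 crash sshd[21199]: pam_krb5[21199]: authentication fails for 'first.last' (first.last): User not known to the underlying authentication module (Clients credentials have been revoked)
May  3 11:31:51 crash sshd[21199]: Failed password for first.last from 1.1.1.1 port 39778 ssh2
May  3 11:40:02 crash sshd[21300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name  user=jane.doe
May  3 11:40:02 crash sshd[21300]: pam_krb5[21300]: authentication fails for 'jane.doe' (jane.doe): Authentication failure (Preauthentication failed)
May  3 11:40:05 crash sshd[21300]: Failed password for jane.doe from 1.1.1.2 port 40001 ssh2
"""

# Constructed 'rpm -qa krb*' output, matching the versions shown in comment 5.
SAMPLE_RPM_QA = """\
krb5-devel-1.7-18.el6.i686
krb5-libs-1.7-18.el6.i686
krb5-workstation-1.7-18.el6.i686
"""

# Version and release taken from the bug's "Fixed In Version" field (krb5-1.7.1-1).
FIXED_VERSION, FIXED_RELEASE = "1.7.1", "1"

KRB_FAIL = re.compile(
    r"pam_krb5\[\d+\]: authentication fails for '(?P<user>[^']+)' "
    r"\([^)]*\): [^(]*\((?P<krb>[^)]*)\)"
)


def find_premature_lockouts(log_text):
    """Users whose first pam_krb5 failure on this host was already a revocation.

    A mistyped password normally yields 'Preauthentication failed' from the
    KDC; 'credentials have been revoked' with no earlier failure for the user
    suggests the account locked after a single attempt (or was already locked
    elsewhere, so treat the result as a lead, not proof).
    """
    failures = defaultdict(int)
    flagged = []
    for line in log_text.splitlines():
        m = KRB_FAIL.search(line)
        if not m:
            continue
        user, reason = m.group("user"), m.group("krb")
        failures[user] += 1
        if failures[user] == 1 and "credentials have been revoked" in reason:
            flagged.append(user)
    return flagged


def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare alternating numeric/alpha segments.

    Returns -1, 0 or 1. As in rpm, numeric segments sort newer than alphabetic
    ones and the string with segments left over wins a tie; epoch, tilde and
    caret rules are not handled (assumption: plain RHEL 6 package versions).
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(pkg):
    """Split 'name-version-release.arch' as printed by 'rpm -qa'."""
    nvr, _, arch = pkg.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def krb5_libs_is_fixed(rpm_qa_output):
    """True if the listed krb5-libs is at or past krb5-1.7.1-1, False if it is
    older, None if krb5-libs does not appear in the listing."""
    for pkg in rpm_qa_output.split():
        name, version, release, _ = parse_nvra(pkg)
        if name != "krb5-libs":
            continue
        c = rpmvercmp(version, FIXED_VERSION)
        if c == 0:
            c = rpmvercmp(release, FIXED_RELEASE)
        return c >= 0
    return None


if __name__ == "__main__":
    print("premature lockouts:", find_premature_lockouts(SAMPLE_LOG))
    print("krb5-libs has the fix:", krb5_libs_is_fixed(SAMPLE_RPM_QA))
```

A revocation on the very first failure is only a hint: an account that was already locked from another host produces the same message, so confirm against the domain's lockout threshold and the domain controller's bad-password count for the account before blaming the client. On a host that shows both signals (revocation on first failure and krb5-libs below 1.7.1-1) the package update is the first thing to try.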

Comment 6 RHEL Program Management 2010-05-03 17:05:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 7 Nalin Dahyabhai 2010-05-03 18:15:45 UTC
No worries.  Now we have one that'll show up when people search this product.  Trees after beta 1 should have 1.7.1 or 1.8 or 1.8.1 in them, so I'll move this to modified.

Comment 11 releng-rhel@redhat.com 2010-11-10 21:01:05 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

