Description of problem:
A user trying to login to the system with a domain account* will get locked out after a single mistyped password.
*Microsoft Active Directory Domain, using Microsoft Identity Management for UNIX
Version-Release number of selected component (if applicable):
[root@crash log]# cat /etc/redhat-release
Red Hat Enterprise Linux release 6.0 Beta (Santiago)
[root@crash log]# rpm -qa pam*
- Windows 2003 R2 SP2
- Microsoft Identity Management for UNIX 5.2.3790.0
- RHEL 6.0 Beta
Steps to Reproduce:
1. ssh to the RHEL 6 Box
2. Mistype your password once
User gets the account locked
User should be able to try the password as many times as configured at the domain level before being locked out.
1- This won't happen with RHEL 4 or RHEL 5
2- Log file bellow:
May 3 11:31:48 crash sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation-name user=first.last
May 3 11:31:48 crash sshd: pam_krb5: authentication fails for 'first.last' (first.last@DOMAIN.NAME): User not known to the underlying authentication module (Clients credentials have been revoked)
May 3 11:31:51 crash sshd: Failed password for first.last from 18.104.22.168 port 39778 ssh2
This is probably some problem in pam_krb5. Or in your configuration of it.
The user is locked out forever so you can't log in even after reconnecting?
Yes, account gets locked until an administrator goes to a domain controller and uncheck the "Account is locket out" under the user's properties.
Here is how I configure the domain authentication in all servers*:
authconfig --enablecache --enablenis --enableshadow --enablekrb5 \
--enablelocauthorize --nisdomain=DomainName --nisserver=domain.name \
--krb5realm=DOMAIN.NAME --krb5kdc=domain.name \
*Except RHEL 4, which does not have the option --update. Everything else is the same.
Is this with krb5-libs 1.7? I ask because this was a known problem in 1.7 (bug #542687, bug #554351), but it should be fixed in any later version, including versions that hit the repository after beta 1.
If the client is running something later than 1.7, do you have information on what the domain controller's lockout policy is, particularly if they've been changed from the factory defaults?
Yes, looks like we are talking about the same bug.
[root@crash ~]# rpm -qa krb*
I should have included Fedora bugs on my search when I was looking for this problem. Sorry about that.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release. Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release. This request is not yet committed for
No worries. Now we have one that'll show up when people search this product. Trees after beta 1 should have 1.7.1 or 1.8 or 1.8.1 in them, so I'll move this to modified.
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.