RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 759501 - [RFE] Login failed attempts counter or locked out status are not displayed in WebUI or "ipa user-show" command
Summary: [RFE] Login failed attempts counter or locked out status are not displayed in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-02 14:47 UTC by Rafael Godínez Pérez
Modified: 2018-12-02 15:05 UTC (History)
4 users (show)

Fixed In Version: ipa-2.2.0-11.el6
Doc Type: Enhancement
Doc Text:
Cause: When failed login attempts are more than maximum specified, the account is locked. However, an investigation of a lock out status of a particular user is difficult as the number of failed login attempts is not replicated. Consequence: PA administrator would need to get failed login attempt counts from all installed replicas to find out the user lock out status. Change: IPA provides a new CLI command "ipa user-status" which can provide number of failed login attempts on all configured IPA replicas along with a time of the last successful or failed authentication attempt. Result: Administrator can now much easier get overall status of particular lock status.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:18:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Rafael Godínez Pérez 2011-12-02 14:47:58 UTC 
Description of problem:

When failed login attempts are more than maximum specified, the account is locked in all clients, no matter if the user is cached in that client or not (expected behaviour). But, in IdM server, 'ipa user-show' command, as well as WebUI, show the user account as still enabled.

For diagnose in case of account troubles, or if an administrator is needed to manually enable locked out accounts, the right status of the locked out account should be shown in WebUI and ipa command.

There is a distinction between a disabled account and one locked out due to too many failed logins.

We don't currently show the number of failed logins or that lockout status.



Version-Release number of selected component (if applicable):
RHEL 6.2

How reproducible:
Always

Steps to Reproduce:
1. log in with wrong password more times than allowed by configuration
2. 
3. 
  
Actual results:
Account is locked out, but this status isn't reflected in WebUI or by command "ipa user-show".
It does not reflect either the number of failed attempts.

Expected results:
The number of failed attempts should be displayed in WebUI or by command "ipa user-show"

Additional info:
Comment 2 Jenny Severance 2011-12-02 15:30:49 UTC 
need to add the --all flag ..

# ipa user-show --all admin
  dn: uid=admin,cn=users,cn=accounts,dc=testrelm
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS field: Administrator
  Login shell: /bin/bash
  Kerberos principal: admin@TESTRELM
  UID: 1426400000
  GID: 1426400000
  Account disabled: False
  Keytab: True
  Password: True
  Member of groups: admins
  ipauniqueid: 5be84044-d408-11e0-b9ce-5254008a96bf
  krbextradata: AAIf6NROYWRtaW5AVEVTVFJFTE0A, AAgBAA==
  krblastfailedauth: 20111202152839Z
  krblastpwdchange: 20111129141143Z
  krblastsuccessfulauth: 20111202152513Z
  krbloginfailedcount: 1   <==================================================
  krbpasswordexpiration: 20120227141143Z


haven't tried with locked out user .. but suspect it will show up.  at least with the UI ....
Comment 3 Jenny Severance 2011-12-02 15:31:49 UTC 
at least with the CLI ... not UI ...
Comment 4 Rob Crittenden 2011-12-02 16:20:24 UTC 
krbloginfailedcount is not replicated so it isn't a reliable to display status.
Comment 5 Dmitri Pal 2011-12-05 17:16:57 UTC 
I think we need to do a better job here.
For example we can have a CLI/UI that will show the status of the user lockout on the server the UI/CLI is connected to but have a special flag/button to query other servers. Since pinging ALL other servers might be a costly operation it should be done only when administrator consciously requests it.
Comment 6 Dmitri Pal 2011-12-05 17:17:38 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2162
Comment 7 Martin Kosek 2012-03-02 15:30:44 UTC 
We have a new CLI command "user-status".

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/d5c9f7bcaa257571fa9f4092876864df86876fd3
ipa-2-2: https://fedorahosted.org/freeipa/changeset/418cf117002cc44f475ebe9cbb946b9f7abb89f7
Comment 9 Jenny Severance 2012-04-18 16:41:53 UTC 
This fix is incomplete.  

Failed attempts are returned by showing the user with --all flag in the CLI and the "new" CLI user-status

# ipa user-status jennys
  Server: dhcp-185-247.testrelm.com
  Failed logins: 6
  Last successful authentication: 2012-04-18T15:46:40Z
  Last failed authentication: 2012-04-18T16:33:48Z
----------------------------
Number of entries returned 1
----------------------------


However lockout status is not ... this user is locked but you would not know that and it is not available anywhere.  Not in the User details in the WebUI, not from the User CLI user-show nor with the "new" user-status CLI.

I would expect the user-status CLI to display where or not the user was enable or disable and where or not the user was locked out or not.

version:
ipa-server-2.2.0-9.el6.x86_64
Comment 10 Rob Crittenden 2012-04-18 19:41:15 UTC 
The KDC is the final arbiter of this and it computes this on the fly and doesn't store the result. We could try to duplicate that behavior but it is prone to error. Rather I display the same information it uses and leave it to the user to interpret it.

We can't add this to user-show because a user may be locked in one KDC and not another. This data is not replicated.
Comment 12 Martin Kosek 2012-04-19 13:03:27 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When failed login attempts are more than maximum specified, the account is locked. However, an investigation of a lock out status of a particular user is difficult as the number of failed login attempts is not replicated.
Consequence: PA administrator would need to get failed login attempt counts from all installed replicas to find out the user lock out status.
Change: IPA provides a new CLI command "ipa user-status" which can provide number of failed login attempts on all configured IPA replicas along with a time of the last successful or failed authentication attempt.
Result: Administrator can now much easier get overall status of particular lock status.
Comment 13 Martin Kosek 2012-04-23 08:26:31 UTC 
The change that was requested by QE was fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/d7f7bb11dfa62fbafbe3e0e321e32bad8da2ecf4
ipa-2-2: https://fedorahosted.org/freeipa/changeset/dbc7afcef5a73e86dab0450ca92abda622266df8
Comment 14 Jenny Severance 2012-04-25 12:27:19 UTC 
verified :: 
# ipa user-status jennys
-----------------------
Account disabled: False
-----------------------
  Server: dhcp-185-247.testrelm.com
  Failed logins: 6
  Last successful authentication: 2012-04-18T18:44:30Z
  Last failed authentication: 2012-04-25T12:25:50Z
  Time now: 2012-04-25T12:26:17Z
----------------------------
Number of entries returned 1
----------------------------

version ::

ipa-server-2.2.0-11.el6.x86_64
Comment 17 errata-xmlrpc 2012-06-20 13:18:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
Note You need to log in before you can comment on or make changes to this bug.