Description of problem:

It appears that the failure counter stops working and max failures are never getting reached and user therefore never gets locked out.

The following test is setting the global password policy max failures to "3".

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Max Failures reached and users credentials revoked
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ PASS ] :: Setting maxfail to value of [3]
:: [ PASS ] :: Max failures correct [3]
:: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [ PASS ] :: Kinit as user with invalid password. Attempt [1]
:: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [ PASS ] :: Kinit as user with invalid password. Attempt [2]
:: [ LOG ] :: ERROR: kinit as user1 with password BADPWD failed.
:: [ PASS ] :: Kinit as user with invalid password. Attempt [3]
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ FAIL ] :: User's failed counter is NOT as expected. Got: [1] Expected: [3]
:: [ LOG ] :: kinit as user1 with password Secret123 was successful.
:: [ FAIL ] :: Kinit as user with valid password. Max failures reached (Expected 1, got 0)
:: [ FAIL ] :: File '/tmp/kinitrevoked.txt' should contain 'Clients credentials have been revoked while getting initial credentials'
:: [ LOG ] :: Duration: 18s
:: [ LOG ] :: Assertions: 7 good, 3 bad
:: [ FAIL ] :: RESULT: Max Failures reached and users credentials revoked

The following test is setting the group policy for which the user is a member max failures to "3"

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Group Failures Policy Enforcement - Lock Out
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ERROR: kinit as grpuser with password BADPWD failed.
:: [ PASS ] :: Kinit as group policy user with invalid password
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ PASS ] :: User's failed counter is as expected: [1]
:: [ LOG ] :: ERROR: kinit as grpuser with password BADPWD failed.
:: [ PASS ] :: Kinit as group policy user with invalid password
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ PASS ] :: User's failed counter is as expected: [2]
:: [ LOG ] :: ERROR: kinit as grpuser with password BADPWD failed.
:: [ PASS ] :: Kinit as group policy user with invalid password
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ FAIL ] :: User's failed counter is NOT as expected. Got: [1] Expected: [3]
:: [ LOG ] :: kinit as grpuser with password Secret123 was successful.
:: [ FAIL ] :: Kinit as user with valid password. Max failures reached (Expected 1, got 0)
:: [ FAIL ] :: File '/tmp/kinitrevoked.txt' should contain 'Clients credentials have been revoked while getting initial credentials'
:: [ LOG ] :: Sleep for lock out duration
:: [ LOG ] :: kinit as grpuser with password Secret123 was successful.
:: [ PASS ] :: Lock out period over - kinit should be successful
:: [ LOG ] :: Duration: 53s
:: [ LOG ] :: Assertions: 9 good, 3 bad
:: [ FAIL ] :: RESULT: Group Failures Policy Enforcement - Lock Out

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-8.el6.x86_64

How reproducible:
consistent with 2.2.0-8

Steps to Reproduce:
1. see description
2.
3.

Actual results:

Expected results:

Additional info:

I'm not able to reproduce this. Can you provide more information on what the current password policy is?

Here is a better log of events ... showing the password policy settings

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Max Failures reached and users credentials revoked
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [11:49:31] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 3
Failure reset interval: 60
Lockout duration: 600
:: [ PASS ] :: Setting maxfail to value of [3]
:: [ PASS ] :: Max failures correct [3]
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1:
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [11:49:43] :: ERROR: kinit as user1 with password BADPWD failed.
:: [ PASS ] :: Kinit as user with invalid password. Attempt [1]
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1:
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [11:49:45] :: ERROR: kinit as user1 with password BADPWD failed.
:: [ PASS ] :: Kinit as user with invalid password. Attempt [2]
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1:
kinit: Password incorrect while getting initial credentials
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
:: [11:49:46] :: ERROR: kinit as user1 with password BADPWD failed.
:: [ PASS ] :: Kinit as user with invalid password. Attempt [3]
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [11:49:48] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ FAIL ] :: User's failed counter is NOT as expected. Got: [1] Expected: [3]
:: [ FAIL ] :: Kinit as user with valid password. Max failures reached (Expected 1, got 0)
:: [ FAIL ] :: File '/tmp/kinitrevoked.txt' should contain 'Clients credentials have been revoked while getting initial credentials'
'0a86d246-1002-4043-b102-5600ca6ad06d'
Max-Failures-reached-and-users-credentials-revoked result: FAIL

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2639
I believe this may be a timing issue with my tests and the timeouts. I am probably going to close this as not a bug ... but want to wait until I am sure.
This is due to interval timeouts before the test is complete. Fixing tests and closing as not a bug.
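
Added example, not part of the original report and not FreeIPA or MIT Kerberos code: a simplified model of how max failures, failure reset interval and lockout duration interact, showing how a test whose bad attempts are spaced further apart than the reset interval ends with a counter of 1 and no lockout. The reset-on-success and "0 means locked until unlocked" behaviours, the function names and the timestamps are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:  # defaults are the global_policy values shown in the log above
    max_failures: int = 3
    failure_reset_interval: int = 60  # seconds
    lockout_duration: int = 600       # seconds

@dataclass
class Account:
    failed_count: int = 0
    last_failed: Optional[int] = None

def is_locked(acct, pol, now):
    if pol.max_failures == 0 or acct.failed_count < pol.max_failures:
        return False
    if pol.lockout_duration == 0:      # assumed: 0 means locked until an admin unlocks
        return True
    return now < acct.last_failed + pol.lockout_duration

def attempt(acct, pol, now, password_ok):
    """Model one kinit; returns 'revoked', 'ok' or 'bad password'."""
    if is_locked(acct, pol, now):
        return "revoked"
    if password_ok:
        acct.failed_count = 0          # assumed: success clears the counter
        return "ok"
    # A failure arriving after the reset interval starts the count over.
    stale = (acct.last_failed is not None and pol.failure_reset_interval
             and now > acct.last_failed + pol.failure_reset_interval)
    if stale:
        acct.failed_count = 0
    acct.failed_count += 1
    acct.last_failed = now
    return "bad password"

def run_test(bad_times, pol=None):
    """Bad passwords at bad_times, then a good one a second later."""
    pol = pol or Policy()
    acct = Account()
    for t in bad_times:
        attempt(acct, pol, t, password_ok=False)
    counter = acct.failed_count
    return counter, attempt(acct, pol, bad_times[-1] + 1, password_ok=True)

if __name__ == "__main__":
    print(run_test([0, 2, 3]))      # constructed timestamps, in seconds
    print(run_test([0, 70, 140]))   # each gap exceeds the 60 s reset interval
```

A lockout test therefore needs all of its bad attempts, and the check of the counter, to fall inside one reset interval, and its "lockout over" check to wait out the full lockout duration.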