Bug 824488 - Add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary
Summary: Add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 6.4
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 886216
Reported: 2012-05-23 15:13 UTC by Dmitri Pal
Modified: 2013-02-21 09:13 UTC (History)
CC List: 6 users

Fixed In Version: ipa-3.0.0-11.el6
Doc Type: Bug Fix
Doc Text:
Cause: The Identity Management Kerberos data back-end did not support any option to control the automatic user log-on attributes (last failed or successful authentication), which are updated with every authentication. Consequence: Administrators with large deployments and a very high number of authentication events in their Identity Management realm could not disable these automatic updates to avoid a high number of Directory Server modification events, and thus many replication events, which may degrade performance. Fix: The Identity Management Kerberos data back-end now allows the administrator either to disable writing the timestamp of the last successful user authentication or to completely disable writing back all lockout-related data. The latter means lockout policies would stop working. Both options are available in the Identity Management configuration plugin CLI or Web UI. Result: Administrators can use these options to customize the automatic Kerberos authentication attribute update behavior.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:13:20 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHSA-2013:0528 (priority normal, status SHIPPED_LIVE): "Low: ipa security, bug fix and enhancement update", last updated 2013-02-21 08:22:21 UTC

Description Dmitri Pal 2012-05-23 15:13:07 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2734

Per Simo
add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary

Comment 1 Rob Crittenden 2012-06-07 19:33:18 UTC
Fixed upstream.

ipa-2-2: 97e362681ff9c81d76b6b015467309f90e301bce

master: f602ad270d06a0dd7f53c4aa6904d27daa07d4ae

UI component for master only.

master: 1fcbad4bcb6c3a98dc102c55bc17783ef7baff34

The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)

The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

Comment 2 Jenny Severance 2012-06-07 20:24:26 UTC
Please add information about how to disable and enable these and how to verify if they are enabled/disabled.

Comment 3 Rob Crittenden 2012-06-07 21:31:31 UTC
These are set in the IPA configuration:

ipa config-mod --ipaconfigstring="KDC:Disable Last Success"

Disable Last Success causes the server to not write out krblastsuccessfulauth

Disable Lockout disables lockout completely, so it doesn't update any of the lockout attributes: krblastsuccessfulauth, krbloginfailedcount and krblastfailedauth

Comment 9 Rob Crittenden 2012-10-26 14:12:57 UTC
Did your kinit to usertest fail?

This same test is working for me, though I only restart krb5kdc.

[root@pacer conf.d]# kinit tuser1

[root@pacer conf.d]# ipa user-show --all tuser1|grep krblastsuccessfulauth
  krblastsuccessfulauth: 20121026140947Z

[root@pacer conf.d]# kinit admin

[root@pacer conf.d]# ipa config-mod --ipaconfigstring="KDC:Disable Last Success"

[root@pacer conf.d]# service krb5kdc restart

[root@pacer conf.d]# kinit tuser1

[root@pacer conf.d]# ipa user-show --all tuser1|grep krblastsuccessfulauth
  krblastsuccessfulauth: 20121026140947Z

Comment 11 Rob Crittenden 2012-11-27 20:55:47 UTC
I think I've found the culprit. The lockout plugin can also add the krblastsuccessfulauth attribute.

I was able to reproduce the problem, then I stopped dirsrv, disabled the ipa_lockout plugin, restarted and was not able to reproduce it any more.

Comment 12 Scott Poore 2012-11-28 17:45:32 UTC
I saw similar. krblastsuccessfulauth was being updated until I disabled lockout, restarted krb5kdc, disabled last success, and restarted krb5kdc. Then it stopped updating the timestamp.

I'm assuming this isn't expected?

Comment 13 Rob Crittenden 2012-11-28 17:50:49 UTC
Right, we need to make changes to the ipa_lockout plugin to honor these settings as well.

Comment 15 Rob Crittenden 2012-12-05 15:42:26 UTC
Fixed upstream. The 389-ds ipa_lockout plugin now honors these two configuration options as well.

master: 146da1b3269659cc92a444f85608820e044f8796

ipa-3-0: a149f01ab5babded6bf2a67c97142c1d82f7354f

Comment 17 Scott Poore 2012-12-11 19:45:32 UTC
Verified.

Version ::

ipa-server-3.0.0-11.el6.x86_64
389-ds-base-1.2.11.15-6.el6.x86_64

Manual Test Results ::

########## setup

[root@rhel6-2 ~]# ipa user-add bz824488 --first=f --last=l --password
Password:
Enter Password again to verify:
---------------------
Added user "bz824488"
---------------------
  User login: bz824488
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz824488
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz824488
  Email address: bz824488
  UID: 1685400004
  GID: 1685400004
  Password: True
  Kerberos keys available: True

[root@rhel6-2 ~]# kinit bz824488
Password for bz824488:
Password expired.  You must change it now.
Enter new password:
Enter it again:

########## disable_last_success

# First just check timestamp for krblastsuccessfulauth:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211184948Z

# Next change config

[root@rhel6-2 ~]# kinit admin
Password for admin:

[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring="KDC:Disable Last Success"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  Password plugin features: KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-2 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

# Test that kinit login no longer updates krblastsuccessfulauth timestamp:

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:

[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z


########## disable_lockout

# First I confirmed that lockout was working:

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
kinit: Clients credentials have been revoked while getting initial credentials

# Then I unlocked the account:

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:

[root@rhel6-2 ~]# ipa user-unlock bz824488
---------------------------
Unlocked account "bz824488"
---------------------------

[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488:

# Then changed config

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin:

[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring="KDC:Disable Lockout"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  Password plugin features: KDC:Disable Lockout
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-2 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

# Test that it's no longer locking out user:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastfailedauth: 20121211191056Z
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastfailedauth: 20121211191056Z
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488:
kinit: Password incorrect while getting initial credentials

# Then put configstring back to nothing:

[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring=""
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-2 ~]#
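As an added audit helper (not part of this bug report or of FreeIPA), the Python script below applies the rules from Comment 3 to the `ipa config-show` / `ipa user-show --all` output captured in Comment 17, reporting any authentication attribute that still changed although its flag is set, which is the ipa_lockout symptom from Comment 11. It assumes that multiple ipaconfigstring values are printed comma-separated on the "Password plugin features" line; the snapshots embedded at the bottom are constructed.

```python
"""Audit helper for the 'KDC:Disable Last Success' / 'KDC:Disable Lockout' flags.
Added example, not part of this bug report or of FreeIPA; it parses the 'Key: value'
output of `ipa config-show` and `ipa user-show --all` (see Comment 17) and reports
auth attributes that still changed although the config says they must not."""
import re

# Attributes each flag is expected to freeze, per Comment 3.
LAST_SUCCESS_ATTRS = {"krblastsuccessfulauth"}
LOCKOUT_ATTRS = {"krblastsuccessfulauth", "krbloginfailedcount", "krblastfailedauth"}

def parse_ipa_output(text):
    """'  Key: value' lines -> dict with lower-cased keys. Only the first ':'
    splits key from value, so 'KDC:Disable Lockout' survives as a value."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*)$", line)
        if m:
            attrs[m.group(1).strip().lower()] = m.group(2).strip()
    return attrs

def enabled_flags(config_text):
    """Values of the 'Password plugin features' line of `ipa config-show`.
    Assumption: multiple ipaconfigstring values are printed comma-separated."""
    raw = parse_ipa_output(config_text).get("password plugin features", "")
    return {f.strip() for f in raw.split(",") if f.strip()}

def frozen_attrs(config_text):
    """Auth attributes that must not change between authentication events."""
    flags, frozen = enabled_flags(config_text), set()
    if "KDC:Disable Last Success" in flags:
        frozen |= LAST_SUCCESS_ATTRS
    if "KDC:Disable Lockout" in flags:   # lockout policy is no longer enforced
        frozen |= LOCKOUT_ATTRS
    return frozen

def audit(config_text, before_text, after_text):
    """Compare two `ipa user-show --all` snapshots taken around a kinit attempt.
    Returns the frozen attributes that moved anyway; an empty set means the KDC
    and the 389-ds ipa_lockout plugin both honour the configuration."""
    before, after = parse_ipa_output(before_text), parse_ipa_output(after_text)
    return {a for a in frozen_attrs(config_text) if before.get(a) != after.get(a)}

# Constructed snapshots modelled on the transcript above.
CONFIG = "  Search size limit: 100\n  Password plugin features: KDC:Disable Last Success\n"
BEFORE = "  krblastsuccessfulauth: 20121211185055Z\n"
AFTER_OK = BEFORE
AFTER_STILL_UPDATING = "  krblastsuccessfulauth: 20121211190000Z\n"  # Comment 11 symptom

if __name__ == "__main__":
    print("violations (fixed build):", audit(CONFIG, BEFORE, AFTER_OK))
    print("violations (old build):  ", audit(CONFIG, BEFORE, AFTER_STILL_UPDATING))
```

Run it against real snapshots by pasting the two `ipa user-show --all` outputs taken before and after a kinit; a non-empty result reproduces the state Comment 11 describes.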

Comment 19 errata-xmlrpc 2013-02-21 09:13:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

