Bug 824488 - Add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary
Add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
6.3
Unspecified Unspecified
medium Severity unspecified
: rc
: 6.4
Assigned To: Rob Crittenden
Namita Soman
:
Depends On:
Blocks: 886216
  Show dependency treegraph
 
Reported: 2012-05-23 11:13 EDT by Dmitri Pal
Modified: 2013-02-21 04:13 EST (History)
6 users (show)

See Also:
Fixed In Version: ipa-3.0.0-11.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management Kerberos data back-end did not support any option to control automatic user log on attributes (last failed or successful authentication) which are updated with every authentication. Consequence: Administrators with large deployments and a very high number of authentication events in their Identity Management realm cannot disable these automatic updates to avoid high number Directory Server modification events and thus many replication events which may degrade performance. Fix: Identity Management Kerberos data back-end allows Administrator to either disable writing a timestamp of last successful user authentication or to disable completely writing back all lockout related data. This means lockout policies would stop working. Both options are available in Identity Management configuration plugin CLI or Web UI. Result: Administrator can use these options to customize automatic Kerberos authentication attribute update behavior.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:13:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitri Pal 2012-05-23 11:13:07 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2734

Per Simo
add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary
Comment 1 Rob Crittenden 2012-06-07 15:33:18 EDT
fixed upstream.

ipa-2-2: 97e362681ff9c81d76b6b015467309f90e301bce

master: f602ad270d06a0dd7f53c4aa6904d27daa07d4ae

UI component for master only.

master: 1fcbad4bcb6c3a98dc102c55bc17783ef7baff34

The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)

The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
Comment 2 Jenny Galipeau 2012-06-07 16:24:26 EDT
Please add information about how to disable and enable these and how to verify if they are enabled/disabled.
Comment 3 Rob Crittenden 2012-06-07 17:31:31 EDT
These are set in the IPA configuration:

ipa config-mod --ipaconfigstring="KDC:Disable Last Success"

Disable Last Success causes the server to not write out krblastsuccessfulauth

Disable Lockout disables lockout completely so doesn't update any of the lockout attributes:   krblastsuccessfulauth, krbloginfailedcount and krblastfailedauth
Comment 9 Rob Crittenden 2012-10-26 10:12:57 EDT
Did your kinit to usertest fail?

This same test is working for me, though I only restart krb5kdc.

[root@pacer conf.d]# kinit tuser1

[root@pacer conf.d]# ipa user-show --all tuser1|grep krblastsuccessfulauth
  krblastsuccessfulauth: 20121026140947Z

[root@pacer conf.d]# kinit admin

[root@pacer conf.d]# ipa config-mod --ipaconfigstring="KDC:Disable Last Success"

[root@pacer conf.d]# service krb5kdc restart

[root@pacer conf.d]# kinit tuser1

[root@pacer conf.d]# ipa user-show --all tuser1|grep krblastsuccessfulauth
  krblastsuccessfulauth: 20121026140947Z
Comment 11 Rob Crittenden 2012-11-27 15:55:47 EST
I think I've found the culprit. The lockout plugin can also add the krblastsuccessfulauth attribute.

I was able to reproduce the problem, then I stopped dirsrv, disabled the ipa_lockout plugin, restarted and was not able to reproduce it any more.
Comment 12 Scott Poore 2012-11-28 12:45:32 EST
I saw similar.  krblastsuccessfulauth was being updated until I disabled lockout, restart krb5kdc, disabled last success, restart krb5kdc. Then it stopped updating the timestamp.  

I'm assuming this isn't expected?
Comment 13 Rob Crittenden 2012-11-28 12:50:49 EST
Right, we need to make changes to the ipa_lockout plugin to honor these settings as well.
Comment 15 Rob Crittenden 2012-12-05 10:42:26 EST
Fixed upstream. The 389-ds ipa_lockout plugin now honors these two configuration options as well.

master: 146da1b3269659cc92a444f85608820e044f8796

ipa-3-0: a149f01ab5babded6bf2a67c97142c1d82f7354f
Comment 17 Scott Poore 2012-12-11 14:45:32 EST
Verified.

Version ::

ipa-server-3.0.0-11.el6.x86_64
389-ds-base-1.2.11.15-6.el6.x86_64

Manual Test Results ::

########## setup

[root@rhel6-2 ~]# ipa user-add bz824488 --first=f --last=l --password
Password:
Enter Password again to verify:
---------------------
Added user "bz824488"
---------------------
  User login: bz824488
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz824488
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM
  Email address: bz824488@testrelm2.com">bz824488@testrelm2.com
  UID: 1685400004
  GID: 1685400004
  Password: True
  Kerberos keys available: True

[root@rhel6-2 ~]# kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:

########## disable_last_success

# First just check timestamp for krblastsuccessfulauth:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211184948Z

# Next change config

[root@rhel6-2 ~]# kinit admin
Password for admin@TESTRELM2.COM:

[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring="KDCisable Last Success"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  Password plugin features: KDCisable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-2 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

# Test that kinit login no longer updates krblastsuccessfulauth timestamp:

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM2.COM:

[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM2.COM:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastsuccessfulauth: 20121211185055Z


########## disable_lockout

# First I confirmed that lockout was working:

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
kinit: Clients credentials have been revoked while getting initial credentials

# Then I unlocked the account:

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM2.COM:

[root@rhel6-2 ~]# ipa user-unlock bz824488
---------------------------
Unlocked account "bz824488"
---------------------------

[root@rhel6-2 ~]# echo $ADMINPW|kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:

# Then changed config

[root@rhel6-2 ~]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM2.COM:

[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring="KDCisable Lockout"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  Password plugin features: KDCisable Lockout
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-2 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM2-COM...                                       [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

# Test that it's no longer locking out user:

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastfailedauth: 20121211191056Z
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# ipa user-show --all bz824488 | grep -i auth
  krblastfailedauth: 20121211191056Z
  krblastsuccessfulauth: 20121211185055Z

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

[root@rhel6-2 ~]# echo BADPASSWORD | kinit bz824488
Password for bz824488@TESTRELM2.COM">bz824488@TESTRELM2.COM:
kinit: Password incorrect while getting initial credentials

# Then put configstring back to nothing:

[root@rhel6-2 ~]# ipa config-mod --ipaconfigstring=""
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm2.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM2.COM
  Password Expiration Notification (days): 4
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-2 ~]#
Comment 19 errata-xmlrpc 2013-02-21 04:13:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Note You need to log in before you can comment on or make changes to this bug.