Bug 971087 - [RFE] Replicate failed login attribute (krbLoginFailedCount)
Summary: [RFE] Replicate failed login attribute (krbLoginFailedCount)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 1137024 1523066
Depends On:
Blocks: 1203710 1420851
Reported: 2013-06-05 16:05 UTC by Jesse Triplett
Modified: 2023-12-15 15:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-09 12:36:24 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                            ID            Private  Priority  Status  Summary  Last Updated
FedoraHosted FreeIPA              3863          0        None      None    None     2017-12-10 22:20:54 UTC
FedoraHosted FreeIPA              4302          0        None      None    None     2017-12-10 22:22:42 UTC
Red Hat Issue Tracker             FREEIPA-9507  0        None      None    None     2023-03-01 05:14:49 UTC
Red Hat Knowledge Base (Article)  3327351       0        None      None    None     2020-06-08 15:34:57 UTC

Description Jesse Triplett 2013-06-05 16:05:22 UTC
1. Proposed title of this feature request
IPA Failed Login Replication

2. Who is the customer behind the request? Northrup Grumman
Account: name (acct #)1267526

3. What is the nature and description of the request?
Failed login attempts need to be replicated throughout the environment such that a user that has used all their failed logins gets locked out of the environment instead of just the one IPA server that the failed logins were on.

4. Why do you need this? (List the business requirements here)
This is a big security issue and a government requirement.

5. How would you like to achieve this? (List the functional requirements here)
No special requirements. It just needs to be replicated throughout all IPA servers.

6. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.
NA

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

8. Do you have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
No specific timeline, but quicker is better.

9. Is the sales team involved in this request and do they have any additional input?
no

10. List any affected packages or components.
IPA

11. Would you be able to assist in testing this functionality if implemented?
Yes - as much as possible within and possibly outside of a classified network.

Comment 2 Martin Kosek 2013-06-06 07:45:54 UTC
Simo/Rob - was there any specific decision made in the past that led us to avoid replicating failed logins?

This is BTW the list of our currently non-replicated attrs:
# meTovm-119.idm.lab.bos.redhat.com, replica, dc\3Didm\2Cdc\3Dlab\2Cdc\3Dbos\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
dn: cn=meTovm-119.idm.lab.bos.redhat.com,cn=replica,cn=dc\3Didm\2Cdc\3Dlab\2Cdc\3Dbos\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
...
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
...
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
...

Maybe we should allow users to leave "krblastsuccessfulauth krblastfailedauth krbloginfailedcount" out of the blacklist...

Comment 3 Rob Crittenden 2013-06-06 18:34:44 UTC
Every single authentication attempt, successful or not, would result in a replication event. Our feeling was that even on a small to moderately sized installation this would cause issues.

Comment 6 Martin Kosek 2013-06-07 06:22:43 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3700

Comment 10 Jesse Triplett 2013-07-31 17:00:16 UTC
Hello all, has there been any progress on this? What's the latest word?

Comment 11 Rich Megginson 2013-07-31 17:08:47 UTC
(In reply to Jesse Triplett from comment #10)
> Hello all, Has there been any progress on this?  What's the latest word?

Looks like a fix is targeted for RHEL 6.6

Comment 12 Martin Kosek 2013-08-01 07:02:38 UTC
Correct, the upstream ticket was filed and triaged, first designs were created. As Rich said, this Bugzilla is currently targeted for RHEL 6.6.

Comment 22 Eugene Keck 2014-09-04 14:17:49 UTC
*** Bug 1137024 has been marked as a duplicate of this bug. ***

Comment 23 Arpit Tolani 2016-01-13 23:27:01 UTC
Hello

Could you please let us know what the timeline is for this bug to be fixed?

Thank you.

Comment 24 Martin Kosek 2016-06-10 08:04:54 UTC
With Bug 1298848 being currently scheduled for RHEL-7.3, it should be possible to specify attributes that should or should not be replicated in different segments of the Topology.

Ludwig, can you please assess if this RFE can be satisfied with the current Topology feature as is or more work is needed? (which would mean the RFE is not provided in 7.3)

Comment 25 Ludwig 2016-06-10 08:22:02 UTC
The feature to specify different attrlist for different segments is there in the topology plugin, but it was there already before by directly modifying the replication agreements. 
What was missing and what is still missing is support from the cli or gui to change these settings or to specify a different default at server installation.

Comment 32 Steven Ellis 2017-12-10 22:24:37 UTC
As one of the replication dependencies has been resolved under
 - https://pagure.io/freeipa/issue/4302
is there any chance of some movement on resolving this issue as part of
 - https://pagure.io/freeipa/issue/3863

Comment 33 Florence Blanc-Renaud 2017-12-15 17:02:56 UTC
*** Bug 1523066 has been marked as a duplicate of this bug. ***

Comment 42 Petr Čech 2020-07-09 12:36:24 UTC
Thank you for taking the time to submit this request for Red Hat Enterprise Linux. Unfortunately, it was not given priority in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsider the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you.

Current Account Lockout policy in Identity-Management is described in https://access.redhat.com/articles/3327351.

Comment 44 Simo Sorce 2020-07-16 16:08:56 UTC
Brian,
as far as I know, auth attempts are also local to a Domain Controller in AD and not replicated.

Replication is not instantaneous anyway, so simply replicating the count wouldn't stop an attacker, because you can test simultaneously on multiple DCs before replication can take place.

The only way to do what they ask to the letter, would be to have a single authentication server (or have all servers synchronized via distributed locking, which would be even slower).

Back then, when I helped craft this solution, we came to the conclusion that no customer would ever use such a system, and that there was no other solution that could *honestly* claim to be following the letter of the requirement using our legacy protocols.

It may be possible to do something close to what is requested in a completely different architecture, but it is not something that will ever work in a useful way in IdM.
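Added example, not code from the bug report, its participants or FreeIPA: it unfolds an LDIF fragment shaped like the replication agreement quoted in comment 2, reports whether krbLoginFailedCount is excluded from replication, and models the guess budget that the replication-lag argument in comment 44 implies. The hostname, suffix, threshold and replica count are constructed placeholders.

```python
import re

# Constructed sample shaped like the replication agreement quoted in comment 2;
# the hostname and suffix are placeholders, not the bug's own values.
SAMPLE_LDIF = """\
dn: cn=meToreplica2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
"""

def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space extends the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def excluded_attrs(ldif_text, attr="nsDS5ReplicatedAttributeList"):
    """Lower-cased attribute names listed after '$ EXCLUDE' in the named fractional replication list."""
    for line in unfold_ldif(ldif_text):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            m = re.search(r"\$\s*EXCLUDE\s+(.*)$", value, re.IGNORECASE)
            return {a.lower() for a in m.group(1).split()} if m else set()
    return set()

def is_replicated(ldif_text, attribute):
    """True when the incremental agreement replicates the attribute, i.e. it is not excluded."""
    return attribute.lower() not in excluded_attrs(ldif_text)

def guess_budget(threshold, servers, counter_replicated, concurrent):
    """Upper bound on wrong passwords accepted before every replica enforces lockout.
    Independent per-replica counters (the default in comment 2): threshold per server.
    A replicated counter only helps once replication has converged; guesses spread
    across all replicas before that point (comment 44) still reach the same bound."""
    if not counter_replicated or concurrent:
        return threshold * servers
    return threshold

if __name__ == "__main__":
    print("krbloginfailedcount replicated:", is_replicated(SAMPLE_LDIF, "krbLoginFailedCount"))
    print("guesses before lockout on all 4 replicas at threshold 5:",
          guess_budget(5, 4, counter_replicated=False, concurrent=False))
```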

Comment 46 Sam Morris 2021-04-14 10:43:28 UTC
(In reply to Simo Sorce from comment #44)
> as far as I know auth attempts are also local to a Domain Controller in AD
> as well and not replicated.

According to https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961787(v=technet.10)?redirectedfrom=MSDN#urgent-replication-of-account-lockout-changes Active Directory has some special handling of failed authentication attempts. This is summarized at <https://serverfault.com/a/717251/101969>:

"as bad password attempts are prioritized and every bad password attempt is also retried at the PDC emulator, your account will be locked out [as soon as the bad-password-attempt threshold is reached] by any properly replicating domain controller."

Comment 47 Red Hat Bugzilla 2023-09-18 00:10:30 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

