On Wed, 11 Jul 2018, skrawczenko--- via FreeIPA-users wrote:
Unfortunately, I can't see anything suspicious in krb5kdc.log. Multiple hosts request a TGT in NEEDED_PREAUTH: host/<hostname> - ISSUE dialogs.
No errors and 'admin' is not encountered anywhere.
I'm having a concern that older machines could have been enrolled (ipa-client) with the admin user. Could you suggest where I can check this setting on the client machines and modify it if needed?
When a machine is enrolled as admin, the admin credentials are not stored anywhere. So that shouldn't be an issue.
However, if the admin account is still locked out, you have two sources for possible lockouts:
- the KDC locking out for invalid TGTs
- the LDAP servers locking out for invalid LDAP BIND requests.
As you are saying it is not the former, maybe it is the latter?
You can use
egrep '(BIND.*dn="|RESULT.*dn="|RESULT err=49)' /var/log/dirsrv/slapd-$INSTANCE/access
to pull out all authentication requests, successful or not, from the LDAP server access log. For successful requests the 'RESULT' entry will have 'dn="some-dn"', while for unsuccessful ones the BIND entries will have the actual DN value. Each entry has a 'conn=XYZ' property which shows the id of a connection performed by a client, and the first line with that conn=XYZ id will also have the IP address of the client.
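The correlation described above (BIND entry gives the DN, the matching RESULT gives err=49 for a failed bind, and the first line for that conn= id gives the client IP) can be automated. The following is an added example, not code from the original thread or from the FreeIPA project: it parses a small, constructed 389-ds access log embedded inline and reports which client IP is failing to bind as which DN. The log line shapes follow the 389-ds access log format; the IPs, DNs and domain are made up.

```python
import re
from collections import defaultdict

# Constructed sample of a 389-ds access log (not from a real server).
# conn=101 and conn=103 come from the same client and both fail to bind as admin;
# conn=102 is a successful simple bind by another user.
SAMPLE_LOG = """\
[11/Jul/2018:10:15:01 +0300] conn=101 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.2
[11/Jul/2018:10:15:01 +0300] conn=101 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[11/Jul/2018:10:15:01 +0300] conn=101 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[11/Jul/2018:10:15:02 +0300] conn=102 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.2
[11/Jul/2018:10:15:02 +0300] conn=102 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[11/Jul/2018:10:15:02 +0300] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test"
[11/Jul/2018:10:15:03 +0300] conn=103 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.2
[11/Jul/2018:10:15:03 +0300] conn=103 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[11/Jul/2018:10:15:03 +0300] conn=103 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
"""

CONN_RE = re.compile(r'conn=(\d+)')
OP_RE = re.compile(r'op=(\d+)')
FROM_RE = re.compile(r'connection from (\S+) to ')
BIND_RE = re.compile(r' BIND dn="([^"]*)"')
RESULT_RE = re.compile(r' RESULT err=(\d+)')

# LDAP result code 49 = invalidCredentials, 14 = saslBindInProgress
ERR_INVALID_CREDENTIALS = 49
ERR_SASL_IN_PROGRESS = 14


def parse_bind_results(log_text):
    """Return one dict per completed BIND: conn id, client IP, bind DN, result code."""
    conn_ip = {}      # conn id -> client IP, from the "connection from" line
    pending = {}      # (conn, op) -> DN of a BIND that has no RESULT yet
    events = []
    for line in log_text.splitlines():
        cm = CONN_RE.search(line)
        if not cm:
            continue
        conn = cm.group(1)
        fm = FROM_RE.search(line)
        if fm:
            conn_ip[conn] = fm.group(1)
            continue
        om = OP_RE.search(line)
        if not om:
            continue
        op = om.group(1)
        bm = BIND_RE.search(line)
        if bm:
            pending[(conn, op)] = bm.group(1)
            continue
        rm = RESULT_RE.search(line)
        if rm and (conn, op) in pending:
            err = int(rm.group(1))
            if err == ERR_SASL_IN_PROGRESS:
                continue  # multi-step SASL bind; the final RESULT is still to come
            events.append({
                "conn": conn,
                "ip": conn_ip.get(conn, "?"),
                "dn": pending.pop((conn, op)),
                "err": err,
            })
    return events


def failed_binds_by_source(events):
    """Count err=49 binds per (client IP, DN) so the lockout source stands out."""
    counts = defaultdict(int)
    for e in events:
        if e["err"] == ERR_INVALID_CREDENTIALS:
            counts[(e["ip"], e["dn"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, dn), n in failed_binds_by_source(parse_bind_results(SAMPLE_LOG)).items():
        print(f"{n} failed bind(s) as {dn} from {ip}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/dirsrv/slapd-$INSTANCE/access. A client that keeps showing up with err=49 for the admin DN is the one to look at for a stale credential or a misconfigured script.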