A user is having trouble authenticating to a Unix or Linux machine. How to identify from client that a user account has been locked out ?
Error: KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked
A user may be locked out of AD or the local operating system.
Here are some outputs of troubleshooting commands that will indicate a locked out account in AD:
1) Running the following command verifies the user information against AD. It notifies you that "Client credentials have been revoked":
testhost:/ # /opt/quest/bin/vastool -u johndoe kinit -S host/
Password for johndoe@testdomain.com: ERROR: Could not authenticate as johndoe.
VAS_ERR_KRB5: Failed to obtain credentials. Client: johndoe@YOURDOMAIN.COM, Service: krbtgt/TESTDOMAIN.COM@YOURDOMAIN.COM
Caused by:
KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked
2) In Active Directory Users and Computer right click the account and go to the Account tab
3) Running the following command verifies the system access to the cache. Output contains shadow password entry overridden with an OS-specific "locked account" password hash (*LK* for example).
# /opt/quest/bin/vastool nss getspnam johndoe
johndoe:*LK*:1003:1140:johndoe:/export/home/johndoe:/bin/ksh
# /opt/quest/bin/vastool nss getspnam johndoe
johndoe:!!:1003:1140:johndoe:/export/home/johndoe:/bin/ksh
3) On AIX, if using LAM the operating system follows setting in etc/security/user file for loginretries setting.
# lsuser -a unsuccessful_login_count
To reset users:
chsec -f /etc/security/lastlog -s -a unsuccessful_login_count=0
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center