-
Title
Error: KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked. How to identify from client that a user account has been locked out ? -
Description
A user is having trouble authenticating to a Unix or Linux machine. How to identify from client that a user account has been locked out ?
Error: KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked
-
Cause
A user may be locked out of AD or the local operating system.
-
Resolution
Here are some outputs of troubleshooting commands that will indicate a locked out account in AD:
1) Running the following command verifies the user information against AD. It notifies you that "Client credentials have been revoked":
testhost:/ # /opt/quest/bin/vastool -u johndoe kinit -S host/Password for johndoe@testdomain.com: ERROR: Could not authenticate as johndoe.
VAS_ERR_KRB5: Failed to obtain credentials. Client: johndoe@YOURDOMAIN.COM, Service: krbtgt/TESTDOMAIN.COM@YOURDOMAIN.COM
Caused by:
KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked
2) In Active Directory Users and Computer right click the account and go to the Account tab
3) Running the following command verifies the system access to the cache. Output contains shadow password entry overridden with an OS-specific "locked account" password hash (*LK* for example).
# /opt/quest/bin/vastool nss getspnam johndoe
johndoe:*LK*:1003:1140:johndoe:/export/home/johndoe:/bin/ksh
# /opt/quest/bin/vastool nss getspnam johndoe
johndoe:!!:1003:1140:johndoe:/export/home/johndoe:/bin/ksh3) On AIX, if using LAM the operating system follows setting in etc/security/user file for loginretries setting.
# lsuser -a unsuccessful_login_count
To reset users:
chsec -f /etc/security/lastlog -s -a unsuccessful_login_count=0 -
Additional Information
The computer name may be sent to the event viewer notification instead of the username. However you can change this behavior with the add-netbios-addr vas.conf setting. Man page entry: add-netbios-addr =Default value: false By default, VAS does not add the machine's NETBIOS name to the kerberos tickets it sends to AD. This means in event logs, like Event 644 - account locked out, Windows does not display the Caller Machine Name. To enable this feature, change the value of this setting to 'true'. NOTE: The NETBIOS name length limit is 15 characters. If the machine's sAMAccountName is longer than 15 characters, it is truncated to that limit. WARNING: Enabling this option allows Windows Domain Controllers to enforce the userWorkstations attribute (using the 'Log On To' button) regardless of the VAS use-log-on-to setting. If a user's userWorkstations value is set, it must have the machine's NETBIOS name in that field for the DC to allow password-based login. [libvas] add-netbios-addr = false