
KB-6882: User Fails su to an Active Directory Account on AIX. Error Appears: "There have been too many unsuccessful login attempts"

Centrify DirectControl

11 March,17 at 01:18 AM

Applies to: Centrify DirectControl 5.X on all supported versions of AIX

Problem:
An account is unlocked in Active Directory, but when that account is used to log in via ssh or su on an AIX machine, the following error appears:
# su - <user>
3004-303 There have been too many unsuccessful login attempts

With debug logging enabled, centrifydc.log shows entries similar to the following. adclient reads both the loginretries and unsuccessful_login_count attributes for the user; here the count has already reached 4:
Aug 31 09:05:44 vAIX71-1 auth|security:debug adclient[14090264]: DEBUG <fd:16 su(19988594)> attribute[6] = "loginretries"
Aug 31 09:05:44 vAIX71-1 auth|security:debug adclient[14090264]: DEBUG <fd:16 su(19988594)> attribute[7] = "unsuccessful_login_count"
....
Aug 31 09:05:44 vAIX71-1 auth|security:debug adclient[14090264]: DEBUG <fd:16 su(19988594)> value    [6] = client default
Aug 31 09:05:44 vAIX71-1 auth|security:debug adclient[14090264]: DEBUG <fd:16 su(19988594)> value    [7] = 4


Cause:
AIX keeps its own set of per-user attributes outside of Active Directory, even for users that exist only in AD. One of these attributes is unsuccessful_login_count, which is stored in /etc/security/lastlog.

Each time a user mistypes a password (via su or ssh), AIX increments this attribute. Once the count reaches the threshold defined by the loginretries attribute in /etc/security/user, AIX denies the login even though adclient has authenticated the user and granted access. The denial is based solely on the unsuccessful_login_count attribute, so unlocking the account in Active Directory does not clear it.

A successful login resets the value to 0, but AIX does not count su or an ssh session as a "login" for this purpose: only the login and rlogin processes reset the attribute. This behaviour can be changed so that a successful su also resets the count, but only at the expense of disabling login and rlogin for the user (see Option 3 below), which disables login at the console.


Workaround:
Reset the counter for the affected user by running the following command as root:
# chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s <user>


Resolution:
There are several approaches to managing unsuccessful_login_count for AD users:

Option 1) Disable the AIX counter and let Active Directory manage account lockout. To disable it, set this value in /etc/security/user:
loginretries = 0
The disadvantage of this option is that it also gives local users unlimited password retries, which makes brute-force password attacks easier.

Option 2) Periodically run the command:
# chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s <user>
This can be done from a scheduled cron job.
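As an added example (not Centrify's or IBM's own tooling), the following POSIX shell script implements a more targeted version of Option 2 for a cron job, and also serves as a checked form of the Workaround above. Instead of zeroing the counter for every user on a schedule, it parses the AIX stanza files, works out each user's effective loginretries (the user's own stanza in /etc/security/user first, then the default stanza), and resets only the users whose unsuccessful_login_count has reached that threshold. If Centrify's adquery is present it further restricts the reset to accounts adquery recognises as AD users. The file paths, the sample stanza contents, the user names, and the assumption that "adquery user NAME" exits non-zero for a user that is not an AD user are all assumptions made for this example; on a host without chsec the script prints the command it would have run instead of executing it.

```shell
#!/bin/sh
# Added example, not Centrify's or IBM's own code: a targeted form of Option 2
# for cron. It parses the AIX stanza files and resets unsuccessful_login_count
# only for users who have reached their effective loginretries threshold.
# File paths, sample data and user names below are assumptions.

LASTLOG=${LASTLOG:-/etc/security/lastlog}
USERFILE=${USERFILE:-/etc/security/user}

# stanza_value FILE STANZA ATTR: value of ATTR under the "STANZA:" header of an
# AIX stanza file (indented "attr = value" lines); prints nothing if absent.
stanza_value() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == want && (n = index($0, "=")) > 0 {
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k == attr) {
                v = substr($0, n + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# All stanza (user) names in the lastlog file, in file order.
lastlog_users() {
    awk '/^[^ \t#][^:]*:[ \t]*$/ { sub(/:[ \t]*$/, ""); print }' "$LASTLOG"
}

# Effective loginretries: the user's own stanza wins, then default, then 0.
effective_loginretries() {
    v=$(stanza_value "$USERFILE" "$1" loginretries)
    [ -n "$v" ] || v=$(stanza_value "$USERFILE" default loginretries)
    echo "${v:-0}"
}

# Current unsuccessful_login_count (0 when the user has no lastlog entry).
unsuccessful_count() {
    v=$(stanza_value "$LASTLOG" "$1" unsuccessful_login_count)
    echo "${v:-0}"
}

# Users AIX would now reject with 3004-303: count has reached a non-zero
# loginretries. loginretries = 0 (Option 1) means unlimited, never reported.
locked_users() {
    for u in $(lastlog_users); do
        max=$(effective_loginretries "$u"); cnt=$(unsuccessful_count "$u")
        if [ "$max" -gt 0 ] && [ "$cnt" -ge "$max" ]; then echo "$u"; fi
    done
}

# Reset one counter with chsec, exactly as the article's workaround does.
# Where chsec is absent (any non-AIX host) only print what would run.
reset_count() {
    if command -v chsec >/dev/null 2>&1; then
        chsec -f "$LASTLOG" -a "unsuccessful_login_count=0" -s "$1"
    else
        echo "would run: chsec -f $LASTLOG -a unsuccessful_login_count=0 -s $1"
    fi
}

# Reset every locked user. When Centrify's adquery is present, skip accounts it
# does not know (assumption: 'adquery user NAME' exits non-zero for non-AD
# users), so local accounts keep their AIX lockout.
reset_locked_ad_users() {
    for u in $(locked_users); do
        if command -v adquery >/dev/null 2>&1 && ! adquery user "$u" >/dev/null 2>&1; then
            continue
        fi
        reset_count "$u"
    done
}

# write_samples DIR: constructed sample files (not real data) for a dry run.
write_samples() {
    cat > "$1/user" <<'EOF'
default:
        loginretries = 5
svc_backup:
        loginretries = 3
EOF
    cat > "$1/lastlog" <<'EOF'
root:
        unsuccessful_login_count = 0
jdoe:
        unsuccessful_login_count = 5
svc_backup:
        unsuccessful_login_count = 3
asmith:
        unsuccessful_login_count = 2
EOF
}

case "${1:-}" in
    --demo)  d=$(mktemp -d); write_samples "$d"
             LASTLOG=$d/lastlog; USERFILE=$d/user; reset_locked_ad_users ;;
    --apply) reset_locked_ad_users ;;
esac
```

Run it with --demo on any host to see the dry run against the constructed sample files (jdoe and svc_backup are reported, root and asmith are not), and with --apply as root from cron on the AIX host. Before and after a reset you can confirm a single user's value with the standard AIX command lssec -f /etc/security/lastlog -s <user> -a unsuccessful_login_count, which should agree with the attribute[7] value adclient logs.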


Option 3) Set the following values in /etc/security/user, either in the default stanza or in the stanza for the specific user:
login = false
rlogin = false

With these set, a successful su resets unsuccessful_login_count to 0. The disadvantages of this option are a) every AD account must be managed individually, or else the change is made globally in the default stanza, and b) it disables login at the console.


Option 4) Increase the number of unsuccessful attempts allowed before access is denied.
The threshold is defined by the loginretries attribute in /etc/security/user. For example, to set the threshold to 10 attempts:
loginretries = 10

The threshold will still be reached from time to time and require a manual reset, but less frequently.