Univention Bugzilla – Bug 19016
Faillog tests fail
Last modified: 2013-11-19 06:44:29 CET
Created attachment 2497: test.log
ucs-test 'Test faillog via ssh, smb, krb' fails on a UCS 2.4 master that was updated from UCS 2.3-2 (00_base/47faillog-ssh-smb-krb)
Please note Bug #18838 in this context.
Some of the tests are still failing. From Jenkins:

00_base/47faillog.Test faillog via ssh:
debug 2013-03-11 00:41:19 Locale is en_US.UTF-8:UTF-8
debug 2013-03-11 00:41:19 locale: LANG=en_US.UTF-8 LANGUAGE= LC_CTYPE="en_US.UTF-8" LC_NUMERIC="en_US.UTF-8" LC_TIME="en_US.UTF-8" LC_COLLATE="en_US.UTF-8" LC_MONETARY="en_US.UTF-8" LC_MESSAGES="en_US.UTF-8" LC_PAPER="en_US.UTF-8" LC_NAME="en_US.UTF-8" LC_ADDRESS="en_US.UTF-8" LC_TELEPHONE="en_US.UTF-8" LC_MEASUREMENT="en_US.UTF-8" LC_IDENTIFICATION="en_US.UTF-8" LC_ALL=
info 2013-03-11 00:41:19 create user pez6re6q
info 2013-03-11 00:41:19 Login with wrong password via ssh
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-11 00:41:47 E: The login wasn't successful, but faillog is disabled
error 2013-03-11 00:41:47 **************** Test failed above this line (110) ****************
info 2013-03-11 00:41:48 Login via ssh
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-11 00:41:55 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-11 00:41:55 Login with wrong password via ssh
[...]
00_base/47faillog-timed.Test timed faillog via ssh:
debug 2013-03-11 00:43:10 Locale is en_US.UTF-8:UTF-8
debug 2013-03-11 00:43:10 locale: LANG=en_US.UTF-8 LANGUAGE= LC_CTYPE="en_US.UTF-8" LC_NUMERIC="en_US.UTF-8" LC_TIME="en_US.UTF-8" LC_COLLATE="en_US.UTF-8" LC_MONETARY="en_US.UTF-8" LC_MESSAGES="en_US.UTF-8" LC_PAPER="en_US.UTF-8" LC_NAME="en_US.UTF-8" LC_ADDRESS="en_US.UTF-8" LC_TELEPHONE="en_US.UTF-8" LC_MEASUREMENT="en_US.UTF-8" LC_IDENTIFICATION="en_US.UTF-8" LC_ALL=
info 2013-03-11 00:43:10 create user fönqvnjw
info 2013-03-11 00:43:11 Lock after tally
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
info 2013-03-11 00:43:35 Wait for timeout 20
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-11 00:44:01 **************** Test failed above this line (ssh login wasn't successful) ****************
47faillog-timed: line 63: exit: ssh: numeric argument required
info 2013-03-11 00:44:01 remove user fönqvnjw
debug 2013-03-11 00:44:01 user fönqvnjw removed
info 2013-03-11 00:44:01 checking whether the user fönqvnjw is really removed
debug 2013-03-11 00:44:01 user fönqvnjw does not exist

I think there are different causes here that should be fixed:
- Login as a non-Domain Admin fails
- After creating a user with certain group memberships, /usr/lib/univention-pam/ldap-group-to-file.py should be called once; otherwise wait a little over 15 seconds
- When creating via create_user, the mail domain is not set, which is why creating the user sometimes fails
ucs-test (3.0.30-1) unstable; urgency=low
  * corrected certain faillog tests (Bug #19016)
svn 39542

If the tests (or other faillog tests) fail again, that should be handled further in this bug.
The tests are still failing in Jenkins. However, I am moving the bug on, since this should not block the release:

http://jenkins.knut.univention.de:8080/job/ucs-test_EC2-SingleMaster_64_RESULT/lastCompletedBuild/testReport/%28root%29/00_base_47faillog-timed/Test_timed_faillog_via_ssh/

Standard Error (STDERR)
debug 2013-03-15 00:45:27 Locale is en_US.UTF-8:UTF-8
debug 2013-03-15 00:45:27 locale: LANG=en_US.UTF-8 LANGUAGE= LC_CTYPE="en_US.UTF-8" LC_NUMERIC="en_US.UTF-8" LC_TIME="en_US.UTF-8" LC_COLLATE="en_US.UTF-8" LC_MONETARY="en_US.UTF-8" LC_MESSAGES="en_US.UTF-8" LC_PAPER="en_US.UTF-8" LC_NAME="en_US.UTF-8" LC_ADDRESS="en_US.UTF-8" LC_TELEPHONE="en_US.UTF-8" LC_MEASUREMENT="en_US.UTF-8" LC_IDENTIFICATION="en_US.UTF-8" LC_ALL=
info 2013-03-15 00:45:27 create user z93fxwön
info 2013-03-15 00:45:28 Lock after tally
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
info 2013-03-15 00:45:54 Wait for timeout 20
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:46:21 **************** Test failed above this line (ssh login wasn't successful) ****************
47faillog-timed: line 66: exit: ssh: numeric argument required
info 2013-03-15 00:46:21 remove user z93fxwön
debug 2013-03-15 00:46:21 user z93fxwön removed
info 2013-03-15 00:46:21 checking whether the user z93fxwön is really removed
debug 2013-03-15 00:46:21 user z93fxwön does not exist

http://jenkins.knut.univention.de:8080/job/ucs-test_EC2-SingleMaster_64_RESULT/lastCompletedBuild/testReport/%28root%29/00_base_47faillog/Test_faillog_via_ssh/

debug 2013-03-15 00:43:40 Locale is en_US.UTF-8:UTF-8
debug 2013-03-15 00:43:40 locale: LANG=en_US.UTF-8 LANGUAGE= LC_CTYPE="en_US.UTF-8" LC_NUMERIC="en_US.UTF-8" LC_TIME="en_US.UTF-8" LC_COLLATE="en_US.UTF-8" LC_MONETARY="en_US.UTF-8" LC_MESSAGES="en_US.UTF-8" LC_PAPER="en_US.UTF-8" LC_NAME="en_US.UTF-8" LC_ADDRESS="en_US.UTF-8" LC_TELEPHONE="en_US.UTF-8" LC_MEASUREMENT="en_US.UTF-8" LC_IDENTIFICATION="en_US.UTF-8" LC_ALL=
info 2013-03-15 00:43:40 create user eubgördd
info 2013-03-15 00:43:41 Login with wrong password via ssh
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:05 E: The login wasn't successful, but faillog is disabled
error 2013-03-15 00:44:05 **************** Test failed above this line (110) ****************
info 2013-03-15 00:44:05 Login via ssh
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:11 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-15 00:44:11 Login with wrong password via ssh
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:24 *** Check failed (110), but this might be caused by the error above ***
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
info 2013-03-15 00:44:31 Reset counter for eubgördd
info 2013-03-15 00:44:31 Normal ssh login
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:36 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-15 00:44:36 Login with wrong password
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:43 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-15 00:44:43 Reset counter with a success login
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:49 *** Check failed (110), but this might be caused by the error above ***
error 2013-03-15 00:44:49 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-15 00:44:49 Activate global lock and a diffrent limit
Account locked due to 10 failed logins
Account locked due to 11 failed logins
Account locked due to 12 failed logins
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Account locked due to 13 failed logins
Account locked due to 14 failed logins
Account locked due to 15 failed logins
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:52 *** Check failed (110), but this might be caused by the error above ***
Account locked due to 16 failed logins
Account locked due to 17 failed logins
Account locked due to 18 failed logins
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Account locked due to 19 failed logins
Account locked due to 20 failed logins
Account locked due to 21 failed logins
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Account locked due to 22 failed logins
Account locked due to 23 failed logins
Account locked due to 24 failed logins
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:45:03 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-15 00:45:03 remove user eubgördd
debug 2013-03-15 00:45:04 user eubgördd removed
info 2013-03-15 00:45:04 checking whether the user eubgördd is really removed
debug 2013-03-15 00:45:05 user eubgördd does not exist
W: The config registry variable 'auth/faillog/lock_global' does not exist
W: The config registry variable 'auth/faillog/lock_global' does not exist
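
The following is an added example, not part of the bug report or of ucs-test: a small triage script for logs in the format quoted above, separating the first real failure from the "might be caused by the error above" follow-ups and collecting side findings such as the non-numeric `exit` argument and the missing registry variable. The sample is an abridged selection of lines from the two Jenkins outputs above; the function and field names are chosen for this illustration.

```python
import re

# Abridged selection of lines from the two Jenkins outputs quoted above.
SAMPLE = """\
info 2013-03-15 00:43:41 Login with wrong password via ssh
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
error 2013-03-15 00:44:05 E: The login wasn't successful, but faillog is disabled
error 2013-03-15 00:44:05 **************** Test failed above this line (110) ****************
info 2013-03-15 00:44:05 Login via ssh
error 2013-03-15 00:44:11 *** Check failed (110), but this might be caused by the error above ***
info 2013-03-15 00:44:49 Activate global lock and a diffrent limit
Account locked due to 10 failed logins
Account locked due to 24 failed logins
error 2013-03-15 00:45:03 *** Check failed (110), but this might be caused by the error above ***
47faillog-timed: line 66: exit: ssh: numeric argument required
W: The config registry variable 'auth/faillog/lock_global' does not exist
"""

ENTRY = re.compile(r"^(debug|info|warning|error) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
ROOT = re.compile(r"^\*+ Test failed above this line \((.+)\) \*+$")
CASCADE = re.compile(r"^\*+ Check failed \((.+)\), but this might be caused")
LOCKED = re.compile(r"^Account locked due to (\d+) failed logins")
BAD_EXIT = re.compile(r"^(\S+): line (\d+): exit: .*numeric argument required$")
MISSING_UCR = re.compile(r"^W: The config registry variable '([^']+)' does not exist")

def triage(text):
    """Split a ucs-test log into root failures, cascaded checks and side findings."""
    out = {"root": [], "cascaded": 0, "max_tally": 0, "bad_exit": [], "missing_ucr": set()}
    step = None  # last "info" message, i.e. the test step that was running
    for raw in text.splitlines():
        # Drop stray U+FFFD replacement characters left behind at line ends.
        line = raw.strip().rstrip("\ufffd").strip()
        m = ENTRY.match(line)
        level, msg = (m.group(1), m.group(3)) if m else (None, line)
        if level == "info":
            step = msg
        elif level == "error" and (r := ROOT.match(msg)):
            out["root"].append((step, r.group(1)))      # first real failure of a test
        elif level == "error" and CASCADE.match(msg):
            out["cascaded"] += 1                        # follow-up, not a new cause
        elif (k := LOCKED.match(msg)):
            out["max_tally"] = max(out["max_tally"], int(k.group(1)))
        elif (b := BAD_EXIT.match(msg)):
            out["bad_exit"].append((b.group(1), int(b.group(2))))  # script bug, not auth
        elif (u := MISSING_UCR.match(msg)):
            out["missing_ucr"].add(u.group(1))
    return out
```
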
Only one of the faillog tests is still failing. The reason is that the tallying of kerberos and samba4 is not evaluated, which is why a user who should already be locked because of too many failed login attempts can still authenticate against the respective services. I have therefore disabled the test for ucs-3.2-0.

ucs-test (4.0.133-1) svn r44697

From the documentation: "Automatic locking of users after failed logins can be activated by setting the Univention Configuration Registry variable auth/faillog to yes. The upper limit of incorrect password entries at which an account lock is activated is configured in the Univention Configuration Registry variable auth/faillog/limit. After a correct password entry the counter is reset every time."

-> This does not mention with a single word that this mechanism is not supported for samba4 and kerberos, so this should be investigated: Bug #32796
OK: r44697,r39542
OK: ChangeLog
OK: 00_base/47fail* @ Jenkins Autotest
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".