Bug 46978 - UMC without Samba/AD doesn't enforce a bad password lockout policy
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-1-errata
Assigned To: Jannik Ahlers
Arvid Requate
Depends on:
Reported: 2018-05-08 15:53 CEST by Arvid Requate
Modified: 2018-07-11 15:09 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.137
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018050721000094
Bug group (optional):
Max CVSS v3 score:

patch_umc_pam_template_to_use_pam_tally.sh (1.28 KB, application/x-shellscript)
2018-05-08 15:56 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2018-05-08 15:53:35 CEST
Ticket #2018050721000094 reported a case where the customer had no Samba/AD installed but wanted to configure a bad password lockout policy. After configuring auth/faillog=yes, auth/faillog/lock_global=yes and ppolicy, the UMC still did not track bad logon attempts.
Comment 1 Arvid Requate univentionstaff 2018-05-08 15:56:56 CEST
Created attachment 9524 [details]

The attached patch may be useful to add the required pam_tally calls to a template subfile


and registers it by appending to


After that, a ucr commit /etc/pam.d/univention-management-console should configure the UMC pam stack according to the setting of auth/faillog/.*

I guess we should implement something like this directly in the product.
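
A check to run after the ucr commit described in the comment above, as an added example that is not part of the original comment or the attached patch: it reports whether a PAM service file calls pam_tally in the auth group before any `sufficient` module, since a module placed after a successful `sufficient` entry is never reached. The module file names pam_tally.so and pam_tally2.so, the function names, the `@include` lookup next to the service file and the sample stack are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the attached patch.
# Assumption: the tally module is named pam_tally.so or pam_tally2.so.

# pam_expand FILE: print FILE with each "@include NAME" line replaced by the
# contents of NAME (relative names are looked up next to FILE).
pam_expand() (
    dir=$(dirname "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "@include "*)
                inc=${line#@include }
                case $inc in /*) ;; *) inc=$dir/$inc ;; esac
                pam_expand "$inc" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
)

# pam_tally_status FILE: print "ok" (tally runs before any sufficient auth
# module), "late" (a sufficient module can end the stack first) or "absent".
# Simplification: bracketed controls such as [success=done] are not evaluated.
pam_tally_status() {
    pam_expand "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { type = $1; sub(/^-/, "", type) }      # "-auth" is still the auth group
        type != "auth" { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /(^|\/)pam_tally2?\.so$/) {
                    print (early ? "late" : "ok"); found = 1; exit
                }
            if ($2 == "sufficient") early = 1   # later modules skipped on success
        }
        END { if (!found) print "absent" }'
}

# Constructed sample stack (not a real UCS file), tally before the password check.
sample=$(mktemp)
printf '%s\n' 'auth required pam_tally.so deny=3' 'auth sufficient pam_unix.so' > "$sample"
echo "sample stack: $(pam_tally_status "$sample")"
rm -f "$sample"
```

On a UCS system the function would be called as `pam_tally_status /etc/pam.d/univention-management-console`.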
Comment 2 Christian Völker univentionstaff 2018-05-11 11:45:41 CEST
Same issue appeared in the forum:

Comment 3 Arvid Requate univentionstaff 2018-05-14 15:25:57 CEST
Ok, I've added this to the UMC Board for prioritization.
Comment 4 Jannik Ahlers univentionstaff 2018-07-04 14:02:01 CEST
I put the changes Arvid's script makes into the univention-management-console package.

b406136b06ff | Bug #46978: YAML

univention-management-console (10.0.6-6)
676e6048386d | Bug #46978: debian changelog

univention-management-console (10.0.6-5)
c84f144894f4 | Bug #46978: enable bad password lockout in umc

Successful build
Package: univention-management-console
Version: 10.0.6-6A~
Branch: ucs_4.3-0
Scope: errata4.3-1
Comment 5 Quality Assurance univentionstaff 2018-07-04 16:05:22 CEST
--- mirror/ftp/4.3/unmaintained/component/4.3-1-errata/source/univention-management-console_10.0.6-5A~
+++ apt/ucs_4.3-0-errata4.3-1/source/univention-management-console_10.0.6-6A~
@@ -1,6 +1,10 @@
-10.0.6-5A~ [Fri, 15 Jun 2018 15:07:24 +0200] Univention builddaemon <buildd@univention.de>:
+10.0.6-6A~ [Wed, 04 Jul 2018 13:52:19 +0200] Univention builddaemon <buildd@univention.de>:
   * UCS auto build. No patches were applied to the original source package
+10.0.6-6 [Wed, 04 Jul 2018 13:27:42 +0200] Jannik Ahlers <ahlers@univention.de>:
+  * Bug #46978: enable bad password lockout policy in umc
 10.0.6-5 [Fri, 15 Jun 2018 14:39:48 +0200] Jürn Brodersen <brodersen@univention.de>:
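Review bot: the added 10.0.6-6 changelog entry ("Bug #46978: enable bad password lockout policy in umc") does not name the setting that switches the lockout on. This bug ties the behaviour to the auth/faillog UCR variables, so the entry should mention them, which lets an administrator reading the changelog tell whether the update changes logon behaviour on their system.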

Comment 6 Arvid Requate univentionstaff 2018-07-09 18:54:14 CEST
Ok, works.
Comment 7 Arvid Requate univentionstaff 2018-07-11 15:09:05 CEST