Bug 52892 - Password lockout in Samba/AD doesn't trigger lockout for PAM based authentication
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
Depends on: 38558
Blocks:
Reported: 2021-03-11 09:18 CET by Daniel Duchon
Modified: 2023-01-05 08:31 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021030921000766, 2021121421000141
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
Bug52892.patch (1.47 KB, patch)
2021-03-14 20:55 CET, Arvid Requate
Description Daniel Duchon univentionstaff 2021-03-11 09:18:49 CET
+++ This bug was initially created as a clone of Bug #38558 +++

This is still present, and there is a customer who needs a lockout sync between ldap/pam and samba.

At the moment, the lockout is only synced from ldap/pam to samba, but not in the other direction.

---

Original bug message:

It would be good if the logout state is transferred between the two worlds.

Right now the user can still log in to the UMC if he was logged out due to too many wrong password entries.
Comment 1 Arvid Requate univentionstaff 2021-03-11 13:32:08 CET
This has been implemented since 4.3-0, see Bug #32014. The ticket says that the AD-triggered lockout gets synchronized to "sambaAcctFlags: [UL         ]".

The customer describes something in the interaction between PAM-Auth and UDM/LDAP lockout on one hand and locking via faillog on the other hand.

Reminds me of Bug #38559.
Comment 2 Arvid Requate univentionstaff 2021-03-11 13:35:31 CET
See also Bug 39817 Comment 5.

Need more info.
Comment 3 Arvid Requate univentionstaff 2021-03-14 20:52:37 CET
Ok, I've tested the behavior thoroughly and observed that the faillog.py listener
unlocks accounts if the locking state in UDM changed from locked to unlocked.

But if the password lockout state changes from unlocked to locked in UDM,
the listener doesn't set the faillog/pam_tally status to locked. I'll attach a patch.

See result of Test 1 in Bug #52893 Comment 2 for details.
Comment 4 Arvid Requate univentionstaff 2021-03-14 20:55:08 CET
Created attachment 10640 [details]
Bug52892.patch
Comment 8 Stefan Gohmann univentionstaff 2022-12-19 07:58:21 CET
I set the "Waiting Support" flag because of Ticket #2021121421000141.