Univention Bugzilla – Bug 52892
Password lockout in Samba/AD doesn't trigger lockout for PAM based authentication
Last modified: 2023-01-05 08:31:34 CET
+++ This bug was initially created as a clone of Bug #38558 +++ This is still present and there is a customer who needs to have a lockout sync between ldap/pam and samba. At the moment, the lockout is only synced from ldap/pam to samba, but not in the other direction. --- Original bug message: It would be good if the logout state is transferred between the two worlds. Right now the user still can login to the UMC if he was logged out due to too many wrong password entries.
This is implemented since 4.3-0, see Bug #32014. The ticket says that the AD-triggered lockout gets synchronized to "sambaAcctFlags: [UL ]". The customer describes something in the interaction between PAM auth and UDM/LDAP lockout on one hand and locking via faillog on the other hand. Reminds me of Bug #38559.
See also Bug 39817 Comment 5. Need more info.
Ok, I've tested the behavior thoroughly and observed that the faillog.py listener unlocks accounts if the locking state in UDM changed from locked to unlocked. But if the password lockout state changes from unlocked to locked in UDM, the listener doesn't set the faillog/pam_tally status to locked. I'll attach a patch. See result of Test 1 in Bug #52893 Comment 2 for details.
Created attachment 10640: Bug52892.patch
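To make the one-directional behaviour described in the comment above concrete, here is an added example that models a UDM-to-faillog lock-state sync handler. It is not Univention's faillog.py listener and not the attached patch: the handler signature (old and new LDAP attribute dicts), reading the lock state from an "L" in sambaAcctFlags, and the in-memory stand-in for the faillog/pam_tally counter are all assumptions made for illustration. The buggy variant only reacts to locked-to-unlocked transitions, exactly the gap the comment reports; the fixed variant handles both transitions.

```python
"""Added example, not project code: model of a lock-state sync listener.

Hypothetical assumptions:
- the listener gets the old and new LDAP attribute dicts of a user entry;
- UDM lock state is taken from an 'L' in sambaAcctFlags (the page shows
  "sambaAcctFlags: [UL ]"); the real listener may inspect another attribute;
- faillog/pam_tally is modelled as a per-user failure counter, where reaching
  LOCK_THRESHOLD failures means "locked".
"""

LOCK_THRESHOLD = 5  # constructed value standing in for the pam_tally deny limit


def is_locked(attrs):
    """Return True if the entry's sambaAcctFlags carry the 'L' (locked) flag."""
    flags = attrs.get("sambaAcctFlags", [b"[U          ]"])[0]
    if isinstance(flags, bytes):
        flags = flags.decode("ascii")
    return "L" in flags.strip("[]")


class FakeFaillog:
    """In-memory stand-in for the faillog/pam_tally failure counter."""

    def __init__(self):
        self.counts = {}

    def lock(self, user):
        # Raising the counter to the threshold is how a lock is expressed here.
        self.counts[user] = LOCK_THRESHOLD

    def unlock(self, user):
        self.counts[user] = 0

    def locked(self, user):
        return self.counts.get(user, 0) >= LOCK_THRESHOLD


def handler_buggy(username, old, new, faillog):
    """Behaviour described in the report: only locked -> unlocked is synced."""
    if is_locked(old) and not is_locked(new):
        faillog.unlock(username)
        return "unlocked"
    return "noop"


def handler_fixed(username, old, new, faillog):
    """Both transitions are synced: UDM lock also locks the PAM side."""
    was_locked, now_locked = is_locked(old), is_locked(new)
    if was_locked and not now_locked:
        faillog.unlock(username)
        return "unlocked"
    if now_locked and not was_locked:
        faillog.lock(username)
        return "locked"
    return "noop"


def simulate(handler):
    """Run a lock-then-unlock sequence in UDM through the given handler.

    Returns (action on lock, PAM locked after lock?,
             action on unlock, PAM locked after unlock?).
    """
    faillog = FakeFaillog()
    # Constructed LDAP entries for a user before and after being locked in UDM.
    unlocked = {"uid": [b"alice"], "sambaAcctFlags": [b"[U          ]"]}
    locked = {"uid": [b"alice"], "sambaAcctFlags": [b"[UL         ]"]}

    on_lock = handler("alice", unlocked, locked, faillog)
    pam_locked_after_lock = faillog.locked("alice")
    on_unlock = handler("alice", locked, unlocked, faillog)
    pam_locked_after_unlock = faillog.locked("alice")
    return (on_lock, pam_locked_after_lock, on_unlock, pam_locked_after_unlock)


if __name__ == "__main__":
    print("buggy:", simulate(handler_buggy))
    print("fixed:", simulate(handler_fixed))
```

With the buggy handler the UDM lock never reaches the PAM side, so a user locked in UDM can still authenticate through PAM until the counter fills up on its own; the fixed handler closes that window by mirroring the lock as well as the unlock.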
I set the "Waiting Support" flag because of Ticket #2021121421000141.