Bug 52893 - ppolicy password lockout sometimes doesn't trigger Samba/AD password lockout
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.4
Hardware: Other
OS: Mac OS X 10.1
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2021-03-11 09:28 CET by Daniel Duchon
Modified: 2023-01-05 08:31 CET

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?: Yes
Waiting Support: Yes
Ticket number: 2021030921000766, 2021121421000141

Attachments
check-password-lockout.sh (10.17 KB, application/x-shellscript)
2021-03-14 21:34 CET, Arvid Requate

Description Daniel Duchon univentionstaff 2021-03-11 09:28:50 CET
If a user is locked out due to too many login attempts, Kerberos ignores it.

This results in the password security policy not taking effect with Kerberos. So a brute-force attack is still possible.
Comment 1 Arvid Requate univentionstaff 2021-03-11 13:26:31 CET
Could you elaborate? In Samba/AD domains the KDC is actually provided by Samba,
so this would be a bug in Samba, not in vanilla Heimdal KDC.
I'll change the Bug component accordingly.
Comment 2 Arvid Requate univentionstaff 2021-03-14 20:48:15 CET
Ok, in my manual tests I could trigger a timing issue between OpenLDAP/ppolicy lockout
and the S4-Connector:

* S4-Connector sync-ping-pong-timing may leave sambaAcctFlags unlocked.
  This depends on the timing of the failing LDAP bind attempts.
  The test protocol below (Test case 4) shows the good, intended behavior,
  but I'll attach a script that shows (in the code) how the timing
  can be changed to trigger the Bug.



In my pretty extensive manual tests I observed this situation:

* Lockout via LDAP-bind/ppolicy also triggers UDM lockout
  and is synchronized to Samba/AD (Kerberos & SMB logon) via S4-Connector

* Lockout via Samba/AD (Kerberos & SMB logon) synchronizes the lockout state
  to OpenLDAP sambaAcctFlags, which correctly shows the account as locked in UMC/UDM
  But: The S4-Connector doesn't yet attempt to also lock the account for ppolicy/LDAP-binds,
  So LDAP simple bind is not locked then. -> Bug 52902

* UDM password lockout (triggered either via LDAP-simplebind/ppolicy or Samba/AD) doesn't
  lockout PAM based authentication -> Bug 52892

* badPwdCount is incremented by steps of 2: Looks similar to Bug #40328


Note: Depending on the actual use case of the login flow there are several combinations to test:

I) Lockout triggered by
a) failed user login against Samba/AD (SMB or Kerberos)
b) failed user login against OpenLDAP/UDM (ldapbind or UDM)
c) failed user login against PAM (e.g. UMC or ssh)
d) failed user login against SAML

II) Unlock triggered
a) by good user login against Samba/AD (SMB or Kerberos)
b) by good user login against OpenLDAP/UDM (ldapbind or UDM)
c) by good user login against PAM (e.g. UMC or ssh)
d) by good user login against SAML
e) by admin (via UMC/UDM)


I only checked I.a)-I.c) and matching II.a)-II.c) here:

==================================================
### Test protocol:
root@dc0:~# lsb_release -r
Release:        4.4-7 errata907

# Samba/AD Domain Password policy:
root@dc0:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=samltest,DC=intranet'

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 5
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 5

# UCS faillog/pam_tally policy:
root@dc0:~# ucr search --brief faillog
auth/faillog/limit: <empty>
auth/faillog/lock_global: yes
auth/faillog/root: <empty>
auth/faillog/unlock_time: 300
auth/faillog: yes

# UCS ppolicy config:
root@dc0:~# ucr search --brief ppolicy
ldap/ppolicy/default: <empty>
ldap/ppolicy/enabled: yes
ldap/ppolicy: yes

root@dc0:~# univention-ldapsearch -LLL \
  -b "cn=default,cn=ppolicy,cn=univention,dc=samltest,dc=intranet" \
  -s base pwdLockout pwdMaxFailure pwdLockoutDuration pwdFailureCountInterval
dn: cn=default,cn=ppolicy,cn=univention,dc=samltest,dc=intranet
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 300
pwdFailureCountInterval: 300


### Test 1) Trigger lockout via SMB logon
# 1.1 Check account is ok:
root@dc0:~# ldapsearch -LLL -D uid=user1,cn=users,dc=samltest,dc=intranet -w univention uid=user1 1.1
dn: uid=user1,cn=users,dc=samltest,dc=intranet
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%univention -c showconnect
//dc0.samltest.intranet/sysvol  ## SMB Logon works
root@dc0:~# echo -n univention | kinit --password-file=STDIN user1 && echo ok
ok
root@dc0:~# kdestroy

root@dc0:~# univention-ldapsearch -LLL uid=user1 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64 
dn: uid=user1,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [U          ]
sambaBadPasswordTime: 0

root@dc0:~# univention-s4search samaccountname=user1 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 0

root@dc0:~# pam_tally --user user1
User user1      (2014)  has 0

# 1.2 Trigger lockout via SMB
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%wrong -c showconnect
session setup failed: NT_STATUS_LOGON_FAILURE
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%wrong -c showconnect
session setup failed: NT_STATUS_LOGON_FAILURE
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%wrong -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

root@dc0:~# univention-s4search samaccountname=user1 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 5
lockoutTime: 132601065227525280  ## locked

root@dc0:~# udm users/user list --filter username=user1 | egrep "^ +locked:"
  locked: 1

root@dc0:~# univention-ldapsearch -LLL uid=user1 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user1,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [UL         ]    ## Locked for UMC/UDM
sambaBadPasswordTime: 132601065227525280
## Note: ppolicy attributes are not set here

# 1.3 Check Kerberos:
root@dc0:~# echo -n univention | kinit --password-file=STDIN user1
kinit: krb5_get_init_creds: No PKINIT PA found

# Check SMB Logon:
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser2%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

## Bug 52902: LDAP simple bind is still possible:

root@dc0:~# ldapsearch -LLL -D uid=user1,cn=users,dc=samltest,dc=intranet -w univention uid=user1 1.1
dn: uid=user1,cn=users,dc=samltest,dc=intranet

## Bug 52892: PAM authentication is still possible:

root@dc0:~# pam_tally --user user1
User user1      (2014)  has 0

## But the account is shown as locked in UDM:
root@dc0:~# udm users/user list --filter username=user1 | egrep "^ +locked:"
  locked: 1


### Test 2) Trigger lockout via Kerberos:
## 2.1 Check account is ok:
root@dc0:~# ldapsearch -LLL -D uid=user2,cn=users,dc=samltest,dc=intranet -w univention uid=user2 1.1
dn: uid=user2,cn=users,dc=samltest,dc=intranet
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser2%univention -c showconnect && echo ok
//dc0.samltest.intranet/sysvol  ## SMB Logon works
ok
root@dc0:~# echo -n univention | kinit --password-file=STDIN user2 && echo ok
ok
root@dc0:~# kdestroy

root@dc0:~# univention-ldapsearch -LLL uid=user2 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64 
dn: uid=user2,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [U          ]
sambaBadPasswordTime: 0

root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
lockoutTime: 0
badPwdCount: 0

root@dc0:~# pam_tally --user user2
User user2      (2015)  has 0

## 2.2 Trigger lockout via Kerberos
root@dc0:~# echo -n wrong | kinit --password-file=STDIN user2
kinit: Password incorrect
root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
lockoutTime: 0
badPwdCount: 2   ## Bug: badPwdCount increased by 2: Looks similar to Bug #40328
root@dc0:~# echo -n wrong | kinit --password-file=STDIN user2
kinit: Password incorrect
root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
lockoutTime: 0
badPwdCount: 4
root@dc0:~# echo -n wrong | kinit --password-file=STDIN user2
kinit: krb5_get_init_creds: No PKINIT PA found
root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 5
lockoutTime: 132601065227525280

## 2.3 Check SMB Logon
root@dc0:~# kdestroy
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser2%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT


## Bug 52902: LDAP simple bind is still possible:

root@dc0:~# ldapsearch -LLL -D uid=user2,cn=users,dc=samltest,dc=intranet -w univention uid=user2 1.1
dn: uid=user2,cn=users,dc=samltest,dc=intranet

# Bug 52892: PAM authentication is still possible:

root@dc0:~# pam_tally --user user2
User user2      (2015)  has 0

## But the account is shown as locked in UDM:
root@dc0:~# udm users/user list --filter username=user1 | egrep "^ +locked:"
  locked: 1


### Test 3) Trigger via pam_tally:
## 3.1 Check account is ok:
root@dc0:~# ldapsearch -LLL -D uid=user3,cn=users,dc=samltest,dc=intranet -w univention uid=user3 1.1
dn: uid=user3,cn=users,dc=samltest,dc=intranet
root@dc0:~# pam_tally --user user3
User user3      (2016)  has 0
root@dc0:~# univention-ldapsearch -LLL uid=user3 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user3,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [U          ]
sambaBadPasswordTime: 0

## 3.2 Trigger lockout via pam_tally
root@dc0:~# su - user1
user1@dc0:~$ su - user3
Passwort: <wrong1>
su: Fehler bei Authentifizierung
# Check Samba/AD counter too, because pam_krb5 is called in pam stack too:
root@dc0:~# univention-s4search samaccountname=user3 badPwdCount | grep '^badPwdCount: '
badPwdCount: 2

user1@dc0:~$ su - user3
Passwort: <wrong2>
su: Fehler bei Authentifizierung
# Check Samba/AD counter too, because pam_krb5 is called in pam stack too:
root@dc0:~# univention-s4search samaccountname=user3 badPwdCount | grep '^badPwdCount: '
badPwdCount: 4

user1@dc0:~$ su - user3
Passwort: <wrong3>
su: Fehler bei Authentifizierung
# Check Samba/AD counter too, because pam_krb5 is called in pam stack too:
root@dc0:~# univention-s4search samaccountname=user3 badPwdCount | grep '^badPwdCount: '
badPwdCount: 5
# Samba/AD account is locked, albeit a bit too early: Looks similar to Bug #40328
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser3%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT
root@dc0:~# echo -n univention | kinit --password-file=STDIN user3
kinit: krb5_get_init_creds: No PKINIT PA found

# go on with PAM logons:
user1@dc0:~$ su - user3
Passwort: <wrong4>
su: Fehler bei Authentifizierung
user1@dc0:~$ su - user3
Passwort: <wrong5>
su: Fehler bei Authentifizierung
user1@dc0:~$ su - user3
Das Konto ist wegen 6 fehlgeschlagener Anmelde-Versuche gesperrt
# Account is locked
root@dc0:~# pam_tally --user user3
User user3      (2016)  has 6

## 3.3 Check udm state, Kerberos & SMB Logon
root@dc0:~# udm users/user list --filter username=user3 | egrep "^ +locked:"
  locked: 1

root@dc0:~# univention-ldapsearch -LLL uid=user3 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user3,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$vo0uCFCrdkEIPu7M$8MlZnFFcXnCd637TZ4h5GufiYYraOjW7zweHxEMkTN.VmifwAWSwEQf1sWpRKC9DLOLNcTixOMldjNxJ94oUZ1
krb5KDCFlags: 126
sambaAcctFlags: [UL         ]
sambaBadPasswordTime: 132600923570000000

root@dc0:~# univention-s4search samaccountname=user2 badPwdCount | grep '^badPwdCount: '
badPwdCount: 5

### Test 4) Trigger via ppolicy:
## 4.1 Check account is ok:
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126

root@dc0:~# pam_tally --user user4
User user4      (2017)  has 0

root@dc0:~# univention-s4search samaccountname=user4 badPwdCount userAccountControl | egrep '^(badPwdCount|userAccountControl): '
userAccountControl: 512
badPwdCount: 0

root@dc0:~# echo -n univention | kinit --password-file=STDIN user4 && echo ok
ok
root@dc0:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user4@SAMLTEST.INTRANET

  Issued                Expires               Principal
Mar 13 08:21:18 2021  Mar 13 18:21:18 2021  krbtgt/SAMLTEST.INTRANET@SAMLTEST.INTRANET
root@dc0:~# kdestroy

root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser4%univention -c showconnect
//dc0.samltest.intranet/sysvol  ## SMB Logon works

## 4.2 Trigger lockout via ppolicy
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)

# Confirm LDAP lockout
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w univention uid=user4 1.1 || echo ok
ldap_bind: Invalid credentials (49)
ok

## 4.3 check LDAP attribute state, UDM state, Samba/AD attributes, local faillog, SMB Logon, Kerberos auth

root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
pwdFailureTime: 20210313100640.171897Z
pwdFailureTime: 20210313100640.199390Z
pwdFailureTime: 20210313100640.216640Z
pwdFailureTime: 20210313100640.235599Z
pwdFailureTime: 20210313100640.252073Z
sambaBadPasswordTime: 132601036000000000
sambaAcctFlags: [UL         ]
pwdAccountLockedTime: 20210313100640Z

root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 1

root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 132600937780000000   ## Ok, locked

## Check SMB Logon:
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser4%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

## Check Kerberos auth
root@dc0:~# echo -n univention | kinit --password-file=STDIN user4
kinit: krb5_get_init_creds: No PKINIT PA found

## Check state of local faillog/pam_tally:
root@dc0:~# pam_tally --user user4
User user4      (2017)  has 0

## 4.4 Wait for unlock and check LDAP attribute state, UDM state, Samba/AD attributes, local faillog, SMB Logon, Kerberos auth
root@dc0:~# sleep 300

# Check state of LDAP attributes (should still show the locked state):
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
pwdFailureTime: 20210313100640.171897Z
pwdFailureTime: 20210313100640.199390Z
pwdFailureTime: 20210313100640.216640Z
pwdFailureTime: 20210313100640.235599Z
pwdFailureTime: 20210313100640.252073Z
sambaBadPasswordTime: 132601036000000000
sambaAcctFlags: [UL         ]
pwdAccountLockedTime: 20210313100640Z

# Check UDM account state (should still show the locked state):
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 1

# Check state of Samba/AD attributes (should still show the locked state):
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 132601036000000000

# Check SMB Logon works again -> This triggers the unlock in Samba/AD
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser4%univention -c showconnect && echo ok
//dc0.samltest.intranet/sysvol  ## SMB Logon works again
ok

# Check Kerberos auth works again
root@dc0:~# echo -n univention | kinit --password-file=STDIN user4 && echo ok
ok

# Check state of Samba/AD attributes (should show unlocked state now):
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 0


# Check state of LDAP attributes (should show sambaAcctFlags unlocked but still show the ppolicy locked state):
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
pwdFailureTime: 20210313100640.171897Z
pwdFailureTime: 20210313100640.199390Z
pwdFailureTime: 20210313100640.216640Z
pwdFailureTime: 20210313100640.235599Z
pwdFailureTime: 20210313100640.252073Z
pwdAccountLockedTime: 20210313100640Z
sambaAcctFlags: [U          ]
sambaBadPasswordTime: 0

# Check UDM account state (should show the unlocked state):
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 0

# Check LDAP bind (should work now):
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w univention uid=user4 1.1 || echo ok
dn: uid=user4,cn=users,dc=samltest,dc=intranet

# Check state of LDAP attributes (should show full unlocked state now):
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
sambaAcctFlags: [U          ]
sambaBadPasswordTime: 0

# Check UDM account state (should show unlocked state):
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 0


# Check state of Samba/AD attributes (should show unlocked state):
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 0

root@dc0:~# pam_tally --user user4
User user4      (2017)  has 0
==================================================
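A consistency check over the three lockout views the protocol above queries, added here as an example; it is not the attached check-password-lockout.sh and not UCS code. It parses the attribute subsets printed by univention-ldapsearch and univention-s4search (constructed dumps are embedded, modelled on user4 in steps 4.3 and 4.4) and reports whether OpenLDAP/ppolicy (pwdAccountLockedTime), UDM (sambaAcctFlags) and Samba/AD (lockoutTime) agree.

```shell
#!/bin/sh
# Added example, not the attached check-password-lockout.sh: compare the three
# lockout views the protocol queries and flag the states that only partly agree.

# attr DUMP NAME: first value of attribute NAME in DUMP (empty if absent).
attr() {
  printf '%s\n' "$1" | awk -v k="$2" \
    'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# OpenLDAP/ppolicy view: pwdAccountLockedTime is only present while locked.
ppolicy_state() {
  if [ -n "$(attr "$1" pwdAccountLockedTime)" ]; then echo locked; else echo unlocked; fi
}

# UDM view: the L flag in sambaAcctFlags, e.g. "[UL         ]".
udm_state() {
  case "$(attr "$1" sambaAcctFlags)" in
    *L*) echo locked ;;
    *)   echo unlocked ;;
  esac
}

# Samba/AD view: lockoutTime is 0 when unlocked, a FILETIME stamp when locked.
ad_state() {
  t=$(attr "$1" lockoutTime)
  if [ -n "$t" ] && [ "$t" != 0 ]; then echo locked; else echo unlocked; fi
}

# lockout_state LDAP_DUMP S4_DUMP: print the three states and a verdict.
lockout_state() {
  pp=$(ppolicy_state "$1"); udm=$(udm_state "$1"); ad=$(ad_state "$2")
  if [ "$pp" = "$udm" ] && [ "$udm" = "$ad" ]; then
    verdict=consistent
  elif [ "$pp" = locked ] && [ "$ad" = unlocked ]; then
    verdict=ppolicy-locked-but-samba-unlocked   # this report, if seen right after the binds
  elif [ "$ad" = locked ] && [ "$pp" = unlocked ]; then
    verdict=samba-locked-but-ppolicy-unlocked   # Bug 52902
  else
    verdict=mismatch
  fi
  printf 'ppolicy=%s udm=%s ad=%s verdict=%s\n' "$pp" "$udm" "$ad" "$verdict"
}

# Constructed dumps (attribute subset only), modelled on user4 in steps 4.3 and 4.4.
LDAP_LOCKED='dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
pwdFailureTime: 20210313100640.171897Z
sambaAcctFlags: [UL         ]
pwdAccountLockedTime: 20210313100640Z'
S4_LOCKED='userAccountControl: 512
badPwdCount: 0
lockoutTime: 132600937780000000'
LDAP_HALF='dn: uid=user4,cn=users,dc=samltest,dc=intranet
pwdAccountLockedTime: 20210313100640Z
sambaAcctFlags: [U          ]'
S4_UNLOCKED='userAccountControl: 512
badPwdCount: 0
lockoutTime: 0'

lockout_state "$LDAP_LOCKED" "$S4_LOCKED"   # ... verdict=consistent
lockout_state "$LDAP_HALF" "$S4_UNLOCKED"   # ... verdict=ppolicy-locked-but-samba-unlocked
```

The half-locked verdict is expected once pwdLockoutDuration has elapsed (step 4.4 above), so run the check right after the failed binds to catch the timing issue this report describes.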
Comment 3 Arvid Requate univentionstaff 2021-03-14 21:34:15 CET
Created attachment 10641
check-password-lockout.sh

This checks Test 4.
Comment 7 Stefan Gohmann univentionstaff 2022-12-19 07:58:28 CET
I set the "Waiting Support" flag because of Ticket #2021121421000141.