Bug 53062 - Server password change can cause ppolicy lockout
Status: NEW
Product: UCS
Classification: Unclassified
Component: Password changes
Version: UCS 4.4
Platform: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact: UCS maintainers
Depends on:
Blocks:
Reported: 2021-04-12 16:47 CEST by Dirk Schnick
Modified: 2023-04-17 12:11 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021041021000378
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Dirk Schnick univentionstaff 2021-04-12 16:47:48 CEST
In a customer environment a server password change caused several ppolicy lockouts, but not every time. I now found that the univention-dhcp server is not stopped in the pre script. Actually there is a host in the customer network that is not configured and dhcp has no pool, so there are several requests per minute. As dhcp is only restarted after the server password change, the lockout of the machine account already happened during the password change.
But also after a restart of univention-dhcp the lockout took place. I'm not sure, but I read that the restart does not reload the dhcp.config and read the secret from the file. So it must be, from my understanding, a stop and a start.

I changed /usr/lib/univention-server/server_password_change.d/univention-dhcp in pre from "nothing to be done..." to 
systemctl stop dhcp

and the nochange and post to
systemctl start univention-dhcp

The server password change worked without a lockout.
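As an added example (not part of this bug report and not the hook script UCS ships), the following shows the shape of a server_password_change.d hook that does what the description above amounts to: stop the daemon before the machine password is rotated and start it again afterwards, so that nothing keeps binding with the stale secret while the change is in flight. It assumes the hook is invoked with one argument naming the phase (prechange, postchange or nochange); that calling convention, the unit name univention-dhcp and the SYSTEMCTL override used for dry runs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example hook for /usr/lib/univention-server/server_password_change.d/
# (illustration only, not the script shipped by UCS).
# Assumption: the hook is invoked with one argument, the phase:
#   prechange  - before the machine password is rotated
#   postchange - after the new password is in place
#   nochange   - the change was aborted, the old password is still valid
# Stopping in prechange matters because a daemon that keeps binding with the
# old machine secret during the change produces failed binds that count
# towards the ppolicy lockout; a restart after the change comes too late.

SERVICE="${SERVICE:-univention-dhcp}"   # assumed unit name
SYSTEMCTL="${SYSTEMCTL:-systemctl}"     # set to "echo" for a dry run

# Map a phase to the systemctl verb the hook should run.
# Prints "stop", "start" or "unknown".
hook_action() {
    case "$1" in
        prechange)            echo stop ;;
        postchange|nochange)  echo start ;;
        *)                    echo unknown ;;
    esac
}

# Run the hook for the given phase. Returns 2 on an unknown phase so that a
# typo in the caller cannot silently leave the daemon running with a stale
# secret instead of stopping it.
run_hook() {
    action=$(hook_action "$1")
    case "$action" in
        stop|start) "$SYSTEMCTL" "$action" "$SERVICE" ;;
        *)
            echo "usage: $0 prechange|postchange|nochange" >&2
            return 2
            ;;
    esac
}

# Only act when called with a phase, so sourcing the file has no side effect.
if [ "$#" -gt 0 ]; then
    run_hook "$1"
fi
```

Dry-run it with `SYSTEMCTL=echo ./univention-dhcp prechange` to see the verb it would issue; on a real system follow the postchange start with `systemctl is-active univention-dhcp` and a look at the directory server log for bind failures from the machine account to confirm the daemon came back with the new secret.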
Comment 1 Dirk Schnick univentionstaff 2021-04-23 22:26:48 CEST
It looks like nscd is also locking out the machine, without changing prechange to stopping the daemon. It happened in my test environment two times this evening, but not every time. So it is not 100% reproducible.

The problem seems to be that if the daemons are not stopped (samba cannot be stopped, as far as I know) they will use the old PW during the change and can then lock out the machine.
Comment 4 Nico Gulden univentionstaff 2023-04-17 12:03:21 CEST
See the discussion at Univention Help: https://help.univention.com/t/server-password-change-on-dc-master-fails-reproducible/21289/8