Univention Bugzilla – Bug 56570
Flaky 51_samba4/47domain_user_lockout.py — account-lockout-duration resets itself to 30m
Last modified: 2023-09-12 13:13:16 CEST
The test fails from time to time at the last test doing the final login with the *correct* password after waiting 1m+30s for the unlock. (Pdb) p stdout 'session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT' (Pdb) p stderr 'Kinit for ucs_test_samba4_user_neyf@PHAHN50.QA to access dc20.phahn50.qa failed: Clients credentials have been revoked' I can reproduce this by running the test in a loop; usually it fails after 3-5 runs: while /usr/share/ucs-test/51_samba4/47domain_user_lockout.py -vf; do :;done While debugging this for hours I finally noticed that "Account lockout duration" gets reset to "30" by something: samba-tool domain passwordsettings show … Account lockout duration (mins): 30 # <== should be 1 as set by test itself Account lockout threshold (attempts): 3 Reset account lockout after (mins): 30 <https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-5/job/Installation%20Tests/mode=samba-env/lastCompletedBuild/testReport/51_samba4/47domain_user_lockout/master/> Manual steps: # Create user USER='ucs_test_samba4_user_r15f' PASS='Univention1' ADMIN='Administrator%univention' samba-tool user create "$USER" "$PASS" -U Administrator%univention --debuglevel=1 # Setup password policy samba-tool domain passwordsettings set --account-lockout-duration 1 --account-lockout-threshold 3 -U "$ADMIN" --debuglevel=1 samba-tool domain passwordsettings show # Login with correct / wrong password: for try in '' 1 2 3 do smbclient "//$HOSTNAME/$USER" -U "${USER}%${PASS}${try}" --use-kerberos=required -t 20 -c ls --debuglevel=1 done # This also fails: kinit "$USER" # kinit: krb5_get_init_creds: Clients credentials have been revoked # Show current settings and account samba-tool user show "$USER" samba-tool domain passwordsettings show … # Account lockout duration (mins): 30 # Cleanup samba-tool domain passwordsettings set --account-lockout-duration default --account-lockout-threshold default -U "$ADMIN" --debuglevel=1 samba-tool user delete "$USER" -U "$ADMIN" --debuglevel=1
FYI: I locally changed the test code to print the policy: 1. once just after changing the policy to threshold=3/duration=1 2. again on test failures All my tests this far indicate that the policy is applied correctly, but it gets changed back to 30/1 while the test is running. More precisely: it happens during the first 30s where the test just sleeps: > hist = [] # type: List[str] > hist += dump_pwpolicy() # Here it is 3/1 > > print("# Twiddling thumbs for 30s") # Why? > sleep(30) > > print(f"# Authenticating user '{test_username}' with correct password '{TEST_USER_PASS}'") > hist += dump_pwpolicy() # Here it is back to 3/30 [5.0-5] 073e1ac01e refactor(51_samba4/47domain_user_lockout.py) 2 test/ucs-test/debian/changelog | 6 ++++++ test/ucs-test/tests/51_samba4/47domain_user_lockout.py | 17 +++++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) [5.0-5] 500af51d73 refactor(51_samba4/47domain_user_lockout.py) test/ucs-test/tests/51_samba4/47domain_user_lockout.py | 229 +++++++++++++++++++++---------------- 1 file changed, 129 insertions(+), 100 deletions(-) Package: ucs-test Version: 10.0.17-1 Branch: ucs_5.0-0 Scope: ucs5.0-5