[Bug 314623] Re: likewise-open: allows lockout while disconnected
Thierry: I have not touched lwiauthd.conf or pam_lwidentity.conf, except to turn on debugging in pam_lwidentity.conf.

--
likewise-open: allows lockout while disconnected
https://bugs.launchpad.net/bugs/314623
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to likewise-open in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 314623] Re: likewise-open: allows lockout while disconnected
Justin, I think your problem is different than this one. All your problems occur while connected to the network.
[Bug 314623] Re: likewise-open: allows lockout while disconnected
I am working to deploy Ubuntu 9.04 in a medium-sized Windows network, using Likewise-open for domain authentication... and I have seen this happen on two separate occasions over the course of about 4 months. I don't have any log files or anything, but here is what I experienced.

1) I went on vacation and let my password expire. I came in to work and changed my password on a Windows PC. When I logged on to my Ubuntu laptop, I used cached credentials (as I do everyday, due to PEAP authentication on the wireless) and all was good for a few hours. My domain account started getting locked out on the DC, so I rebooted my Ubuntu laptop to try and update my credentials while hard wired in to the network. The "account" became locked on the Ubuntu machine, and would not let me login. The error was simply "Authentication Failed". After waiting it out for approximately 2 hours, I could login again.

2) I had a user on a slow laptop as a test subject for Ubuntu to see if it was a viable option for working in a Windows environment of SQL servers, Terminal Servers, IM, Email, etc... and found that after several months of testing was fine. I issued a new, faster laptop to said user, and while hard wired in to the network was able to successfully login and transfer all of their files. The next morning, while hard wired in to the network - the user could not login... error was simply "Authentication Failed". As a workaround had them login as the root user... then after about a 2 hour wait, they could login using their domain account.

I would like to know what function is failing, &/or how to "unlock" an account when this happens.

- Justin
[Bug 314623] Re: likewise-open: allows lockout while disconnected
I reproduce the exact same log lines when I am connected to the DC, once I set up the lockout policy. However when I'm disconnected, I get the same logs for the first 3 attempts but the 4th one (with the right password) succeeds with:

...
pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
pam_lwidentity(su:auth): Received UPN of u...@domain u...@domain
pam_lwidentity(su:auth): User DOMAIN\user logged on using cached credentials
...

Did you set anything special in pam_lwidentity.conf or lwiauthd.conf? Can you reproduce the issue on a clean setup?
[Bug 314623] Re: likewise-open: allows lockout while disconnected
Turning on debug in pam_lwidentity.conf, my /var/log/auth.log tells me the following:

May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): [pamh: 0x80dc138] ENTER: pam_sm_authenticate (flags: 0x)
May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): getting password (0x)
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): [pamh: 0x80dc138] LEAVE: pam_sm_authenticate returning 7
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): [pamh: 0x8471138] ENTER: pam_sm_authenticate (flags: 0x)
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): getting password (0x)
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): [pamh: 0x8471138] LEAVE: pam_sm_authenticate returning 7
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): [pamh: 0x84ac138] ENTER: pam_sm_authenticate (flags: 0x)
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): getting password (0x)
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): [pamh: 0x84ac138] LEAVE: pam_sm_authenticate returning 7
May 5 12:26:06 host su[8731]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:26:06 host su[8731]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:26:06 host su[8731]: pam_lwidentity(su:auth): [pamh: 0x9338138] ENTER: pam_sm_authenticate (flags: 0x)
May 5 12:26:06 host su[8731]: pam_lwidentity(su:auth): getting password (0x)
May 5 12:26:11 host su[8731]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:26:11 host su[8731]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:26:11 host su[8731]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:26:11 host su[8731]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:26:11 host su[8731]: pam_lwidentity(su:auth): request failed: Account locked out, WBL error was The account has been automatically locked out due to too many invalid attempts to logon or change the password (10), NT error was NT_STATUS_ACCOUNT_LOCKED_OUT, PAM error 11
May 5 12:26:11 host su[8731]: pam_lwidentity(su:auth): [pamh: 0x9338138] LEAVE: pam_sm_authenticate returning 6
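Added example, not part of the original thread and not likewise-open code: a Python script that groups pam_lwidentity debug lines like those in the message above by process ID and reports how many NT_STATUS_LOGON_FAILURE results preceded each NT_STATUS_ACCOUNT_LOCKED_OUT. The sample input is constructed from the message formats quoted in this thread, and the function names are hypothetical.

```python
import re

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+\w+\[(?P<pid>\d+)\]:"
                  r"\s+pam_lwidentity\([^)]*\):\s+(?P<msg>.*)$")
VERIFY = re.compile(r"Verify user '(?P<user>[^']+)'")
FAILED = re.compile(r"request failed: .*NT error was (?P<nt>NT_STATUS_\w+)")
CACHED_OK = re.compile(r"User (?P<user>\S+) logged on using cached credentials")

def parse_attempts(text):
    """Group pam_lwidentity debug lines by (host, pid): one record per attempt."""
    attempts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        a = attempts.setdefault((m["host"], m["pid"]), {
            "time": m["ts"], "user": None, "cached_flag": False, "result": None})
        if v := VERIFY.search(m["msg"]):
            a["user"] = v["user"]
        elif "enabling cached login flag" in m["msg"]:
            a["cached_flag"] = True
        elif f := FAILED.search(m["msg"]):
            a["result"] = f["nt"]
        elif c := CACHED_OK.search(m["msg"]):
            a["user"], a["result"] = c["user"], "CACHED_LOGON_OK"
    return list(attempts.values())

def lockouts_after_failures(attempts):
    """Return (user, time, prior_failures) per lockout; a good logon resets the count."""
    streak, found = {}, []
    for a in attempts:
        user, res = a["user"], a["result"]
        if res == "NT_STATUS_LOGON_FAILURE":
            streak[user] = streak.get(user, 0) + 1
        elif res == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            found.append((user, a["time"], streak.get(user, 0)))
        elif res == "CACHED_LOGON_OK":
            streak[user] = 0
    return found

# Constructed sample shaped like the log above: three bad passwords, then a lockout.
FAIL = "request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7"
LOCK = "request failed: Account locked out, WBL error was The account has been automatically locked out due to too many invalid attempts to logon or change the password (10), NT error was NT_STATUS_ACCOUNT_LOCKED_OUT, PAM error 11"
def _lines(pid, ts, outcome):
    pre = f"May 5 {ts} host su[{pid}]: pam_lwidentity(su:auth): "
    return [pre + r"Verify user 'DOMAIN\user'", pre + "enabling cached login flag", pre + outcome]
SAMPLE = "\n".join(line for args in [(8722, "12:25:56", FAIL), (8726, "12:25:59", FAIL),
           (8727, "12:26:03", FAIL), (8731, "12:26:11", LOCK)] for line in _lines(*args))
print(lockouts_after_failures(parse_attempts(SAMPLE)))
```

A lockout result on an attempt whose record has `cached_flag` set, with no matching lockout on the DC, is the pattern this bug report describes.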
[Bug 314623] Re: likewise-open: allows lockout while disconnected
Ubuntu Jaunty, likewise-open version 4.1.2982-0ubuntu2.

The domain account is never locked out, because the incorrect passwords were entered with the machine disconnected from the network. Therefore there is no way for the DC to even know about the login attempts.

Relevant sections of my pam config files (as set up by pam-auth update; comments are removed).

common-auth:
auth [success=2 default=ignore] pam_lwidentity.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

common-account:
account [success=2 default=ignore] pam_lwidentity.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_lwidentity.so
session required pam_unix.so
session optional pam_ck_connector.so nox11
[Bug 314623] Re: likewise-open: allows lockout while disconnected
I tried to reproduce with the exact same instructions with likewise-open on a Jaunty desktop, without success. Three incorrect, then one correct, I can still log in with cached creds, as expected.

Could you please indicate what version of Ubuntu you're running, and the version of the likewise-open package?

The error message you get should only be returned if the DC locked the account. So if you can still reproduce it, could you check the status of the domain account before and after the test?
[Bug 314623] Re: likewise-open: allows lockout while disconnected
I tested by disabling the network (unchecking "Enable networking" on the network manager applet in GNOME). I've also done it by simply unplugging the network cable. I used 'su - $USER', using a gnome-terminal session while logged in to the GNOME desktop. One incorrect, then one correct, allowed me to log in (using cached credentials). Two incorrect, then one correct, allowed me to log in (again, using cached credentials). Three incorrect, then one correct, did not allow me to log in, giving the above error. 'sudo -i' gave similar results, although it prompted multiple times for the password at one invocation rather than simply reporting 'Authentication failure' at the first failed attempt on each invocation. In both cases, a correct password on the fourth or greater attempt will display the error.
[Bug 314623] Re: likewise-open: allows lockout while disconnected
I can't reproduce that. With the DC shut down I've ssh-ed in and typed 15 wrong passwords... but could still connect using cached credentials on the 16th attempt. Could you please explain what I could do to reproduce the issue?

** Changed in: likewise-open (Ubuntu)
Status: New => Incomplete
[Bug 314623] Re: likewise-open: allows lockout while disconnected
I'm sure I'm in a disconnected state, because I'm not physically connected to a network which can reach a DC of the domain in question. I'm not talking about a lockout of the account on the DC, I'm talking about a lockout implemented by likewise-open on its local cache. The exact error is: "The account has been automatically locked out due to too many invalid attempts to logon or change the password".
[Bug 314623] Re: likewise-open: allows lockout while disconnected
Are you sure you are in a disconnected state? I don't see how it would be possible to do what you describe since the authentication attempts are against a local cache and never sent to the DC. How are you determining you are in an offline state?