Difference between revisions of "Cool Solution - Account lockout"
From Univention Wiki
Revision as of 11:46, 9 July 2018
UCS unifies different methods to authenticate and authorize users. Depending on the installed software components, there can be different mechanisms which count failed login attempts.
No matter how the account has been locked, you can reset it from the Univention Management Console by entering a new password for the user.
Failed Login Counters
UCS without Samba Active Directory
When using UCS without Samba AD, the complete password settings are found in the Univention Configuration Registry. The following variables define the password settings:
||This Variable controls whether the login limits apply. Set it to "yes" to activate the failed login counter|
||Enter an integer to limit the number of failed logins|
||By default root is not limited in the number of passwords one can try. Set this variable to "yes" to subject root to the same checks.|
||By default, each system counts on its own, whether an account is locked. Set this variable to yes to ensure, that the state is saved in the LDAP and the lock is transferred over to all systems|
||By default, the account is active until an administrator resets the password or disables the lock. You can set a time in seconds here if you would like the account to unlock automatically.|
UCS with Samba Active Directory
UCS with Samba AD handles logins on clients differently than logins on servers. The above still applies to any authentication requests against the standard PAM stacks of UCS (such as logins to a UCS server and UCC clients). However, login attempts using Kerberos are handled by Samba AD. To limit those login attempts (e.g. Windows Clients or Ubuntu clients), you need to set a limit in Samba AD itself. To do this, log into the console of your server as root. Once you are logged in, you can use the Samba tools to see and set the applicable password policy. The commands are:
||Shows the currently set password settings|
||Sets the number of minutes an account is locked after too many wrong passwords were entered|
||Sets the number of times a user can try to enter a password|
||Sets the time after which the counter is reset. If an account is automatically unlocked, but the counter is not reset, then a single wrong password will lock the account again.|
Synchronization between the two
As of UCS 4.2 the two counters are not synchronized. This means, that a user, can in theory try to login first on a Windows Client and then on UCS. However, once one of the counters is hit, the lockout state of the account will be synchronized and the login will not be possible at any of the two (if auth/faillog/lock_global has been enabled).
In UCS 4.3 the Samba/AD lockout state is also shown in UMC and an account lockout can be reset via UMC too. If auth/faillog/lock_global has been activated on a server, then an excess of PAM login failures to that server triggers not only lockout but deactivates the account. This account state is also shown and manageable in the UMC.
Ubuntu client integration
The Ubuntu integration makes heavy use of
sssd to cache credentials. To lock the client even if it cannot reach the server, set the following entries in the PAM configuration:
||How many failed logins are allowed, while the server cannot be reached|
||How long, before the sure can try again to log in after the threshold has been reached|
Please note, that these settings only apply while the client cannot reach any UCS Server. Once a Server becomes available, the client will report any failed logins and apply the server settings to these failed logins.