Accounts Locked Out


mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Tue Jul 17, 2007 10:24 am

ametade wrote:Hi there,

I'm having the same problem with half of the email accounts mysteriously locked at a Scalix 11.1.0 server. Did anybody manage to understand this strange problem?


Unfortunately I never was able to figure out what was locking them, and I finally just gave up trying for a while. I have made this script to unlock all accounts during the daily maintenance cycle, which isn't quite secure, but what I had to do to give myself some sanity.

Code:

#!/usr/bin/perl

if ( @array = `/opt/scalix/bin/omshowu -m all -l` ) {
   print "\nThis script lists and unlocks all accounts that are locked out on a daily basis.\n";
   print "\n\n\nAccounts Locked:\n";
   foreach ( @array ) {
      print "$_";
   }

   print "\n\n\nUnlocking Accounts:\n";

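   foreach ( @array ) {
      print "\nWorking on " . $_;
      s/\n//g;
      # List-form system() passes the name as one argument and bypasses the shell,
      # so spaces or quotes in a name cannot break the command.
#      print ( "ommodu \"$_\" -k\n" );
      system ( "/opt/scalix/bin/ommodu", $_, "-k" );
   }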

   print "\n\nAll accounts should now be unlocked!\n";

   }
   else {
      print "\nThere are not any locked out accounts at this time!\n \n \n";
      print "                      YAY!!!!!\n\n";
   }


I just added a line to the ommaint daily portion calling this script, the same way I have it call my backup script (I run it before my backup, for obvious reasons).

If anyone does come up with some sort of explanation, or a way to finally find out why the accounts are being locked out, I'd love to hear about it!!!

Mito

ametade

Postby ametade » Fri Jul 27, 2007 6:14 am

I haven't yet found a reason for this to happen...

Mito, thanks for your script. I'm using it to unlock the accounts.

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Fri Jul 27, 2007 6:34 am

Rather than just unlocking, you may as well set the password retries to no limit

omconfpwd -k 0

I am sure your security guys will not be happy though.

Very strange that nothing is logged in your audit log though, even after setting the log levels.

Mick

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Fri Jul 27, 2007 7:20 pm

mikethebike wrote:Rather than just unlocking, you may as well set the password retries to no limit

omconfpwd -k 0

I am sure your security guys will not be happy though.

Very strange that nothing is logged in your audit log though, even after setting the log levels.

Mick


Because this isn't due to someone failing to login to the accounts.... it's happening on its own... (as I said, there was an account that had a last name that is so obscure that it'd never be guessable, and the user didn't know he had been hired yet so he hadn't tried to check it yet... and yet it was still getting locked out...)

Anyways, I don't know what I did but I haven't had an account locked out for almost two weeks... I'll have to check and see if I can figure out what I did to fix it for future reference...

Mito

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Mon Jul 30, 2007 5:33 am

Were the accounts "locked" or "expired"? Maybe the account is expiring?
omshowpwd will show the number of days before the account will expire (if no-one logs into it)

Maybe check that you have audit logging turned on to see if there are invalid attempts omshowaud
make sure remote client interface is set to 9..gives plenty of info
omconfaud rci 9

You can also see if users have had invalid attempts, and how many by:

omsearch -d userslit -t hh -e s=*/UL-TYPE=PrimeRecip -m s/g/ul-badpwd

The ul-badpwd attribute will keep incrementing even if the account is locked and there continues to be bad login passwords

Mick

AaronM503
Posts: 25
Joined: Thu Jun 14, 2007 10:16 pm

Postby AaronM503 » Thu Aug 02, 2007 4:29 pm

omsearch -d userslit -t hh -e s=*/UL-TYPE=PrimeRecip -m s/g/ul-badpwd


I just can't seem to get this command to work. Does this work for 11.1.0 servers? If it does, could you give a little more detail on what each flag is calling for or what has to be enabled for it to show the ul-badpwd?

I have tried this: omsearch -e S=<user name> and I don't see anything regarding the ul-badpwd. Perhaps I'm using the wrong directory?

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Fri Aug 03, 2007 10:04 am

mmm...real bad typing!!!!

omsearch -d userlist -t h -e s=*/UL-TYPE=PrimeRecip -m s/g/ul-badpwd

so "omsearch -d userlist"
search the "userlist" directory...where most of the mailbox account details are held

-t h

type of directory is "hidden"

-e s=*/UL-TYPE=PrimeRecip

s=*...all mailboxes with a surname defined, type of entry is prime recipient

-m

the attributes to be returned...it would look real messy with all the attributes

Mick

chris
Scalix Star
Posts: 321
Joined: Mon May 09, 2005 2:56 pm
Location: Freiburg, Germany

Postby chris » Sat Aug 11, 2007 5:32 am

Hi - something is clearly strange here.

First off - how are you configuring auditing? Are you setting audit levels with omconfaud, or changing the audit.cfg?

I'd recommend leaving the .cfg vanilla - you can get an original copy from /opt/scalix/template/release.sys/audit.cfg which would probably be a good start.

Then configure auditing with omconfaud (check with omshowaud)

At this point the audit log should start getting filled.

The next thing I'd be curious about would be the bad password count for those users. Do an omsearch -e "UL-BADPWD=*" -t h -d userlist -s -m cn/ul-badpwd - that'll give you the names of anyone with failed login attempts and the number of failed logins. You might even want to run a cron job doing that every 10 minutes for 24 hours just to see if there are bad logins at night or something.

Let us know about both of the above and we'll see if we can't progress this.

Chris
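
The periodic check suggested in the post above, sketched as an added example that is not part of the original post or Scalix's own tooling: it keeps the previous counts and logs a timestamped line for each account whose bad-password count rose, so increments can be matched against scheduled jobs. The omsearch output format, the omsearch path and the state and log file names are assumptions.

```shell
#!/bin/sh
# Added example: record which accounts' UL-BADPWD count rose since the last run.
# ASSUMPTION: omsearch prints one entry per line as "CN=<name>/UL-BADPWD=<n>".
STATE=${STATE:-$HOME/badpwd.last}        # hypothetical state file
LOG=${LOG:-$HOME/badpwd-changes.log}     # hypothetical log file

# Read omsearch entry lines on stdin, print "<name><TAB><count>".
parse_badpwd() {
    awk -F/ '{
        name = ""; n = ""
        for (i = 1; i <= NF; i++) {
            if (toupper($i) ~ /^CN=/)        name = substr($i, 4)
            if (toupper($i) ~ /^UL-BADPWD=/) n = substr($i, 11)
        }
        if (name != "" && n ~ /^[0-9]+$/) print name "\t" n
    }'
}

# badpwd_diff OLD NEW: print "<name> <old> -> <new>" for every count that rose.
# Accounts absent from OLD are treated as having had a count of 0.
badpwd_diff() {
    awk -F'\t' 'FILENAME == ARGV[1] { old[$1] = $2; next }
        !($1 in old) || $2 + 0 > old[$1] + 0 {
            printf "%s %s -> %s\n", $1, (($1 in old) ? old[$1] : 0), $2
        }' "$1" "$2"
}

# Cron entry point; does nothing on a host without Scalix installed.
if [ -x /opt/scalix/bin/omsearch ]; then
    new=$(mktemp) || exit 1
    /opt/scalix/bin/omsearch -e "UL-BADPWD=*" -t h -d userlist -s \
        -m cn/ul-badpwd | parse_badpwd > "$new"
    [ -f "$STATE" ] || : > "$STATE"
    badpwd_diff "$STATE" "$new" | while IFS= read -r line; do
        printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
    done >> "$LOG"
    mv "$new" "$STATE"
fi
```

Run it from the Scalix administrator's crontab at the chosen interval; each log line names the account and the old and new counts.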

massspec

Postby massspec » Tue Oct 09, 2007 4:01 pm

Has this issue been resolved? I am getting random lock outs from users as well. When I run the command

omsearch -e "UL-BADPWD=*" -t h -d userlist -s -m cn/ul-badpwd

I see the user that is locked, but sometimes that user's profile in SAC will not show the user locked, sometimes it will. However I am able to unlock that user with the command

ommodu "username" -k

thanks!

kcsc
Posts: 62
Joined: Thu Oct 04, 2007 11:35 am
Location: US

Postby kcsc » Tue Dec 11, 2007 12:32 pm

Code:

omtidyallu -d -k -T w -a 30 -or -a c -T p -a 30


seems to increment BADPWD on several accounts but not all. I think my SA-LEARN script using mailboxadmin may also be doing this, have not verified that one yet. The omtidyallu does seem to perform the expected task on all users. Is there something wrong with the use of this command? It doesn't seem to increment or not increment users that follow any pattern, but does seem to affect most users. Anyway these two functions may be the cause of other people's problems of lockouts as well.

Richard Hall
Scalix
Posts: 147
Joined: Fri May 20, 2005 5:37 am

Postby Richard Hall » Thu Dec 13, 2007 9:51 am

Thanks for tracking this problem down. I've added a bug report for it:
http://bugzilla.scalix.com/show_bug.cgi?id=16317

Cheers - Richard

Mon1018
Posts: 14
Joined: Sat Oct 20, 2007 5:38 am
Contact:

Postby Mon1018 » Sun Dec 16, 2007 5:50 am

is that you leaves their PC logged in with some automatic email logins?
so.. :shock:

