likewise-open: allows lockout while disconnected

Are you sure you are in a disconnected state. I don't see it would be possible to do what you describe since the authentication attempt are against a local cache and never sent to the DC.

How are you determining you are a offline state?

I'm sure I'm in a disconnected state, because I'm not physically connected to a network which can reach a DC of the domain in question.

I'm not talking about a lockout of the account on the DC, I'm talking about a lockout implemented by likewise-open on its local cache.

The exact error is: "The account has been automatically locked out due to too many invalid attempts to logon or change the password".

I can't reproduce that.
With the DC shut down I've ssh-ed in and typed 15 wrong passwords... but could still connect using cached credentials on the 16th attempt.
Could you please explain what I could do to reproduce the issue ?

I tested by disabling the network (unchecking "Enable networking" on the network manager applet in GNOME). I've also done it by simply unplugging the network cable.

I used 'su - $USER', using a gnome-terminal session while logged in to the GNOME desktop.

One incorrect, then one correct, allowed me to log in (using cached credentials).
Two incorrect, then one correct, allowed me to log in (again, using cached credentials).

Three incorrect, then one correct, did not allow me to log in, giving the above error.

'sudo -i' gave similar results, although it prompted multiple times for the password at one invocation rather than simply reporting 'Authentication failure' at the first failed attempt on each invocation.

In both cases, a correct password on the fourth or greater attempt will display the error.

I tried to reproduce with the exact same instructions with likewise-open on a Jaunty desktop, without success.
Three incorrect, then one correct, I can still log in with cached creds, as expected.

Could you please indicate what version of Ubuntu you're running, and the version of the likewise-open package.
The error message you get should only be returned if the DC locked the account. So if you can still reproduce it, could you check the status of the domain account before and after the test.

Ubuntu Jaunty, likewise-open version 4.1.2982-0ubuntu2.

The domain account is never locked out, because the incorrect passwords were entered with the machine disconnected from the network. Therefore there is no way for the DC to even know about the login attempts.

relevant sections of my pam config files (as set up by pam-auth update; comments are removed.

common-auth:
auth [success=2 default=ignore] pam_lwidentity.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

common-account:
account [success=2 default=ignore] pam_lwidentity.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_lwidentity.so
session required pam_unix.so
session optional pam_ck_connector.so nox11

turning on debug in pam_lwidentity.conf, my /var/log/auth.log tells me the following:

May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): [pamh: 0x80dc138] ENTER: pam_sm_authenticate (flags: 0x0000)
May 5 12:25:55 host su[8722]: pam_lwidentity(su:auth): getting password (0x00000000)
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7
May 5 12:25:56 host su[8722]: pam_lwidentity(su:auth): [pamh: 0x80dc138] LEAVE: pam_sm_authenticate returning 7

May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): [pamh: 0x8471138] ENTER: pam_sm_authenticate (flags: 0x0000)
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): getting password (0x00000000)
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7
May 5 12:25:59 host su[8726]: pam_lwidentity(su:auth): [pamh: 0x8471138] LEAVE: pam_sm_authenticate returning 7

May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): PAM config: global:krb5_ccache_type 'FILE'
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): failed to get GP info
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): [pamh: 0x84ac138] ENTER: pam_sm_authenticate (flags: 0x0000)
May 5 12:26:02 host su[8727]: pam_lwidentity(su:auth): getting password (0x00000000)
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): Verify user 'DOMAIN\user'
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): enabling krb5 login flags
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): enabling cached login flag
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): request failed: Logon failure, WBL error was Logon failed due to bad username or password (6), NT error was NT_STATUS_LOGON_FAILURE, PAM error 7
May 5 12:26:03 host su[8727]: pam_lwidentity(su:auth): [pamh: 0x84ac138] LEAVE: pam_sm_authentica...

I reproduce the exact same log lines when I am connected to the DC, once I set up the lockout policy.

However when I'm disconnected, I get the same logs for the first 3 attempts but the 4th one (with the right password) succeeds with:
...
pam_lwidentity(su:auth): enabling request for a FILE krb5 ccache type
pam_lwidentity(su:auth): Received UPN of user@DOMAIN user@DOMAIN
pam_lwidentity(su:auth): User DOMAIN\user logged on using cached credentials
...

Did you set anything special in pam_lwidentity.conf or lwiauthd.conf ? Can you reproduce the issue on a clean setup ?

I am working to deploy Ubuntu 9.04 in a medium sized Windows network, using Likewise-open for domain authentication... and I have seen this happen on two separate occasions over the course of about 4 months. I don't have any log files or anything, but here is what I experienced.

1) I went on vacation and let my password expire. I came in to work and changed my password on a Windows PC. When I logged on to my Ubuntu laptop, I used cached credentials (as I do everyday, due to PEAP authentication on the wireless) and all was good for a few hours. My domain account started getting locked out on the DC, so I rebooted my Ubuntu laptop to try and update my credentials while hard wired in to the network. The "account" became locked on the Ubuntu machine, and would not let me login. The error was simply "Authentiction Failed". After waiting it out for approximately 2 hours, I could login again.

2) I had a user on a slow laptop as a test subject for Ubuntu to see if it was a viable option for working in a Windows environment of SQL servers, Terminal Servers, IM, Email, etc... and found that after serveral months of testing was fine. I issued a new, faster laptop to said user, and while hard wired in to the network was able to successfully login and transfer all of their files. The next morning, while hard wired in to the network - the user could not login... error was simply "Authenticaiton Failed".
As a workaround had them login as the root user... then after about a 2 hour wait, they could login using their domain account.

I would like to know what function is failing, &/or how to "unlock" an account when this happens.

- Justin

Justin, I think your problem is different than this one. All your problems occur while connected to the network.

Thierry: i have not touched lwiauthd.conf or pam_lwidentity.conf, except to turn on debugging in pam_lwidentity.conf

[Expired for likewise-open (Ubuntu) because there has been no activity for 60 days.]