You are not logged in.

#1 2020-08-25 06:49:58

waldauf
Member
Registered: 2012-07-15
Posts: 133

[SOLVED] User account is locked without evident reason

Hello,

I have trouble log in into my system. After reboot, I see the SDDM login screen. This is one place where I can log in. I'm not possible to unlock screen saver or in TTY where I see (after login attempt):

Arch Linux 5-8-3-arch1-1 (tty5)
jenpockej login: waldauf
The account is locked due to 3 failed logins.
(7 minutes left to unlock)

... countdown doesn't work because I'm not possible to log in after 7 minutes. I waited 10 minutes but without success.

Also sudo doesn't work.


journalctl logs - these lines are repeated every time

Aug 25 08:42:18 jenpockej sudo[83645]: pam_systemd_home(sudo:auth): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
Aug 25 08:42:18 jenpockej sudo[83647]: pam_unix(sudo:auth): conversation failed
Aug 25 08:42:18 jenpockej sudo[83647]: pam_unix(sudo:auth): auth could not identify password for [waldauf]
Aug 25 08:42:18 jenpockej dbus-daemon[1037]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.1201' (uid=0 pid=83647 comm="sudo smartctl -a /dev/nvme0n1 ")
Aug 25 08:42:18 jenpockej dbus-daemon[1037]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.

chage -l waldauf

Last password change                                    : Mar 05, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

/etc/pam.d/system-login:

#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so           user_readenv=1

/etc/security/faillock.conf:

# Configuration for locking the user after multiple failed
# authentication attempts.
#
# The directory where the user files with the failure records are kept.
# The default is /var/run/faillock.
# dir = /var/run/faillock
#
# Will log the user name into the system log if the user is not found.
# Enabled if option is present.
# audit
#
# Don't print informative messages.
# Enabled if option is present.
# silent
#
# Don't log informative messages via syslog.
# Enabled if option is present.
# no_log_info
#
# Only track failed user authentications attempts for local users
# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
# The `faillock` command will also no longer track user failed
# authentication attempts. Enabling this option will prevent a
# double-lockout scenario where a user is locked out locally and
# in the centralized mechanism.
# Enabled if option is present.
# local_users_only
#
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
# deny = 3
#
# The length of the interval during which the consecutive
# authentication failures must happen for the user account
# lock out is <replaceable>n</replaceable> seconds.
# The default is 900 (15 minutes).
# fail_interval = 900
#
# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
# unlock_time = 600
#
# Root account can become locked as well as regular accounts.
# Enabled if option is present.
# even_deny_root
#
# This option implies the `even_deny_root` option.
# Allow access after n seconds to root account after the
# account is locked. In case the option is not specified
# the value is the same as of the `unlock_time` option.
# root_unlock_time = 900
#
# If a group name is specified with this option, members
# of the group will be handled by this module the same as
# the root account (the options `even_deny_root>` and
# `root_unlock_time` will apply to them.
# By default, the option is not set.
# admin_group = <admin_group_name>

Any idea how to fix it, please?

Last edited by waldauf (2020-08-25 13:15:49)

Offline

#2 2020-08-25 10:23:39

drrossum
Member
From: Chicago
Registered: 2009-02-24
Posts: 82

Offline

#3 2020-08-25 10:46:28

waldauf
Member
Registered: 2012-07-15
Posts: 133

Re: [SOLVED] User account is locked without evident reason

Thx for your post. I don't have any *.pacnew file in /etc/pam.d and don't use pam_tally module in login:

# grep tally /etc/pam.d/*
#
# fd -e pacnew 
#

Last edited by waldauf (2020-08-25 10:48:26)

Offline

#4 2020-08-25 13:06:03

seth
Member
Registered: 2012-09-03
Posts: 49,981

Offline

#5 2020-08-25 13:15:29

waldauf
Member
Registered: 2012-07-15
Posts: 133

Re: [SOLVED] User account is locked without evident reason

Thanks seth! I fixed it: In file /etc/security/faillock.conf - I set 'deny = 0'.

But still - I think this is a bug that should be fixed.

Offline

#6 2020-08-25 14:08:35

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: [SOLVED] User account is locked without evident reason

Hence the bug ;-)

If you can provide additional data there (eg. if you actually fumbled the password 3 or more times to run into this etc.) this might help to fix it.

Edit: sentences need an end…

Last edited by seth (2020-08-25 14:09:33)

Offline

Board footer

Powered by FluxBB