Locked Accounts not resetting

[michaelb]

Hi,

Running ZCS 4.5.5 and I have had reported from a user that they are unable to log in.

Checking acctount details, the account is locked as per the configuration for security (5 failed attempts within 1hr locks account for 1hr).

Problem is, the account has not reset. It has been locked for over 24hrs.

Also note that there is a time difference between Zimbra timestamps and system time that is NOT equal to timezone offset.

Any clues.

Thanks.
Michael

zmprov ga <user>

mail: <user>
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
userPassword: VALUE-BLOCKED
zimbraAccountStatus: lockout
zimbraAdminAuthTokenLifetime: 12h
zimbraLastLogonTimestamp: 20070718003646Z
zimbraPasswordEnforceHistory: 0
zimbraPasswordLocked: FALSE
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutFailureLifetime: 1h
zimbraPasswordLockoutFailureTime: 20070723114149Z
zimbraPasswordLockoutLockedTime: 20070722095815Z
zimbraPasswordLockoutMaxFailures: 5
zimbraPasswordMaxAge: 0
zimbraPasswordMaxLength: 12
zimbraPasswordMinAge: 0
zimbraPasswordMinLength: 6
zimbraPasswordMinLowerCaseChars: 0
zimbraPasswordMinNumericChars: 1
zimbraPasswordMinPunctuationChars: 0
zimbraPasswordMinUpperCaseChars: 0
zimbraPasswordModifiedTime: 20070718004154Z
zimbraPrefTimeZoneId: (GMT+10.00) Canberra / Melbourne / Sydney


From audit.log

2007-07-22 19:58:15,000 INFO [http-80-Processor97] [ua=ZimbraWebClient - IE6 (Win);ip=59.101.221.125;] security - cmd=Auth; account=<user>@pakenhamses.com.au; error=account lockout due to too many failed logins;

[mmorse]

Welcome to the forums,

Are you sure he's not using a client that's trying to re-connect with the bad password? thus hence locking it further...
unlock with:
zmprov ma user@pakenhamses.com.au zimbraAccountStatus active

[michaelb]

mmorse,

Thanks for your reply.

I am aware of how to reset manually. As the original post explains, this account is not being reset back in to an active state after the 1hr timer.

There is no indication that it is even being attampted.

I have checked the logs, and there was a period of approx 12hrs or so where there was no login attempts on this account.

All the users are encouraged to use the web client as we are making extenisve use of the calendar.

Any ideas on where/what to check to see if Zimbra is even attempting to unlock the account?

Regards,
Michael.

[jholder]

ahem-
Please upgrade to 4.5.6

Also, can you reset the account again, then post the output of mailbox.log

[michaelb]

Thank jholder.

I will ivestigate upgrade to 4.5.6 (after problems with upgrade from 4.5.0 to 4.5.5).

I have reset the account and password and logged on as the user (1 attempt failed due to typo in domain) and attached the maillog from toady.

Hope this can shed some light on the problem.

Regards,
Michael

[jholder]

Michael-
I noticed some things in the logs that I asked for our engineering department to look at.

Thanks
john

[michaelb]

John,

I have reviewed the updates made in the newer version. None of the "fixes" have any impact on locked accounts, and in fact, verry few of them actually have any impact on the Community Version (most seemed to deal with Network Edition and Outlook).

At this point, there does not appear to be any advantage to be gained by performing an upgrade.

How did the engineers go with the details I provided last week?

Regards,
Michael

[administrator]

between 4.5.0 and 4.5.6?

I'm afraid you are mistaken: There are MANY MANY bug fixes (over 300 by my count).

[michaelb]

As I indicated in my previous post, I did not indate a quatity of fixes, only that I have looked at the bug list as per the release notes and there does NOT appear to be ANY bug fixes for the issue reported in this thread.

If there is please provide details of the references.

Also, I asked for an update on what the engineers found. This has still not been provided (nor has any details about what required forwarding of this issue to engineers in the first place).

[jholder]

In general, we encourage all of our users to maintain the latest build.
Also, keep in mind that we do not make all bugs public, for various reasons.

In order for myself, or any other member of the forums team to help you, we strongly encourage you to upgrade.

The two errors I asked about were:

Code:

2007-07-24 10:35:34,748 INFO  [ImapServer-656] [] ProtocolHandler - Exception occurred while handling connection

java.net.SocketException: Connection reset

        at java.net.SocketInputStream.read(SocketInputStream.java:168)

        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)

        at java.io.BufferedInputStream.read(BufferedInputStream.java:235)

        at com.zimbra.cs.tcpserver.TcpServerInputStream.readLine(TcpServerInputStream.java:81)

        at com.zimbra.cs.imap.ImapRequest.continuation(ImapRequest.java:156)

        at com.zimbra.cs.imap.ImapHandler.processCommand(ImapHandler.java:226)

        at com.zimbra.cs.tcpserver.ProtocolHandler.processConnection(ProtocolHandler.java:231)

        at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:198)

        at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)

        at java.lang.Thread.run(Thread.java:595)

2007-07-24 10:35:34,749 INFO  [ImapServer-656] [] imap - [144.135.112.170] exception while closing connection

java.net.SocketException: Broken pipe

        at java.net.SocketOutputStream.socketWrite0(Native Method)

        at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)

        at java.net.SocketOutputStream.write(SocketOutputStream.java:136)

        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)

        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)

        at com.zimbra.cs.imap.ImapHandler.sendLine(ImapHandler.java:2099)

        at com.zimbra.cs.imap.ImapHandler.sendResponse(ImapHandler.java:2089)

        at com.zimbra.cs.imap.ImapHandler.sendUntagged(ImapHandler.java:2078)

        at com.zimbra.cs.imap.ImapHandler.dropConnection(ImapHandler.java:2048)

        at com.zimbra.cs.imap.ImapHandler.dropConnection(ImapHandler.java:2034)

        at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:210)

        at EDU.oswego.cs.dl.util.concurrent.Pool

and 

com.zimbra.cs.account.AccountServiceException: invalid attr name: [LDAP: error code 17 - password: attribute type undefined]

        at com.zimbra.cs.account.AccountServiceException.INVALID_ATTR_NAME(AccountServiceException.java:115)

        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:297)

        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:276)

        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:256)

        at com.zimbra.cs.service.admin.ModifyAccount.handle(ModifyAccount.java:88)

        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:270)

        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:168)

        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:90)

        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)

        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:162)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)

        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

        at java.lang.Thread.run(Thread.java:595)

Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - password: attribute type undefined]; remaining name 'uid=craig.bonsor,ou=people,dc=pakenhamses,dc=com,dc=au'

        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3054)

        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)

        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)

        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1437)

        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)

        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)

        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)

        at com.zimbra.cs.account.ldap.LdapUtil.modifyAttributes(LdapUtil.java:1053)

        at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:595)

        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:294)

        ... 25 more

To wish I was asked to ask you to upgrade to see if that fixes your issue.

If you do not wish to upgrade, I understand, however, it's illogical to say:
It doesn't work, but I won't upgrade.

In an enterprise environment, I 100% understand not wanting to take your system down, but there is one particularly bad bug that can cause mail/accounts to be lost, see:
ZCS Critical Bug Alert

Ultimately, the choice to upgrade is your choice, and we will support you no matter what you choice. I just have to ask you to upgrade, as we don't know if that will fix your issue.

Sincerely,
john