I left my laptop running overnight, which is unusual for me. This morning I couldn’t run my yay as the sudo password was not accepted. So I logged in as root to check the journalctl -xe, and found multiple instances of the log reporting that my account had been locked. What I want to know is why. What program is trying to gain permissions that it cannot, tries multiple times, unsuccessfully, then locks the account? Can I tell from the journal? Snippet below.
Jul 18 03:32:40 onyx-laptop sudo[101878]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:34:49 onyx-laptop nmbd[889]: [2021/07/18 03:34:49.636514, 0] ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Jul 18 03:34:49 onyx-laptop nmbd[889]: query_name_response: Multiple (2) responses received for a query on subnet 10.0.2.36 for name WORKGROUP<1d>.
Jul 18 03:34:49 onyx-laptop nmbd[889]: This response was from IP 10.0.2.10, reporting an IP address of 10.0.2.10.
Jul 18 03:37:43 onyx-laptop sudo[101975]: pam_unix(sudo:auth): conversation failed
Jul 18 03:37:43 onyx-laptop kernel: audit: type=2206 audit(1626536263.000:796): pid=101975 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Jul 18 03:37:43 onyx-laptop kernel: audit: type=1100 audit(1626536263.000:797): pid=101975 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:37:43 onyx-laptop audit[101975]: RESP_ACCT_UNLOCK_TIMED pid=101975 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Jul 18 03:37:43 onyx-laptop audit[101975]: USER_AUTH pid=101975 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:37:43 onyx-laptop sudo[101975]: pam_unix(sudo:auth): auth could not identify password for [onyx]
Jul 18 03:37:43 onyx-laptop dbus-daemon[613]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.564' (uid=0 pid=101975 comm="sudo -v ")
Jul 18 03:37:43 onyx-laptop dbus-daemon[613]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:37:43 onyx-laptop sudo[101975]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:39:57 onyx-laptop nmbd[889]: [2021/07/18 03:39:57.282242, 0] ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Jul 18 03:39:57 onyx-laptop nmbd[889]: query_name_response: Multiple (2) responses received for a query on subnet 10.0.2.36 for name WORKGROUP<1d>.
Jul 18 03:39:57 onyx-laptop nmbd[889]: This response was from IP 10.0.2.10, reporting an IP address of 10.0.2.10.
Jul 18 03:42:44 onyx-laptop sudo[102097]: pam_unix(sudo:auth): conversation failed
Jul 18 03:42:44 onyx-laptop audit[102097]: USER_AUTH pid=102097 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:42:44 onyx-laptop kernel: audit: type=1100 audit(1626536564.461:798): pid=102097 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:42:44 onyx-laptop sudo[102097]: pam_unix(sudo:auth): auth could not identify password for [onyx]
Jul 18 03:42:44 onyx-laptop dbus-daemon[613]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.565' (uid=0 pid=102097 comm="sudo -v ")
Jul 18 03:42:44 onyx-laptop dbus-daemon[613]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:42:44 onyx-laptop sudo[102097]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:44:59 onyx-laptop nmbd[889]: [2021/07/18 03:44:59.531701, 0] ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Jul 18 03:44:59 onyx-laptop nmbd[889]: query_name_response: Multiple (2) responses received for a query on subnet 10.0.2.36 for name WORKGROUP<1d>.
Jul 18 03:44:59 onyx-laptop nmbd[889]: This response was from IP 10.0.2.10, reporting an IP address of 10.0.2.10.
Jul 18 03:47:46 onyx-laptop sudo[102199]: pam_unix(sudo:auth): conversation failed
Jul 18 03:47:46 onyx-laptop audit[102199]: ANOM_LOGIN_FAILURES pid=102199 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=onyx-laptop addr=? terminal=pts/1 res=success'
Jul 18 03:47:46 onyx-laptop kernel: audit: type=2100 audit(1626536866.715:799): pid=102199 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=onyx-laptop addr=? terminal=pts/1 res=success'
Jul 18 03:47:46 onyx-laptop kernel: audit: type=2207 audit(1626536866.715:800): pid=102199 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=onyx-laptop addr=? terminal=pts/1 res=success'
Jul 18 03:47:46 onyx-laptop kernel: audit: type=1100 audit(1626536866.715:801): pid=102199 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:47:46 onyx-laptop audit[102199]: RESP_ACCT_LOCK pid=102199 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=onyx-laptop addr=? terminal=pts/1 res=success'
Jul 18 03:47:46 onyx-laptop audit[102199]: USER_AUTH pid=102199 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:47:46 onyx-laptop sudo[102199]: pam_unix(sudo:auth): auth could not identify password for [onyx]
Jul 18 03:47:46 onyx-laptop dbus-daemon[613]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.566' (uid=0 pid=102199 comm="sudo -v ")
Jul 18 03:47:46 onyx-laptop dbus-daemon[613]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:47:46 onyx-laptop sudo[102199]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Jul 18 03:47:46 onyx-laptop sudo[102199]: pam_faillock(sudo:auth): Consecutive login failures for user onyx account temporarily locked
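Added example, not part of the original post: one way to answer "can I tell from the journal?" is to group the `audit[pid]` records by PID and join them to the `dbus-daemon` activation line, which records the requesting PID together with its command string. The function name `attribute_failures` is hypothetical; the sample lines are copied from the snippet above.

```python
import re
from collections import defaultdict

# Records copied from the journal snippet above (one per kind of line).
SAMPLE = """\
Jul 18 03:42:44 onyx-laptop audit[102097]: USER_AUTH pid=102097 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:42:44 onyx-laptop dbus-daemon[613]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.565' (uid=0 pid=102097 comm="sudo -v ")
Jul 18 03:44:59 onyx-laptop nmbd[889]: This response was from IP 10.0.2.10, reporting an IP address of 10.0.2.10.
Jul 18 03:47:46 onyx-laptop kernel: audit: type=2207 audit(1626536866.715:800): pid=102199 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=onyx-laptop addr=? terminal=pts/1 res=success'
Jul 18 03:47:46 onyx-laptop audit[102199]: RESP_ACCT_LOCK pid=102199 uid=1000 auid=1000 ses=5 msg='pam_faillock uid=1000 exe="/usr/bin/sudo" hostname=onyx-laptop addr=? terminal=pts/1 res=success'
Jul 18 03:47:46 onyx-laptop audit[102199]: USER_AUTH pid=102199 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="onyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Jul 18 03:47:46 onyx-laptop dbus-daemon[613]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.566' (uid=0 pid=102199 comm="sudo -v ")
"""

LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ ([^\[:\s]+)\[\d+\]: (.*)$')
AUDIT = re.compile(r'^([A-Z_]+) pid=(\d+) ')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DBUS = re.compile(r'pid=(\d+) comm="([^"]*)"')

def attribute_failures(journal_text):
    """Group audit[pid] records by PID and attach the caller's command line."""
    attempts = defaultdict(lambda: {"events": [], "comm": None})
    for line in journal_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. "kernel: audit: type=..." duplicates of audit[pid]
        when, ident, msg = m.groups()
        a = AUDIT.match(msg) if ident == "audit" else None
        d = DBUS.search(msg) if ident == "dbus-daemon" else None
        if a:
            f = {k: v.strip("\"'") for k, v in KV.findall(msg)}
            entry = attempts[int(a.group(2))]
            entry["events"].append(a.group(1))
            entry.update(time=when, ses=f.get("ses"), exe=f.get("exe"),
                         terminal=f.get("terminal", "").replace("/dev/", ""))
        elif d:
            # dbus-daemon logs the requesting PID together with its comm string
            attempts[int(d.group(1))]["comm"] = d.group(2).strip()
    return {pid: e for pid, e in attempts.items() if e["events"]}

if __name__ == "__main__":
    for pid, e in attribute_failures(SAMPLE).items():
        print(pid, e["time"], e["exe"], e["comm"], e["terminal"], e["ses"], e["events"])
```

On these lines both PIDs resolve to `sudo -v` run from `pts/1` in audit session 5, and the `RESP_ACCT_LOCK` record belongs to PID 102199.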