Skip to content

CommandExecutionError in lgpo.set due to bad zero value for LockoutDuration #56406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lorengordon opened this issue Mar 18, 2020 · 1 comment · Fixed by #56408
Closed

CommandExecutionError in lgpo.set due to bad zero value for LockoutDuration #56406

lorengordon opened this issue Mar 18, 2020 · 1 comment · Fixed by #56408
Labels
Bug broken, incorrect, or confusing behavior fixed-pls-verify fix is linked, bug author to confirm fix P3 Priority 3 severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around ZRelease-Sodium retired label
Milestone
Approved

Comments

@lorengordon
Copy link

lorengordon commented Mar 18, 2020
edited
Loading

Steps to Reproduce Issue

On a Windows Server 2012R2 system, install salt and run the command below. Note that this issue only reproduces when LockoutThreshold is non-zero, seemingly due to some internal Windows API constraints.

C:\salt\salt-call.bat --local lgpo.set "{'LockoutThreshold': 3, 'LockoutDuration': 0, 'LockoutWindow': 60}" -l debug
# <...elided...>
[DEBUG   ] LGPO: Loading policy resources
[DEBUG   ] LazyLoaded file.file_exists
[DEBUG   ] validating 3 for policy {u'Policy': u'Account lockout threshold', u'NetUserModal': {u'Option': u'lockout_threshold', u'Modal': 3}, u'lgpo_section': [u'Computer Configuration', u'Windows Settings', u'Security Settings', u'Account Policies', u'Account Lockout Policy'], u'Settings': {u'Function': u'_in_range_inclusive', u'Args': {u'max': 1000, u'min': 0}}}
[DEBUG   ] LockoutThreshold is a NetUserModal policy
[DEBUG   ] validating 0 for policy {u'Policy': u'Account lockout duration', u'NetUserModal': {u'Option': u'lockout_duration', u'Modal': 3}, u'lgpo_section': [u'Computer Configuration', u'Windows Settings', u'Security Settings', u'Account Policies', u'Account Lockout Policy'], u'Transform': {u'Put': u'_minutes_to_seconds', u'Get': u'_seconds_to_minutes'}, u'Settings': {u'Function': u'_in_range_inclusive', u'Args': {u'max': 6000000, u'min': 0}}}
[DEBUG   ] LockoutDuration is a NetUserModal policy
[DEBUG   ] validating 3600 for policy {u'Policy': u'Reset account lockout counter after', u'NetUserModal': {u'Option': u'lockout_observation_window', u'Modal': 3}, u'lgpo_section': [u'Computer Configuration', u'Windows Settings', u'Security Settings', u'Account Policies', u'Account Lockout Policy'], u'Transform': {u'Put': u'_minutes_to_seconds', u'Get': u'_seconds_to_minutes'}, u'Settings': {u'Function': u'_in_range_inclusive', u'Args': {u'max': 6000000, u'min': 0}}}
[DEBUG   ] LockoutWindow is a NetUserModal policy
[DEBUG   ] {3: {u'lockout_observation_window': 3600, u'lockout_duration': 0, u'lockout_threshold': 3}}
[DEBUG   ] NEW MODAL SET = {'lockout_observation_window': 3600, 'lockout_duration': 0, 'lockout_threshold': 3}
[ERROR   ] An unhandled exception occurred while attempting to set policy via NetUserModalSet
Traceback (most recent call last):
  File "C:\salt\bin\lib\site-packages\salt\modules\win_lgpo.py", line 8183, in set_
    _ret = win32net.NetUserModalsSet(None, _modal_set, _newModalSetData)
error: (87, 'NetUserModalsSet', 'The parameter is incorrect.')
Traceback (most recent call last):
  File "C:\salt\bin\lib\site-packages\salt\cli\caller.py", line 212, in call
    ret['return'] = func(*args, **kwargs)
  File "C:\salt\bin\lib\site-packages\salt\modules\win_lgpo.py", line 8188, in set_
    raise CommandExecutionError(msg)
CommandExecutionError: An unhandled exception occurred while attempting to set policy via NetUserModalSet
Error running 'lgpo.set': An unhandled exception occurred while attempting to set policy via NetUserModalSet

Explanation

This errors because LockoutDuration does not actually use 0 as the zero value, but the lgpo module does not know that (yet). See the line in the output:

[DEBUG   ] NEW MODAL SET = {'lockout_observation_window': 3600, 'lockout_duration': 0, 'lockout_threshold': 3}

Similar to the transform for MaxPasswordAge, the zero value for LockoutDuration needs to be 0xffffffff. Then it magically works.

Versions Report

PS C:\Users\Administrator> C:\salt\salt-call.bat --versions-report
Salt Version:
           Salt: 2018.3.4

Dependency Versions:
           cffi: 1.10.0
       cherrypy: 10.2.1
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: 2.0.5
      gitpython: 2.1.3
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: Not Installed
        libnacl: 1.6.1
       M2Crypto: Not Installed
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.14 (v2.7.14:84471935ed, Sep 16 2017, 20:25:58) [MSC v.1500 64 bit (AMD64)]
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.3
           RAET: Not Installed
          smmap: 2.0.5
        timelib: 0.2.4
        Tornado: 4.5.1
            ZMQ: 4.1.6

System Versions:
           dist:
         locale: cp1252
        machine: AMD64
        release: 2012ServerR2
         system: Windows
        version: 2012ServerR2 6.3.9600  Multiprocessor Free
@lorengordon lorengordon mentioned this issue Mar 18, 2020
Merged
@frogunder
Copy link
Contributor

@lorengordon Thank you for reporting this issue and for the PR.

Thanks.

@frogunder frogunder added this to the Approved milestone Mar 18, 2020
@frogunder frogunder added Bug broken, incorrect, or confusing behavior fixed-pls-verify fix is linked, bug author to confirm fix severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around P3 Priority 3 labels Mar 18, 2020
@sagetherage sagetherage added the ZRelease-Sodium retired label label Mar 20, 2020
lorengordon added a commit to lorengordon/salt that referenced this issue Apr 15, 2020
@lorengordon
Uses correct zero value for lgpo LockoutDuration
4e18d97 
Fixes saltstack#56406
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior fixed-pls-verify fix is linked, bug author to confirm fix P3 Priority 3 severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around ZRelease-Sodium retired label
Projects
None yet
Milestone
Approved
Development

Successfully merging a pull request may close this issue.

Uses correct zero value for lgpo LockoutDuration lorengordon/salt
3 participants
@frogunder @lorengordon @sagetherage