Bug 1336663 - The "Lock Account" check-box for node account can not be disabled in cockpit
Summary: The "Lock Account" check-box for node account can not be disabled in cockpit
Status: CLOSED DUPLICATE of bug 853153
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cockpit
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: pre-dev-freeze
: 7.3
Assignee: Stef Walter
QA Contact: qe-baseos-daemons
Depends On:
Blocks: ovirt-node-ng-platform
TreeView+ depends on / blocked
Reported: 2016-05-17 07:36 UTC by Wei Wang
Modified: 2016-06-24 07:36 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-06-24 07:36:22 UTC
Target Upstream Version:

Attachments (Terms of Use)
kickstart file (976 bytes, text/plain)
2016-05-17 07:36 UTC, Wei Wang
no flags Details
update ks file (1022 bytes, text/plain)
2016-05-17 08:29 UTC, Wei Wang
no flags Details
passwd before unlock (1.82 KB, text/plain)
2016-06-24 03:00 UTC, Wei Wang
no flags Details
shadow before unlock (956 bytes, text/plain)
2016-06-24 03:01 UTC, Wei Wang
no flags Details
passwd after unlock (1.82 KB, text/plain)
2016-06-24 03:01 UTC, Wei Wang
no flags Details
shadow after unlock (955 bytes, text/plain)
2016-06-24 03:02 UTC, Wei Wang
no flags Details

Description Wei Wang 2016-05-17 07:36:23 UTC
Created attachment 1158197 [details]
kickstart file

Description of problem:
The "Lock Account" check-box for node account can not be disabled in cockpit

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Automatic install machine with kickstart file in attachment
   key command
   user --name=node --password=redhat --plaintext
   user --name=weiwang --password=qweasd --plaintext
2. Login cockpit website with root account
3. Go to Account table, and select "node" account
4. Disable the check-box "Lock Account"
5. Check the status of step 4

Actual results:
The "Lock Account" check-box can not be disabled

Expected results:
The "Lock Account" check-box can be disabled from cockpit

Additional info:

Comment 1 Fabian Deutsch 2016-05-17 08:09:46 UTC
The kickstart does not contain the user --name=node directive.

Please retry with teh correct kickstart.
In addition please also provide a screenshot.

Comment 2 Wei Wang 2016-05-17 08:29:31 UTC
Created attachment 1158204 [details]
update ks file

Update kickstart file.

Comment 3 Wei Wang 2016-05-17 08:46:44 UTC
hi Fabian
The issue is a dynamic process, when you click the check-box to unlock, the tick disappeared, but after 1~2 seconds the tick is appeared automatically. The issue screenshot can not be caught easily.

Comment 4 Stef Walter 2016-05-18 05:55:13 UTC
Please describe the goal here. Why would one disable this check-box?

As it stands this seems like an enhancement rather than a bug.

Comment 5 Wei Wang 2016-05-18 07:34:11 UTC
With cockpit:
Firstly, if login with node, login failed, after install ngn host
Secondly, login with root, the "node" account is displayed. When entering node, the check-box status is operable. So it should be enabled/disabled by end-user.

so I think:
If node should not be unlocked by end-user, node account should be hidden for cockpit, or make the status for this check-box to disabled. 

I also have some confusing,node is automatically produced after install ngn host, what is the function of node in cockpit? What can we do using this account?

Comment 7 Stef Walter 2016-06-23 08:34:47 UTC
Cannot reproduce. Could you attach your /etc/shadow and /etc/passwd files before you try the unlock? And again after the unlock? 

We have a workaround for this in place, but in your case it doesn't seem to be taking effect. So I'd like to see the /etc/shadow and /etc/passwd files.

This is very likely a duplicate of: https://bugzilla.redhat.com/show_bug.cgi?id=853153

Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1142234
In addition: https://github.com/cockpit-project/cockpit/issues/1216

Stackoverflow issue: http://unix.stackexchange.com/questions/109314/two-ways-to-lock-a-password-but-only-one-to-unlock

Comment 8 Wei Wang 2016-06-24 02:59:36 UTC
Attach the /etc/shadow and /etc/passwd files before or after unlock in the attachment.

Comment 9 Wei Wang 2016-06-24 03:00:23 UTC
Created attachment 1171809 [details]
passwd before unlock

Comment 10 Wei Wang 2016-06-24 03:01:01 UTC
Created attachment 1171810 [details]
shadow before unlock

Comment 11 Wei Wang 2016-06-24 03:01:33 UTC
Created attachment 1171811 [details]
passwd after unlock

Comment 12 Wei Wang 2016-06-24 03:02:07 UTC
Created attachment 1171812 [details]
shadow after unlock

Comment 13 Stef Walter 2016-06-24 07:36:22 UTC
This is a system bug. The following command has the same behavior:

$ sudo usermod node --unlock 

The above command is what Cockpit uses to unlock the account. It results in removing one of the exclamation points from /etc/shadow. This is being fixed in Fedora and hopefully soon RHEL.

Marking a duplicate.

*** This bug has been marked as a duplicate of bug 853153 ***

Note You need to log in before you can comment on or make changes to this bug.