This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Beware of v15.2 - Password Expiry Bug

chrisrow over 3 years ago

Just a heads up for the bold updaters our there We just performed an upgrade from 15.1.7u5 to 15.2.0 and had to revert back to the old version with the hour... Had dozen of customers calling, because they could no longer sign in, because apparently their password was expired and they were forced to set a new one. We could also verify that behavior with accounts of our own. This of course despite the fact that the password expire option was and is disabled on all levels. (user, domain, global) We did not have time to perform extensive tests, but the problem seems to only happen for web bases logons. (would make sense, as FTP/SCP does not know any method to force a password change)

0 calc2014 over 3 years ago

Thanks for posting this chrisrow
I have just made a detailed post to Solarwinds because apparently this is intentional! Here is my post about why it is entirely unworkable..
https://thwack.solarwinds.com/t5/Serv-U-FTP-Server-MFT-Server/Serv-U-15-2-Forced-Password-change-for-ALL-accounts-entirely/td-p/595394
Please share your thoughts too as this has to be reversed.
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 3 years ago

chrisrowWould also be interested to know if FTP/SFTP accounts could still successfully log in using their current password or were they just disconnected/denied access? Would be a nightmare for automated processed for example.
You raised an important point - what happens if they have to change their password but the setting for ability to change password is not enabled on their account?
Appreciate your input!
Cancel
Vote Up 0 Vote Down

Cancel
0 chrisrow over 3 years ago in reply to calc2014

Sorry, did not have time to investigate to much, as in our case it's a production system with thousands of user accounts across many different domains. (managed by the customers themselves) For the time we were running with v15.2 (~1 hour) I remember seeing quite a bunch of logged in users doing some file uploads/download. So I just assumed that FTP/SCP still works, as I can not imagine that all these customers/users already re-set their password. I did also not check or play around with the option of allowing/disallowing a password reset. But I assume they cannot do that, if they don't have this permission - even in this current case.
Cancel
Vote Up 0 Vote Down

Cancel
0 ivodlouhy over 3 years ago in reply to calc2014

Thank you for these comments. As described in different thread we are aware about the problem and working on resolution with aim to publish it soon. Solution has been identified and it is being implemented and verified now.
This Serv-U version 15.2 shouldn't be applied for installations with automated users or generally users who don't have access to Serv-U web ftp client as they are prompted to change password and it is not possible without login via web ftp client so their access will not work. In case Serv-U 15.2 is applied for this type of implementation current workaround is to revert version 15.2. We will inform about new version without this limitation soon.
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 3 years ago in reply to ivodlouhy

ivodlouhyThanks for the update, it is very very important that this is a seamless transition to the new password encryption method, as descbied in my post here..
https://thwack.solarwinds.com/t5/Serv-U-FTP-Server-MFT-Server/Serv-U-15-2-Forced-Password-change-for-ALL-accounts-entirely/m-p/595394/
For it to work for your customers it must migrate the password to the new method without requiring intervention from the user or admin - as many of us have literally thousands of accounts and it would be impossible to manage this process for both user or automated accounts.
We look forward to the update.
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 3 years ago

For anyone following, this was resolved in 15.2.1, thanks to ivodlouhy
Released here: https://thwack.solarwinds.com/t5/Serv-U-FTP-Server-MFT-Server/Serv-U-FTP-Server-and-Serv-U-MFT-Server-version-15-2-1-are-now/m-p/596282
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 3 years ago

I think there may be a bug in the patch for this (15.2.1.446) that has started as of 26th September to disable accounts that use Public Key authentication as the password encryption method is not being updated by Serv-U. Even though the accounts do not use a password, Serv-U is disabling the account and groups it is associated with, every time the user tries to connect.
More details on this new thread:
https://thwack.solarwinds.com/t5/Serv-U-FTP-Server-MFT-Server/Users-and-Groups-Randomly-Disabled-Bug-related-to-password/m-p/605612#M1728
Please help ivodlouhy
chrisrowAre you having the same issue?
Cancel
Vote Up 0 Vote Down

Cancel