forum.opsi.org

opsi support forum
https://forum.opsi.org/

OPSI Login Blocker Never Unblocks

https://forum.opsi.org/viewtopic.php?t=14724

Seite 1 von 1

OPSI Login Blocker Never Unblocks

Verfasst: 12 Aug 2025, 13:18
von mart660d
opsiclientd v4.2.0.159
opsi_loginblocker v4.2.0.5

Hello!

We've encountered a strange issue in our environment, where on some clients (we haven't been able to find a common thread yet) opsi_loginblocker never unblocks login, leading to these clients becoming unusable.

It is possible to execute actions through opsi-client-agent on the clients, meaning opsiclientd is running, and re-installing opsi-client-agent with the loginblockerstart property set to off does fix the issue, so the overarching blame seems to lie with opsi_loginblocker.

What we haven't been able to figure out is what's causing opsi_loginblocker to never unblock.
It doesn't adhere to the 120 second timeout set in the registry database on the clients, so I'm guessing that opsi_loginblocker is not properly receiving the request from opsiclientd to unblock login.

What could be causing this issue? Any input on this would be greatly appreciated, as well as requests for any logs that could be useful in identifying the problem!

Re: OPSI Login Blocker Never Unblocks

Verfasst: 12 Aug 2025, 15:09
von j.schneider
Hello,

you can check the logfile c:\opsi.org\log\opsi_loginblocker.log to see if it contains any clues about the cause.
Please note that opsi 4.2 has reached End-of-Life, so I strongly recommend upgrading the environment to opsi 4.3.

Best regards,
Jan Schneider

Re: OPSI Login Blocker Never Unblocks

Verfasst: 13 Aug 2025, 11:33
von mart660d
j.schneider hat geschrieben: 12 Aug 2025, 15:09 Hello,

you can check the logfile c:\opsi.org\log\opsi_loginblocker.log to see if it contains any clues about the cause.
Please note that opsi 4.2 has reached End-of-Life, so I strongly recommend upgrading the environment to opsi 4.3.

Best regards,
Jan Schneider
Thanks for the reply Jan

It was our intention to upgrade our OPSI environment to 4.3 during the summer vacation weeks, but non-compliant clients put a stop to that, and were why we unearthed this problem in the first place. It is our intention to go forward with the upgrade as soon as all prerequisites have been taken care of :)

First off, here is an example of how a normal execution of opsi login blocker looks:

Code: Alles auswählen

[1] [2025-08-13 10:15:14.736] [] --------------------------------------------------------------------------------------------------------------
[1] [2025-08-13 10:15:14.737] [] opsi login blocker version 4.2.0.5 initializing on Windows 10 (or above) (credential provider filter)
[1] [2025-08-13 10:15:14.737] [] --------------------------------------------------------------------------------------------------------------
[5] [2025-08-13 10:15:14.737] [] Getting config from registry
[5] [2025-08-13 10:15:14.737] [] log level is: 5
[3] [2025-08-13 10:15:14.738] [] Failed to query registry key 80000002, subKey SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{d2028e19-82fe-44c6-ad64-51497c97a02a}, valueName LoginBlockerLogDir: 234
[3] [2025-08-13 10:15:14.738] [] Failed to get LoginBlockerLogDir value from registry, using default
[5] [2025-08-13 10:15:14.738] [] OpsiCredentialProviderFilter is enabled
[5] [2025-08-13 10:15:14.738] [] OpsiCredentialProvider is enabled
[5] [2025-08-13 10:15:14.738] [] LoginBlockerTimeoutConnect is 120 seconds
[1] [2025-08-13 10:15:14.739] [] opsi login blocker version 4.2.0.5 initialized on Windows 10 (or above)
[5] [2025-08-13 10:15:14.739] [] opsi com started
[5] [2025-08-13 10:15:14.739] [] Waiting for opsiclientd service to start
[5] [2025-08-13 10:15:14.740] [] Service opsiclientd is running (SERVICE_RUNNING)
[5] [2025-08-13 10:15:14.740] [] Connected to opsiclientd pipe
[5] [2025-08-13 10:15:14.740] [] Sending request: '{"id": 1, "method": "registerClient", "params": ["opsi-login-blocker","4.2.0.5"]}'
[5] [2025-08-13 10:15:14.743] [] Opsi credential provider filter init
[5] [2025-08-13 10:15:15.258] [] Received response: '{"id":1,"result":"client opsi-login-blocker/4.2.0.5/#1 registered","error":null}'
[5] [2025-08-13 10:15:15.765] [] Received request: '{"id":1,"method":"blockLogin","params":[false]}'
[5] [2025-08-13 10:15:15.765] [] Sending response: '{"id": 1, "result": "not blocking login", "error": null}'
[5] [2025-08-13 10:15:16.752] [] Filtering providers blockLogin=false, loginTriggered=false, rebootTriggered=false, shutdownTriggered=false
[5] [2025-08-13 10:15:16.776] [] Opsi credential provider init
[5] [2025-08-13 10:15:16.781] [] Hiding our tile (setting pdwCount to 0)
Looking at opsi_loginblocker.log from a client afflicted by the issue, I'm seeing instances of two different behaviours.

The first one seems to happen more often than the other. After confirmation that the opsiclientd service is running, the log is spammed 9 times with a line containing the message: Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2

Code: Alles auswählen

[1] [2025-08-13 10:21:17.318] [] --------------------------------------------------------------------------------------------------------------
[1] [2025-08-13 10:21:17.321] [] opsi login blocker version 4.2.0.5 initializing on Windows 10 (or above) (credential provider filter)
[1] [2025-08-13 10:21:17.321] [] --------------------------------------------------------------------------------------------------------------
[5] [2025-08-13 10:21:17.321] [] Getting config from registry
[5] [2025-08-13 10:21:17.321] [] log level is: 5
[3] [2025-08-13 10:21:17.321] [] Failed to query registry key 80000002, subKey SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{d2028e19-82fe-44c6-ad64-51497c97a02a}, valueName LoginBlockerLogDir: 234
[3] [2025-08-13 10:21:17.321] [] Failed to get LoginBlockerLogDir value from registry, using default
[5] [2025-08-13 10:21:17.321] [] OpsiCredentialProviderFilter is enabled
[5] [2025-08-13 10:21:17.322] [] OpsiCredentialProvider is enabled
[5] [2025-08-13 10:21:17.322] [] LoginBlockerTimeoutConnect is 120 seconds
[1] [2025-08-13 10:21:17.322] [] opsi login blocker version 4.2.0.5 initialized on Windows 10 (or above)
[5] [2025-08-13 10:21:17.323] [] opsi com started
[5] [2025-08-13 10:21:17.323] [] Waiting for opsiclientd service to start
[5] [2025-08-13 10:21:17.323] [] Service opsiclientd is starting (SERVICE_START_PENDING)
[5] [2025-08-13 10:21:17.346] [] Opsi credential provider filter init
[5] [2025-08-13 10:21:20.327] [] Service opsiclientd is running (SERVICE_RUNNING)
[4] [2025-08-13 10:21:20.327] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:21.342] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:22.352] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:23.358] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:24.362] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:25.366] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:26.372] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:27.386] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[4] [2025-08-13 10:21:28.392] [] Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2
[5] [2025-08-13 10:21:29.394] [] Connected to opsiclientd pipe
[5] [2025-08-13 10:21:29.395] [] Sending request: '{"id": 1, "method": "registerClient", "params": ["opsi-login-blocker","4.2.0.5"]}'
[5] [2025-08-13 10:21:29.916] [] Received response: '{"id":1,"result":"client opsi-login-blocker/4.2.0.5/#1 registered","error":null}'
[5] [2025-08-13 10:21:30.436] [] Received request: '{"id":1,"method":"blockLogin","params":[true]}'
[5] [2025-08-13 10:21:30.436] [] Sending response: '{"id": 1, "result": "blocking login", "error": null}'
In the other instances of opsi login blocker not unblocking properly, we're seeing the message Failed to open Service Control Manager (error=5) spammed right after the log line stating that opsi login blocker is waiting for the opsiclientd service to start.

Code: Alles auswählen

[1] [2025-08-13 10:19:27.168] [] --------------------------------------------------------------------------------------------------------------
[1] [2025-08-13 10:19:27.169] [] opsi login blocker version 4.2.0.5 initializing on Windows 10 (or above) (credential provider filter)
[1] [2025-08-13 10:19:27.169] [] --------------------------------------------------------------------------------------------------------------
[5] [2025-08-13 10:19:27.169] [] Getting config from registry
[5] [2025-08-13 10:19:27.169] [] log level is: 5
[3] [2025-08-13 10:19:27.169] [] Failed to query registry key 80000002, subKey SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{d2028e19-82fe-44c6-ad64-51497c97a02a}, valueName LoginBlockerLogDir: 234
[3] [2025-08-13 10:19:27.169] [] Failed to get LoginBlockerLogDir value from registry, using default
[5] [2025-08-13 10:19:27.170] [] OpsiCredentialProviderFilter is enabled
[5] [2025-08-13 10:19:27.170] [] OpsiCredentialProvider is enabled
[5] [2025-08-13 10:19:27.170] [] LoginBlockerTimeoutConnect is 120 seconds
[1] [2025-08-13 10:19:27.170] [] opsi login blocker version 4.2.0.5 initialized on Windows 10 (or above)
[5] [2025-08-13 10:19:27.170] [] opsi com started
[5] [2025-08-13 10:19:27.171] [] Waiting for opsiclientd service to start
[3] [2025-08-13 10:19:27.171] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:30.177] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:33.186] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:36.187] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:39.198] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:42.200] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:45.209] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:48.219] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:51.228] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:54.236] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:19:57.247] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:00.254] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:03.266] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:06.273] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:09.278] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:12.283] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:15.286] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:18.297] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:21.300] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:24.302] [] Failed to open Service Control Manager (error=5)
[3] [2025-08-13 10:20:27.311] [] Failed to open Service Control Manager (error=5)
Where do these errors stem from? The clients exhibiting these issues are configured the exact same way as the clients without the issues, so it's difficult to pin-point an exact cause with the limited knowledge of OPSI that we have at the department.

Re: OPSI Login Blocker Never Unblocks

Verfasst: 13 Aug 2025, 14:23
von j.schneider
The error "Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2" means that the opsiclientd service has not yet created the named pipe. This is a normal occurrence and not a cause for concern.

The error "Failed to open Service Control Manager (error=5)" means that the opsi-loginblocker does not have permission to connect to the Service Control Manager. This is unusual because opsi-loginblocker is implemented as a Credential Provider (Filter), which is a DLL loaded by LogonUI.exe. LogonUI.exe runs with system privileges. I have not encountered this issue before. It suggests a damaged Windows configuration or interference from security software.

Re: OPSI Login Blocker Never Unblocks

Verfasst: 18 Aug 2025, 12:41
von mart660d
j.schneider hat geschrieben: 13 Aug 2025, 14:23 The error "Could not open opsiclientd pipe \\.\pipe\opsiclientd: 2" means that the opsiclientd service has not yet created the named pipe. This is a normal occurrence and not a cause for concern.

The error "Failed to open Service Control Manager (error=5)" means that the opsi-loginblocker does not have permission to connect to the Service Control Manager. This is unusual because opsi-loginblocker is implemented as a Credential Provider (Filter), which is a DLL loaded by LogonUI.exe. LogonUI.exe runs with system privileges. I have not encountered this issue before. It suggests a damaged Windows configuration or interference from security software.
Apologies for the late response.

We have decided internally that, due to limited ressources at the moment, opsi-client-agent will be re-installed on all of our clients with the loginblockerstart property set to false. This will buy us time until a scheduled paid support session.

Thank you for taking your time to reply to my post Jan. I'll see if I can remember to add a post-mortem once we emerge from the 4.3 upgrade if a solution to the issue is found in the process!
Alle Zeiten sind UTC+02:00
Seite 1 von 1

Powered by phpBB® Forum Software © phpBB Limited

Deutsche Übersetzung durch phpBB.de