"Your account has been blocked." via git pull/clone using SSH on 12.9.1 floss self-managed

Any ideas now where to look other than me doing a code trace to see what’s triggering this? So very strange.

Hi @ghenry,

I’d check /var/log/gitlab/gitlab-rails/production.log and /var/log/gitlab/gitlab-rails/api_json.log for any errors or messages around this user getting blocked.

zgrep is helpful for searching rotated/compressed logs, for example:

zgrep "username" /var/log/gitlab/gitlab-rails/production*.gz | grep "block"

To manually unblock the user, you can use the Rails console if the API isn’t an option: https://docs.gitlab.com/ee/security/unlock_user.html

1 Like

No difference:

xx@xxx:~$ sudo gitlab-rails console -e production
--------------------------------------------------------------------------------
 GitLab:       12.9.1 (63745c932cc) FOSS
 GitLab Shell: 12.0.0
 PostgreSQL:   9.6.17
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
irb(main):001:0> user = User.where(id: 33).first
=> #<User id:33 @xxxxxx>
 
irb(main):002:0> user.unlock_access!
=> true

then tried a git pull again:

remote: 
remote: ========================================================================
remote: 
remote: Your account has been blocked.
remote: 
remote: ========================================================================
remote: 
fatal: Could not read from remote repository.

I apologize, you’d need to unblock the user and I sent you docs on how to unlock the user. Can you try the following?

sudo gitlab-rails console -e production
user = User.where(id: 33).first
user.state = "active"
user.save

If that doesn’t work, try this in the ruby console to see if it’s something specific to LDAP:

user.ldap_user?
user.ldap_blocked?
user.ldap_identity

Let us know how it goes either way!

2 Likes

No joy:

Loading production environment (Rails 6.0.2)
irb(main):001:0> user = User.where(id: 33).first
=> #<User id:33 @xxxxxx>
irb(main):002:0> user.state = "active"
=> "active"
irb(main):003:0> user.save
=> true
irb(main):004:0> user.ldap_user?
=> false
irb(main):005:0> user.ldap_blocked?
=> false
irb(main):006:0> user.ldap_identity
=> nil
irb(main):007:0> 

I still get:

git pull
remote: 
remote: ========================================================================
remote: 
remote: Your account has been blocked.
remote: 
remote: ========================================================================
remote: 
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Hi,

please share the remote origin for the repository where you run git pull. The most convenient way would be

grep url .git/config

Also, side question - does it work with clone/push over https?

Cheers,
Michael

1 Like

Hi,

sure. As it’s always been for 3 years:

[remote "origin"]
	url = ssh://git@git.xxxx.net/xxxxx/xxx-xxx.git
	fetch = +refs/heads/*:refs/remotes/origin/*

These users that are used in our ansible projects are created like this via a customer lib (and have always worked, but only use ssh):

#!/usr/bin/python
# Only works with the root user currently
import string
import random
from socket import getfqdn
from gitlab import Gitlab
from gitlab import DEVELOPER_ACCESS
from gitlab.exceptions import GitlabCreateError

def get_user_id():
  # Match the user whose username is this host's short name
  for user in gl.users.list(search=getfqdn()):
    if getfqdn().split('.')[0] == user.username:
      return user.id
  # Reached only when no user matched
  module.fail_json(msg='User cannot be found')

def deploy_key():
  user_id = get_user_id()
  try:
    with open(module.params['deploy_key'], 'rb') as keyfile:
      keycontents = keyfile.read()
      for key in gl.users.get(user_id).keys.list():
        if key.key.rstrip() == keycontents.rstrip():
          module.exit_json(changed=False, msg='Key exists')
      gl.users.get(user_id).keys.create({
          'title': getfqdn() + ' root key',
          'key': keycontents
          },
          user_id=user_id)
      module.exit_json(changed=True, msg='Key added')
  except EnvironmentError:
    module.fail_json(msg='Could not open key file')
  except GitlabCreateError as e:
    if 'has already been taken' in e.response_body:
      module.exit_json(changed=False, msg='Key Exists')
    else:
      raise e

def create_user():
  if len(gl.users.list(search=getfqdn() + ' root')) == 0:
    user = gl.users.create({
        'email': 'root@' + getfqdn(),
        'password': ''.join(random.choice(string.ascii_uppercase) for i in range(60)),
        'username': getfqdn().split('.')[0],
        'name':  getfqdn() + ' root'
        })
    user.save()
    module.exit_json(changed=True, msg='User successfully created')
  else:
    module.exit_json(changed=False, msg='User already exists')

def add_to_project():
  user_id = get_user_id()
  # check project exists
  try:
    project = gl.projects.get(module.params['project'])
  except:
    module.fail_json(msg='Could not find project')
  # check if already a member of the project
  for user in project.members.list():
    if user.id == user_id:
      module.exit_json(changed=False, msg='already member of the project')
  # add to project
  if project.members.create({ 'user_id': user_id, 'access_level': DEVELOPER_ACCESS }, project_id=project.id):
    module.exit_json(changed=True, msg='Successfully added to the project')
  else:
    module.fail_json(msg='Unable to add to project')

def main():
  global module, gl
  module = AnsibleModule(
    argument_spec = dict(
      operation = dict(required=True, choices=['deploy_key', 'create_user', 'add_to_project']), # Operation
      project = dict(required=False), # Project name, only relevant if add_to_project is selected
      deploy_key = dict(required=False, default='/root/.ssh/id_rsa.pub'), # path to deploy key, example /root/.ssh/id_rsa.pub, only relevant if 'deploy_user' is selected
      token = dict(required=True), # API Key
      host = dict(required=True), # GitLab hostname
      verify_ssl = dict(required=False, default=False, choices=[True, False]),
    )
  )

  gl = Gitlab(module.params['host'], module.params['token'], api_version=4)
  
  if module.params['operation'] == 'deploy_key':
    deploy_key()
  elif module.params['operation'] == 'create_user':
    create_user()
  elif module.params['operation'] == 'add_to_project':
    add_to_project()

from ansible.module_utils.basic import *
main()

So nothing to do with LDAP and this user has worked for the past few users. It is every user created this way that has recently broken and gets this “Your account has been blocked” message. No expired keys as if you see further up as ssh is authing correctly. I note a password is created, so I could test via HTTPS.

Thanks,
Gavin.

Any ideas, anyone? At a real loss where to look next.

So I just deleted this user and re-ran our ansible playbook that checks the user exists and if it doesn’t, re-creates it. I can see the user was created today in the Users section, but I still get the “Your account is blocked” error.

Just deleted the user again, re-created it with our usual ansible playbook, issue remains. Log in as admin user and click “Confirm email” manually and all working now. Weird.

A bug I’d say.

Same on 12.9.2. Have to confirm user after creating via the API. Not very automated. Should I report it?

Hi,

sorry for the late response, had been busy with onboarding tasks. It looks as if this could be a bug, please continue with creating an issue and summarize your findings from here :)

Thanks,
Michael

1 Like

Hi @ghenry

I agree with your assessment, this sounds like a bug.

To raise awareness of this and help us find a solution, can you please create a new issue?
I suggest using the “Bug” issue template, adding as many relevant details as possible.

When you create an issue, please link it here and I’ll add appropriate labels to help triage and raise attention. Thanks!

2 Likes

https://gitlab.com/gitlab-org/gitlab/-/issues/213582 Done.

Great, thanks!

Just thought of something else that might be coming into play:

Can you check <external_url>/admin/application_settings/general > expand Sign-up Restrictions, and verify if the checkbox for Send confirmation email on sign-up is checked or unchecked?

1 Like

Yep, it is.

Ah-hah! That explains it!

Having that setting enabled will send a confirmation email, and for that user to be “unlocked”, it requires that the confirmation link in the confirmation email is clicked. If you’re creating a user with Ansible and the confirmation email isn’t received and the link it contains clicked, it would cause the “user is blocked” error you’re seeing.

If you did not check the box for this requirement, I suspect the default setting might’ve changed in 12.9.x. Do you notice if this checkbox was checked before upgrading?

Unchecking the box, or manually “confirming” the email of your Ansible-created user in the GitLab Admin UI should remove the block on this user.

1 Like

Nope. After your reply, I unchecked it and saved it. Deleted the user, ran the ansible playbook again and same message and going into Users still shows Confirm User.

Confirming the user and git pull etc. works as normal.
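
The behaviour this thread ends on (users created through the API stay unconfirmed and are refused over SSH until an admin confirms them), as an added example that is not part of the thread or of the poster's module: it creates the host account with the Users API parameter `skip_confirmation` and reports why an existing account would be refused, using the admin-visible `confirmed_at` field. The function names, the `FakeUsers` stand-in and the hostnames are constructed for illustration; `gl` is assumed to be a python-gitlab client authenticated with an admin token.

```python
# Added example: `gl` is assumed to be a python-gitlab client with an admin token.
import secrets
from types import SimpleNamespace


def login_blocker(user):
    """Return why GitLab would refuse this account, or None if it looks usable."""
    if user.state != 'active':
        return 'state is %r' % user.state
    if getattr(user, 'confirmed_at', None) is None:
        return 'email not confirmed'
    return None


def ensure_machine_user(gl, fqdn):
    """Create the host's user pre-confirmed, or report what blocks an existing one."""
    username = fqdn.split('.')[0]
    for user in gl.users.list(search=username):
        if user.username == username:
            return user, login_blocker(user)
    user = gl.users.create({
        'email': 'root@' + fqdn,
        'username': username,
        'name': fqdn + ' root',
        'password': secrets.token_urlsafe(45),  # 60 chars from a CSPRNG
        'skip_confirmation': True,              # account is usable without the email link
    })
    return user, login_blocker(user)


class FakeUsers:
    """Constructed stand-in for gl.users so the example runs offline."""
    def __init__(self, users):
        self.users = users

    def list(self, search=''):
        return [u for u in self.users if search in u.username]

    def create(self, attrs):
        confirmed = '2020-04-07T00:00:00Z' if attrs.get('skip_confirmation') else None
        user = SimpleNamespace(state='active', confirmed_at=confirmed, **attrs)
        self.users.append(user)
        return user


if __name__ == '__main__':
    # Constructed data: one pre-existing unconfirmed user, one host with no user yet
    stale = SimpleNamespace(username='web01', state='active', confirmed_at=None)
    gl = SimpleNamespace(users=FakeUsers([stale]))
    for host in ('web01.example.net', 'db01.example.net'):
        print(host, ensure_machine_user(gl, host)[1])
```

Against a real server, pass the `Gitlab(...)` object in place of the stand-in; an existing account reported as `email not confirmed` still needs the admin "Confirm" action described above.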