Univention Bugzilla – Bug 35011
Password change in a s4 environment requires a second login on the ucc client
Last modified: 2023-06-28 10:33:09 CEST
UCS Master with samba4 and UCC 2.0 and a UCC client. Created a user with "Change password on next login". Login on the UCC client works, password change is triggered and successful, but then I get "You are required to change your LDAP password" and have to login a second time. Maybe the problem is that the password change is done via kerberos (thus samba in a s4 environment) and the pam account check via pam_ldap. The samba password change triggers the connector which does the password change in openldap. But this takes some time and maybe too long for a proper login on UCC.
Requested at 2014092221000243
> Maybe the problem is that the password change is done via kerberos
> (thus samba in a s4 environment) and the pam account check via pam_ldap.
Yes, I had a similar effect when fixing change of expired passwords during UMC logon. I had to avoid the pam_acct_mgmt call directly after the change, otherwise the authentication would fail directly after the change.
Happened eventually again at: Ticket#2015040721000485 (message 57)
Regarding password-change: Could be reproduced on 2 clients. It seems that UCC authenticates alternating between LDAP and AD or that the synchronisation between LDAP and AD is slower than the password entry action of a user on the UCC client.
Workaround: the UCC client has to be restarted between the steps of the password-change, then all seems to work.
UCC's pam config has a fallback to LDAP auth in case kerberos is not available. Maybe the kerberos pam module behaves differently in terms of return values after changing the password. We should also check if the local password cache is updated correctly.
"second login" vs "UCC Client has to be restarted"?
Additional information from the customer, Ticket#2015040721000485
Additional workaround: User in the UMC -> UNSET checkbox "change password on next login" -> save -> SET checkbox "change password on next login" -> save
Password change works without restart.
UCC is EoL