Univention Bugzilla – Bug 37916
60_umc.07_expired_password.test failed in AD member mode
Last modified: 2023-03-25 06:48:31 CET
The following test case failed in AD member mode: 60_umc.07_expired_password.test

http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/AD%20Member%20MultiEnv/1/Mode=module,Version=w2k8r2-english-other-join-user/testReport/60_umc/07_expired_password/test/

Error message

Test failed

Standard output (STDOUT)

Object created: uid=ü8ymbpäd,cn=users,dc=autotest222,dc=local
### Preparation: Activate pwQualityCheck in policies/pwhistory
## Note: non-Samba4 DCs require this to activate univention.password.Check (for check_cracklib.py)
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=autotest222,dc=local
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits
### Preparation: simulate password expiry
Object modified: uid=ü8ymbpäd,cn=users,dc=autotest222,dc=local
Waiting for replication:
OK: replication complete (nid=9572 lid=9572)
Done: replication complete.
Waiting for postrun
### Preparation: set fresh complex password via UMC login password change dialog
Unsetting password/quality/credit/lower
Unsetting password/quality/credit/upper
Unsetting password/quality/credit/other
Unsetting password/quality/credit/digits
LDAP Error: Invalid syntax: univentionPWQualityCheck: value #0 invalid per syntax
Object removed: uid=ü8ymbpäd,cn=users,dc=autotest222,dc=local

Standard error (STDERR)

info 2015-02-26 04:40:16 create user ü8ymbpäd
error 2015-02-26 04:40:38 Unexpected output returned by UMC during password change: {"status": "411 Length Required", "message": "The authentication has failed, please login again"}
error 2015-02-26 04:40:38 **************** Test failed above this line (110) ****************
info 2015-02-26 04:40:38 remove user ü8ymbpäd
debug 2015-02-26 04:40:38 user ü8ymbpäd removed
info 2015-02-26 04:40:38 checking whether the user ü8ymbpäd is really removed
debug 2015-02-26 04:40:38 user ü8ymbpäd does not exist
Please have a look.
Also happened on S3-Master now: http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/26/SambaVersion=s3,Systemrolle=master/testReport/junit/60_umc/07_expired_password/test/
(In reply to Stefan Gohmann from comment #1)
> Please have a look.

Ok, so what happens at the moment (setup as jenkins *226 template with Win 2008R2 English):

1. Test creates a user via udm, as UCS is configured as AD Member there is no replication to AD, so user only exists in OpenLDAP;

2. The authentication of a newly created user works (checked manually, test doesn't make such a check);

3. The user can login and will see the "Password Change" module, but the password change won't work with a message:

    Die Anfrage konnte nicht ausgeführt werden. Fehlernachricht des Servers: Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: Current Kerberos password

--> looking into the /var/log/auth.log:

    Mar 6 09:46:53 admember226 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=Administrator
    Mar 6 09:46:53 admember226 python2.7: pam_krb5(univention-management-console:auth): user Administrator authenticated as Administrator@AUTOTEST226.LOCAL
    Mar 6 09:47:47 admember226 python2.7: pam_unix(univention-management-console:chauthtok): user "tä010öä6" does not exist in /etc/passwd

Can be seen that Kerberos for Administrator works (and kinit Administrator respectively), but there seems to be no attempt of Kerberos authentication for the test user ("tä010öä6") done. The "kinit tä010öä6" won't work as well as the pam unix fails.

Same case is demonstrated by the failed 01_base.90change_user_pwd_via_umcp test (Bug #37918)

I assume that's the correct behavior since Windows AD DC does Kerberos authentication?
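Added example, not part of the comment above or of the UCS test suite: the auth.log triage described in that comment (which PAM module handled which user for the UMC service) done with a small Python parser. The function names are hypothetical; the sample input is the three log lines quoted in the comment.

```python
import re
from collections import defaultdict

# The three /var/log/auth.log lines quoted in the comment above.
SAMPLE = """\
Mar 6 09:46:53 admember226 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=Administrator
Mar 6 09:46:53 admember226 python2.7: pam_krb5(univention-management-console:auth): user Administrator authenticated as Administrator@AUTOTEST226.LOCAL
Mar 6 09:47:47 admember226 python2.7: pam_unix(univention-management-console:chauthtok): user "tä010öä6" does not exist in /etc/passwd
"""

# Shape of a PAM log entry: pam_<module>(<service>:<phase>): <message>
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# The three ways a user name appears in the messages above.
USER_RES = (
    re.compile(r"\buser=(?P<user>\S+)"),
    re.compile(r'\buser "(?P<user>[^"]+)"'),
    re.compile(r"\buser (?P<user>\S+) authenticated as"),
)


def pam_events(text):
    """Yield one dict per PAM log line: module, service, phase, msg, user."""
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue
        hits = (rx.search(m["msg"]) for rx in USER_RES)
        user = next((h["user"] for h in hits if h), None)
        yield {**m.groupdict(), "user": user}


def users_without_krb5(text, service):
    """Users seen in PAM lines for `service` that have no pam_krb5 line at all."""
    modules = defaultdict(set)
    for ev in pam_events(text):
        if ev["service"] == service and ev["user"]:
            modules[ev["user"]].add(ev["module"])
    return sorted(u for u, mods in modules.items() if "pam_krb5" not in mods)


if __name__ == "__main__":
    for ev in pam_events(SAMPLE):
        print(ev["module"], ev["phase"], ev["user"])
    print("no pam_krb5 line for:",
          users_without_krb5(SAMPLE, "univention-management-console"))
```
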
(In reply to Dmitry Galkin from comment #3)
> I assume that's the correct behavior since Windows AD DC does Kerberos
> authentication?

Yes, that's correct. We need to create the User in the Windows Active Directory. Otherwise the user can't use Kerberos.

I think we should modify the user creation. If the system is in the Active Directory Member Mode, the user should be created in Active Directory.
(In reply to Stefan Gohmann from comment #4)
> (In reply to Dmitry Galkin from comment #3)
> > I assume that's the correct behavior since Windows AD DC does Kerberos
> > authentication?
>
> Yes, that's correct. We need to create the User in the Windows Active
> Directory. Otherwise the user can't use Kerberos.
>
> I think we should modify the user creation. If the system is in the Active
> Directory Member Mode, the user should be created in Active Directory.

Ok, but it might be a bit too many changes to fit into this test:

1. The user should be created in AD, this can be done via existing ucs-windows-tools/windows-scripts/create-ad-users.vbs script.

2. All the user account changes that are done via udm-test now should be switched to similar but done on the Windows host in AD via VBS or Powershell and Winexe (for instance as https://technet.microsoft.com/en-us/library/dd391883%28v=ws.10%29.aspx). For instance following won't work:

    udm-test users/user modify --dn "$test_userdn" --set pwdChangeNextLogin=1 --set locked=posix
    >>> Value may not change: key=pwdChangeNextLogin old=None new=1

3. At the moment the authentication (Kerberos) of an AD user via UMC works, user can login into UMC and password change module appears, however the password change itself does not. The /var/log/auth.log says only:

    pam_unix(univention-management-console:chauthtok): user "test_ad_user31" does not exist in /etc/passwd

and no kerberos messages can be seen, as setup is running in EC2 I don't have complete access to Windows host (2008R2 English), so cannot say if there is anything. The UMC just shows "Bad Request 400" and no message after 10-20 seconds.

My suggestion is to skip the current test in AD Member mode and to write a new one that would only run in AD Member and in Python (as univention.winexe is already in Python). Should be also confirmed that the change of the AD user password via UMC works.
(In reply to Dmitry Galkin from comment #5)
> My suggestion is to skip the current test in AD Member mode and to write a
> new one that would only run in AD Member and in Python (as univention.winexe
> is already in Python). Should be also confirmed that the change of the AD
> user password via UMC works.

Yes, I'm fine with your suggestion. You can use the tag skip_admember to skip the test case in AD member mode.
No separate QA is needed for this bug.