Bug 37916 - 60_umc.07_expired_password.test failed in AD member mode
Status: CLOSED WONTFIX
Product: UCS Test
Classification: Unclassified
Component: UMC
Assigned To: Dmitry Galkin
Blocks: 38178
Reported: 2015-03-03 05:46 CET by Stefan Gohmann
Modified: 2023-03-25 06:48 CET
What kind of report is it?: Development Internal
Description Stefan Gohmann univentionstaff 2015-03-03 05:46:17 CET
The following test case failed in AD member mode:

60_umc.07_expired_password.test

http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/AD%20Member%20MultiEnv/1/Mode=module,Version=w2k8r2-english-other-join-user/testReport/60_umc/07_expired_password/test/

Error message

Test failed

Standard output (STDOUT)

Object created: uid=ü8ymbpäd,cn=users,dc=autotest222,dc=local
### Preparation: Activate pwQualityCheck in policies/pwhistory
## Note: non-Samba4 DCs require this to activate univention.password.Check (for check_cracklib.py)
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=autotest222,dc=local
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits
### Preparation: simulate password expiry
Object modified: uid=ü8ymbpäd,cn=users,dc=autotest222,dc=local
Waiting for replication:
OK: replication complete (nid=9572 lid=9572)
Done: replication complete.
Waiting for postrun
### Preparation: set fresh complex password via UMC login password change dialog
Unsetting password/quality/credit/lower
Unsetting password/quality/credit/upper
Unsetting password/quality/credit/other
Unsetting password/quality/credit/digits
LDAP Error: Invalid syntax: univentionPWQualityCheck: value #0 invalid per syntax
Object removed: uid=ü8ymbpäd,cn=users,dc=autotest222,dc=local

Standard error (STDERR)

info 2015-02-26 04:40:16	 create user ü8ymbpäd
error 2015-02-26 04:40:38	 Unexpected output returned by UMC during password change: {"status": "411 Length Required", "message": "The authentication has failed, please login again"}
error 2015-02-26 04:40:38	 **************** Test failed above this line (110) ****************
info 2015-02-26 04:40:38	 remove user ü8ymbpäd
debug 2015-02-26 04:40:38	 user ü8ymbpäd removed
info 2015-02-26 04:40:38	 checking whether the user ü8ymbpäd is really removed
debug 2015-02-26 04:40:38	 user ü8ymbpäd does not exist
Comment 1 Stefan Gohmann univentionstaff 2015-03-03 05:46:33 CET
Please have a look.
Comment 3 Dmitry Galkin univentionstaff 2015-03-06 16:14:22 CET
(In reply to Stefan Gohmann from comment #1)
> Please have a look.

Ok, so what happens at the moment (setup as jenkins *226 template with Win 2008R2 English):

1. Test creates a user via udm, as UCS is configured as AD Member there is no replication to AD, so user only exists in OpenLDAP;

2. The authentication of a newly created user works (checked manually, test doesn't make such a check);

3. The user can login and will see the "Password Change" module, but the password change won't work with a message:

Die Anfrage konnte nicht ausgeführt werden.
Fehlernachricht des Servers:
Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: Current Kerberos password

--> looking into the /var/log/auth.log:

Mar  6 09:46:53 admember226 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=Administrator
Mar  6 09:46:53 admember226 python2.7: pam_krb5(univention-management-console:auth): user Administrator authenticated as Administrator@AUTOTEST226.LOCAL

Mar  6 09:47:47 admember226 python2.7: pam_unix(univention-management-console:chauthtok): user "tä010öä6" does not exist in /etc/passwd


It can be seen that Kerberos for Administrator works (and kinit Administrator respectively), but there seems to be no attempt at Kerberos authentication for the test user ("tä010öä6"). The "kinit tä010öä6" won't work either, and the pam unix fails as well.


Same case is demonstrated by the failed 01_base.90change_user_pwd_via_umcp test (Bug #37918)


I assume that's the correct behavior since Windows AD DC does Kerberos authentication?
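
The pattern in the auth.log excerpt above (pam_unix failing for a user while pam_krb5 logs nothing for the same service and phase) can be checked mechanically. This is an added example, not part of the original bug thread or of UCS; the regular expressions cover only the three message shapes quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines taken from the /var/log/auth.log excerpt quoted in comment 3.
SAMPLE_LOG = """\
Mar  6 09:46:53 admember226 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=Administrator
Mar  6 09:46:53 admember226 python2.7: pam_krb5(univention-management-console:auth): user Administrator authenticated as Administrator@AUTOTEST226.LOCAL
Mar  6 09:47:47 admember226 python2.7: pam_unix(univention-management-console:chauthtok): user "tä010öä6" does not exist in /etc/passwd
"""

# Shape of a PAM log entry: module(service:phase): message
PAM_LINE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<phase>\w+)\): (?P<msg>.*)")

# Message shapes seen in the excerpt, with the outcome each one implies.
OUTCOMES = [
    (re.compile(r'user (?P<user>\S+) authenticated as '), True),
    (re.compile(r'authentication failure;.*\buser=(?P<user>\S+)'), False),
    (re.compile(r'user "(?P<user>[^"]+)" does not exist in /etc/passwd'), False),
]

def parse_events(log_text):
    """Yield (module, service, phase, user, ok) for each recognised PAM line."""
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        for pattern, ok in OUTCOMES:
            hit = pattern.search(m["msg"])
            if hit:
                yield m["module"], m["service"], m["phase"], hit["user"], ok
                break

def unhandled_by_kerberos(log_text):
    """Map (service, phase, user) to the modules that failed, for requests
    where no module succeeded and pam_krb5 logged nothing at all."""
    seen = defaultdict(dict)
    for module, service, phase, user, ok in parse_events(log_text):
        seen[(service, phase, user)][module] = ok
    return {key: sorted(mods) for key, mods in seen.items()
            if not any(mods.values()) and "pam_krb5" not in mods}

if __name__ == "__main__":
    for (service, phase, user), mods in unhandled_by_kerberos(SAMPLE_LOG).items():
        print(f"{service}:{phase} user={user!r} failed in {mods}, no pam_krb5 entry")
```
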
Comment 4 Stefan Gohmann univentionstaff 2015-03-09 06:29:33 CET
(In reply to Dmitry Galkin from comment #3)
> I assume that's the correct behavior since Windows AD DC does Kerberos
> authentication?

Yes, that's correct. We need to create the User in the Windows Active Directory. Otherwise the user can't use Kerberos.

I think we should modify the user creation. If the system is in the Active Directory Member Mode, the user should be created in Active Directory.
Comment 5 Dmitry Galkin univentionstaff 2015-03-09 15:16:26 CET
(In reply to Stefan Gohmann from comment #4)
> (In reply to Dmitry Galkin from comment #3)
> > I assume that's the correct behavior since Windows AD DC does Kerberos
> > authentication?
> 
> Yes, that's correct. We need to create the User in the Windows Active
> Directory. Otherwise the user can't use Kerberos.
> 
> I think we should modify the user creation. If the system is in the Active
> Directory Member Mode, the user should be created in Active Directory.

Ok, but it might be a bit too many changes to fit into this test:

1. The user should be created in AD, this can be done via existing ucs-windows-tools/windows-scripts/create-ad-users.vbs script.

2. All the user account changes that are done via udm-test now should be switched to similar but done on the Windows host in AD via VBS or Powershell and Winexe (for instance as https://technet.microsoft.com/en-us/library/dd391883%28v=ws.10%29.aspx).

For instance, the following won't work: udm-test users/user modify --dn "$test_userdn" --set pwdChangeNextLogin=1 --set locked=posix

>>> Value may not change: key=pwdChangeNextLogin old=None new=1

3. At the moment the authentication (Kerberos) of an AD user via UMC works, user can login into UMC and password change module appears, however the password change itself does not. The /var/log/auth.log says only:

pam_unix(univention-management-console:chauthtok): user "test_ad_user31" does not exist in /etc/passwd 

and no Kerberos messages can be seen. As the setup is running in EC2, I don't have complete access to the Windows host (2008R2 English), so I cannot say if there is anything. The UMC just shows "Bad Request 400" and no message after 10-20 seconds.


My suggestion is to skip the current test in AD Member mode and to write a new one that would only run in AD Member and in Python (as univention.winexe is already in Python). It should also be confirmed that the change of the AD user password via UMC works.
Comment 6 Stefan Gohmann univentionstaff 2015-03-09 15:20:17 CET
(In reply to Dmitry Galkin from comment #5)
> My suggestion is to skip the current test in AD Member mode and to write a
> new one that would only run in AD Member and in Python (as univention.winexe
> is already in Python). Should be also confirmed that the change of the AD
> user password via UMC works.

Yes, I'm fine with your suggestion. You can use the tag skip_admember to skip the test case in AD member mode.
Comment 7 Stefan Gohmann univentionstaff 2016-10-12 07:49:26 CEST
No separate QA is needed for this bug.