Univention Bugzilla – Bug 43034
shadowMax not updated directly when univentionPolicyPWHistory is modified
Last modified: 2019-01-03 07:18:16 CET
If a customer changes the univentionPWExpiryInterval in Samba as well as in LDAP, these changes affect the login on Windows clients immediately, but in LDAP not until the user has changed his password. Situation: the password interval was set to 70 days and is now set to 180 days. For the customer this is elusive, because the password expires earlier for requests against LDAP (70) but does not expire for the Windows login (here the new interval (180) is active).

----------------------------------------------------------------------------
univention-ldapsearch -b cn=test,cn=pwhistory,cn=users,cn=policies,dc=beispiel,dc=de
# test, pwhistory, users, policies, beispiel.de
dn: cn=test,cn=pwhistory,cn=users,cn=policies,dc=beispiel,dc=de
cn: test
objectClass: top
objectClass: univentionPolicy
objectClass: univentionPolicyPWHistory
objectClass: univentionObject
univentionObjectType: policies/pwhistory
univentionPWHistoryLen: 10
univentionPWExpiryInterval: 180
univentionPWQualityCheck: TRUE
univentionPWLength: 8
----------------------------------------------------------------------------
univention-ldapsearch -b cn=test,cn=pwhistory,cn=users,cn=policies,dc=beispiel,dc=de +
dn: cn=test,cn=pwhistory,cn=users,cn=policies,dc=beispiel,dc=de
entryUUID: aadfb36e-b57e-1033-85c4-592796308b3c
createTimestamp: 20140811083852Z
structuralObjectClass: univentionPolicyPWHistory
creatorsName: uid=Administrator,cn=users,dc=beispiel,dc=de
[...]
modifyTimestamp: 20160801065107Z
entryDN: cn=test,cn=pwhistory,cn=users,cn=policies,dc=beispiel,dc=de
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
----------------------------------------------------------------------------
samba-tool domain passwordsettings show
Password informations for domain 'DC=beispiel,DC=de'
Password complexity: on
Store plaintext passwords: off
Password history length: 10
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 179
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
----------------------------------------------------------------------------
snippet ldapsearch user:
shadowLastChange: 16996
shadowMax: 70
krb5PasswordEnd: 20160922000000Z
sambaPwdLastSet: 1468508046
To fix this, some program would need to adjust the shadowMax value on all user objects that are connected with a particular UDM policy of objectClass univentionPolicyPWHistory. This would be required whenever
1. such a policy is changed
2. a policy link is changed
3. a user object is moved to a different LDAP branch
Alternatively, it could be done with a cron job.
Also krb5PasswordEnd would need to be adjusted. As a kludge, one could use shadowLastChange, add the new shadowMax and set krb5PasswordEnd accordingly. And then you still have the issue that the univentionPWExpiryInterval *should* match the sambaMaxPwdAge specified on the sambaDomain object (in OpenLDAP), which is used by Samba to determine if sambaPwdLastSet + sambaMaxPwdAge > now(). See also Bug 35809 for a general approach to this.
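An added example (not Univention's own code) of the consistency check the two comments above describe: it derives the krb5PasswordEnd a user entry should carry from shadowLastChange plus the policy's univentionPWExpiryInterval, and reports which of shadowMax and krb5PasswordEnd drift from the policy. The dict-based user entry and the function names are assumptions; the sample values are the ones from the report.

```python
from datetime import datetime, timedelta, timezone

# shadowLastChange counts days since the Unix epoch.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def krb5_password_end(shadow_last_change: int, max_age_days: int) -> str:
    """Expiry day as LDAP GeneralizedTime (midnight UTC).

    Mirrors the kludge from the comment above: the password expires
    shadowLastChange + shadowMax days after the epoch.
    """
    expiry = EPOCH + timedelta(days=shadow_last_change + max_age_days)
    return expiry.strftime("%Y%m%d%H%M%SZ")


def expiry_modlist(user: dict, policy_interval: int) -> dict:
    """Attribute values the user entry needs to follow the policy.

    Returns {attribute: wanted_value} for every attribute that differs
    from the policy-derived value; an empty dict means the entry is
    already consistent with univentionPWExpiryInterval.
    """
    last_change = int(user["shadowLastChange"])
    wanted = {
        "shadowMax": str(policy_interval),
        "krb5PasswordEnd": krb5_password_end(last_change, policy_interval),
    }
    return {k: v for k, v in wanted.items() if user.get(k) != v}


# Constructed sample: the user snippet from the report, after the policy
# was raised from 70 to 180 days but before the user changed the password.
SAMPLE_USER = {
    "shadowLastChange": "16996",
    "shadowMax": "70",
    "krb5PasswordEnd": "20160922000000Z",
    "sambaPwdLastSet": "1468508046",
}
POLICY_INTERVAL = 180

if __name__ == "__main__":
    # Print the attributes an ldapmodify run would have to replace.
    for attr, value in expiry_modlist(SAMPLE_USER, POLICY_INTERVAL).items():
        print(f"replace: {attr} -> {value}")
```

With the old 70-day interval the sample entry is reported as consistent (its krb5PasswordEnd of 20160922000000Z is exactly shadowLastChange + 70 days); with 180 days both attributes are flagged.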
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on the 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.