Bug 44226 - Maximum password age and change on next login not enforced
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 5.0
Hardware/OS: Other Linux
Importance: P3 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2017-04-03 13:03 CEST by Arvid Requate
Modified: 2020-10-09 14:47 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.154
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020081921000491
Bug group (optional):
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2017-04-03 13:03:43 CEST
Maximum password age and "change password on next login" are not enforced by Samba/AD in UCS 4.1-4 e407, tested with 1) Windows client 2) kinit 3) smbclient.

Example:
===========================================================================
date -s "Mon, 23 Nov 2015 21:06:52 GMT"
/etc/init.d/samba restart

udm users/user create --set username=user1 --set lastname=name1 \
  --set password=univention

samba-tool domain passwordsettings set --max-pwd-age=1

rdate -n 10.200.8.1
/etc/init.d/samba restart

kinit user1
smbclient //$(hostname -f)/user1 -Uuser1%univention
===========================================================================

As a first step, we should investigate when this regression started.
Comment 1 Arvid Requate univentionstaff 2017-04-03 13:54:22 CEST
It still worked with UCS 4.1-3 errata282 (samba 2:4.3.7-1.835.201607051244)
=============================================================================
root@master10:~# date
Mo 23. Nov 16:44:00 CET 2015
root@master10:~# udm users/user create --set username=user1 \
                  --set lastname=name1 \
                  --set password=univention
Object created: uid=user1,dc=ar41i1,dc=qa
root@master10:~# 
root@master10:~# samba-tool domain passwordsettings set --max-pwd-age=1
Maximum password age changed!
All changes applied successfully!
root@master10:~# kinit user1
user1@AR41I1.QA's Password: 
Your password will expire at Tue Nov 24 16:43:40 2015

root@master10:~# rdate -n 10.200.8.1
Mon Apr  3 13:14:07 CEST 2017
root@master10:~# kinit user1
user1@AR41I1.QA's Password: 
kinit: krb5_get_init_creds: No ENC-TS found
root@master10:~# smbclient //$(hostname -f)/user1 -Uuser1%univention
session setup failed: NT_STATUS_PASSWORD_EXPIRED
=============================================================================

With 4.1-4 errata353 (samba 2:4.5.1-1.848.201611070734) it doesn't.
Comment 2 Stefan Gohmann univentionstaff 2017-04-18 07:58:23 CEST
The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.
Comment 3 Arvid Requate univentionstaff 2017-10-23 16:56:13 CEST
Looks like --max-pwd-age=1 is special. With --max-pwd-age=2 it seems to work:

root@master10:~# samba-tool domain passwordsettings set --max-pwd-age=2
Maximum password age changed!
All changes applied successfully!
root@master10:~# kinit user1
user1@AR41I1.QA's Password: 
kinit: krb5_get_init_creds: Password has expired
root@master10:~# smbclient //$(hostname -f)/user1 -Uuser1%univention -c quit
Kinit for user1@AR41I1.QA to access master10.ar41i1.qa failed: Password has expired
session setup failed: NT_STATUS_PASSWORD_EXPIRED
root@master10:~# samba-tool domain passwordsettings set --max-pwd-age=1
Maximum password age changed!
All changes applied successfully!
root@master10:~# kinit user1
user1@AR41I1.QA's Password: 
root@master10:~# smbclient //$(hostname -f)/user1 -Uuser1%univention -c quit
root@master10:~#
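To make the check this report expects concrete, here is an added Python model of the AD password-expiry rule. It is not code from this bug, from Samba or from UCS; it is an illustration of the documented attribute semantics (MS-ADTS) that the DC is expected to apply: pwdLastSet = 0 forces a change at next logon, UF_DONT_EXPIRE_PASSWD in userAccountControl or a maxPwdAge of 0 / 0x8000000000000000 disables expiry, and otherwise the password expires at pwdLastSet - maxPwdAge, maxPwdAge being stored as a negative 100 ns interval (one day for samba-tool's --max-pwd-age=1). The timestamps are constructed from the values quoted in the description and Comment 1; the function names and the two logon instants are assumptions made for the example. It does not model why --max-pwd-age=1 behaves differently in Comment 3.

```python
"""Model of the AD password-expiry rule (added example, not Samba/UCS code).

Evaluates the attributes a DC consults (pwdLastSet, maxPwdAge,
userAccountControl) on values constructed from the report.
"""
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000      # NT times count 100 ns intervals
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl bit
MAX_PWD_AGE_NEVER = -(1 << 63)     # 0x8000000000000000 as int64: "never expires"


def to_nt_time(dt: datetime) -> int:
    """Aware datetime -> NT FILETIME (100 ns ticks since 1601-01-01 UTC).

    Integer arithmetic only: the tick count (~1.3e17) exceeds float precision.
    """
    delta = dt.astimezone(timezone.utc) - NT_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_nt_time(ticks: int) -> datetime:
    """NT FILETIME -> aware UTC datetime."""
    return NT_EPOCH + timedelta(microseconds=ticks // 10)


def max_pwd_age_from_days(days: int) -> int:
    """maxPwdAge as stored in the domain: a negative 100 ns interval.
    samba-tool's --max-pwd-age takes the age in days."""
    return -days * 86400 * TICKS_PER_SECOND


def password_state(pwd_last_set: int, max_pwd_age: int, uac: int, now: datetime) -> str:
    """Return one of: must_change, never_expires, valid, expired."""
    if pwd_last_set == 0:
        return "must_change"            # "change password on next login"
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return "never_expires"
    expiry = pwd_last_set - max_pwd_age  # max_pwd_age is negative, so this adds the age
    return "expired" if to_nt_time(now) >= expiry else "valid"


def expiry_time(pwd_last_set: int, max_pwd_age: int) -> datetime:
    """Instant at which the password expires under the given policy."""
    return from_nt_time(pwd_last_set - max_pwd_age)


# Constructed values modelled on the report (assumed, for illustration):
# password set 2015-11-23 16:43:40 CET, maxPwdAge = 1 day, logon attempts
# later the same day (date from the description) and on 2017-04-03 (Comment 1).
CET = timezone(timedelta(hours=1))
CEST = timezone(timedelta(hours=2))
PWD_LAST_SET = to_nt_time(datetime(2015, 11, 23, 16, 43, 40, tzinfo=CET))
ONE_DAY = max_pwd_age_from_days(1)
SAME_DAY = datetime(2015, 11, 23, 21, 6, 52, tzinfo=timezone.utc)
LATER = datetime(2017, 4, 3, 13, 14, 7, tzinfo=CEST)

if __name__ == "__main__":
    print("expires at", expiry_time(PWD_LAST_SET, ONE_DAY).astimezone(CET))
    for label, when in (("2015 logon", SAME_DAY), ("2017 logon", LATER)):
        print(label, password_state(PWD_LAST_SET, ONE_DAY, 0, when))
    print("pwdLastSet=0:", password_state(0, ONE_DAY, 0, LATER))
    print("UF_DONT_EXPIRE_PASSWD:",
          password_state(PWD_LAST_SET, ONE_DAY, UF_DONT_EXPIRE_PASSWD, LATER))
```

Run stand-alone it prints the same expiry instant that kinit reported in Comment 1 (Tue Nov 24 16:43:40 2015 CET), "valid" for the 2015 logon and "expired" for the 2017 one, which is the behaviour the report says later releases stop enforcing. To compare against a live domain, read pwdLastSet and userAccountControl from the user object and maxPwdAge from the domain object and feed them to password_state.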