Univention Bugzilla – Bug 46126
60_umc/07_expired_password / 60_umc/105_change_expired_password_fail_reason are failing in UCS 4.3
Last modified: 2018-03-14 14:38:26 CET
[2018-01-21 23:40:16.965218] ### Preparation: set fresh complex password via UMC login password change dialog
(2018-01-21 23:40:18.843443) error 2018-01-21 23:40:18 Unexpected output returned by UMC during password change: 401
(2018-01-21 23:40:18.844358) error 2018-01-21 23:40:18 **************** Test failed above this line (110) ****************
The PAM stack of UMC doesn't detect an expired password anymore for a user with: --set pwdChangeNextLogin=1 --set locked=posix.
/var/log/auth.log during trying to authenticate via UMC:
Jan 23 22:37:26 master110 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=foo
Jan 23 22:37:26 master110 kpasswdd[999]: Changing password for foo@DEV2.LOCAL
Jan 23 22:37:26 master110 kpasswdd[999]: <class 'univention.admin.uexceptions.pwalreadyused'>
Jan 23 22:37:26 master110 kpasswdd[999]: Changing password for foo@DEV2.LOCAL
Jan 23 22:37:26 master110 kpasswdd[999]: <class 'univention.admin.uexceptions.pwalreadyused'>
Jan 23 22:37:26 master110 python2.7: pam_krb5(univention-management-console:auth): authentication failure; logname=foo uid=0 euid=0 tty= ruser= rhost=
Let's see if "build-package-architecture-ng -r 4.3 -p heimdal" on ladda helps. libpam-heimdal ships pam_krb5.so which was probably built before libpam-krb5 with the patch 001-fix-detection-of-expired-password.quilt. At least the build mails say so:
libpam-krb5 04.02.2018
heimdal 08.12.2017
Building heimdal failed :-/
4 tests in 60_umc/105_change_expired_password_fail_reason (on a system with Samba3) are also failing for the same reason.
When I downgrade the packages nothing changes: apt install heimdal-clients=1.6~rc2+dfsg-9A~4.2.0.201707121211 libpam-heimdal=4.6-3+b1A~4.2.0.201706020740
60_umc/104_expired_password is also failing on Samba3 with the same error.
Rebuild of heimdal + libpam-krb5 did not help.
As 07_expired_password is failing every release I added more verbosity to it: ucs-test (8.0.17-1) 3ff550e4624b | Bug #46126: enhance verbosity of 07_expired_password
The reason for the test to fail seems to be a defective curl statement in the test.
Ok, could you file a patch?
Successful build
Package: ucs-test
Version: 8.0.28-18A~4.3.0.201802161544
Branch: ucs_4.3-0
Scope:
User: jahlers
Host: dimma.knut.univention.de
I repaired the test 60_umc/07_expired_password, I also already built it. It still fails though, but this time probably due to a bug in ucs. Changing of expired passwords seems to be broken, which is what both scripts test for.
root@ucs-4121:/usr/share/ucs-test/60_umc $ ./07_expired_password
info 2018-02-19 15:51:42 create user jün2änht using udm-test users/user create --position=cn=users,dc=mydomain,dc=intranet --set username=jün2änht --set firstname=Max --set lastname=Muster --set organisation=firma.de_GmbH --set password=univention
Object created: uid=jün2änht,cn=users,dc=mydomain,dc=intranet
### Preparation: Activate pwQualityCheck in policies/pwhistory
## Note: non-Samba4 DCs require this to activate univention.password.Check (for check_cracklib.py)
info 2018-02-19 15:51:43 EXECUTING: udm-test 'policies/pwhistory' modify --dn "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet" --set pwQualityCheck=TRUE
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet
info 2018-02-19 15:51:43 policies/pwhistory object default-settings modified
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits
### Preparation: simulate password expiry
info 2018-02-19 15:51:43 EXECUTING: udm-test 'users/user' modify --dn "uid=jün2änht,cn=users,dc=mydomain,dc=intranet" --set pwdChangeNextLogin=1
Object modified: uid=jün2änht,cn=users,dc=mydomain,dc=intranet
info 2018-02-19 15:51:43 users/user object jün2änht modified
debug 2018-02-19 15:51:44 Waiting for replication...
OK: replication complete (nid=3268 lid=3268)
info 2018-02-19 15:51:44 replication complete.
debug 2018-02-19 15:51:44 Waiting for postrun...
### Preparation: set fresh complex password via UMC login password change dialog
info 2018-02-19 15:52:01 Executing: curl -s -H 'Accept: application/json; q=1, */*' -H 'Accept-Language: en-US' --cookie-jar '/tmp/tmp.TugbL0fvn5' -H Content-Type:application/json -d {"options":{"username":"jün2änht","password":"univention","new_password":"Univention.1"}} http://localhost/univention/auth
info 2018-02-19 15:52:01 Response was: {"status": 401, "message": "Changing password failed. The entered password does not match the current one.", "traceback": null, "location": "http://localhost/univention/auth"}
error 2018-02-19 15:52:01 Unexpected output returned by UMC during password change: 401
error 2018-02-19 15:52:01 **************** Test failed above this line (110) ****************
Unsetting password/quality/credit/lower
Unsetting password/quality/credit/upper
Unsetting password/quality/credit/other
Unsetting password/quality/credit/digits
info 2018-02-19 15:52:01 EXECUTING: udm-test 'policies/pwhistory' modify --dn "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet" --remove pwQualityCheck
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet
info 2018-02-19 15:52:02 policies/pwhistory object default-settings modified
info 2018-02-19 15:52:02 remove user jün2änht
Object removed: uid=jün2änht,cn=users,dc=mydomain,dc=intranet
debug 2018-02-19 15:52:02 user jün2änht removed
info 2018-02-19 15:52:02 checking whether the user jün2änht is really removed
debug 2018-02-19 15:52:02 user jün2änht does not exist
Starting 1 ucs-test at 2018-02-19 15:52:02 to /dev/null
UCS 4.3-0-e0
ucs-test 8.0.28-19A~4.3.0.201802181157
Change of expired password at UMC logon (with password complexity).........................................................................................................
Test failed
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:account): expired password for user jün2änht (password aged)
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:chauthtok): user "jün2änht" does not exist in /etc/passwd
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: entry (prelim)
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jün2änht) attempting authentication as jün2änht@MYDOMAIN.INTRANET for kadmin/changepw
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jün2änht) krb5_get_init_creds_password: KDC policy rejects request
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: exit (failure)
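The auth.log excerpts in this ticket show the UMC PAM stack passing through the account phase (expired password detected) and then failing in chauthtok. The following is an added helper, not part of ucs-test or UCS, that parses such syslog lines and reports which phase flagged the expiry and why the password change failed; the sample log is constructed after the lines above (user jdoe, realm EXAMPLE.TEST are made up).

```python
import re

# Matches the syslog/PAM line shape quoted in this ticket:
# "<ts> <host> <proc>[pid]: pam_<mod>(<service>:<phase>): <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<proc>[^\s\[:]+)(?:\[\d+\])?: '
    r'(?:(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<phase>\w+)\): )?'
    r'(?P<msg>.*)$')

# Constructed sample modelled on the ticket's auth.log lines (not a live log).
SAMPLE_LOG = """\
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:account): expired password for user jdoe (password aged)
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:chauthtok): user "jdoe" does not exist in /etc/passwd
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: entry (prelim)
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jdoe) krb5_get_init_creds_password: KDC policy rejects request
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: exit (failure)
Feb 19 15:52:02 ucs-4121 kpasswdd[999]: Changing password for jdoe@EXAMPLE.TEST
"""


def parse_pam_events(text, service='univention-management-console'):
    """Return (module, phase, message) tuples for one PAM service; lines
    without a pam_*(service:phase) prefix (e.g. kpasswdd) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group('module') and m.group('service') == service:
            events.append((m.group('module'), m.group('phase'), m.group('msg')))
    return events


def diagnose(events):
    """Did the account phase flag an expired password, and did chauthtok fail?"""
    expired = any(ph == 'account' and 'expired password' in msg
                  for _, ph, msg in events)
    # pam_unix's "does not exist in /etc/passwd" is expected for LDAP users;
    # the stack falls through to pam_krb5, so only non-pam_unix errors count.
    errors = [msg for mod, ph, msg in events
              if ph == 'chauthtok' and mod != 'pam_unix'
              and ('rejects' in msg or 'failure' in msg)]
    return {'expired_detected': expired,
            'chauthtok_failed': bool(errors),
            'chauthtok_reason': errors[0] if errors else None}


if __name__ == '__main__':
    print(diagnose(parse_pam_events(SAMPLE_LOG)))
```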
Changing password in UMC seems to work now, but dictionary words are allowed for some reason (see bug 46131). Also the 'change password on next login' option does not reset after changing the password. Bug 46171 seems similar as well.
I fixed 07_expired_password, which constantly failed because the reporter of this bug explicitly locked the generated test account (commit 3f4bdc3d12). After that password changes via UMC don't work any more, because the account cannot authenticate any longer for the period of lockout. Samba by default has a "Account lockout duration" of 0, which means "forever" (MS AD seems to default to 1800 seconds). The other two tests work for me (UCS 4.3 Master with Samba/AD):
60_umc/104_expired_password.py -f
60_umc/105_change_expired_password_fail_reason.py -f
Ok, I also can reproduce that 104_expired_password.py fails on a non-Samba UCS Master (and probably the 105_* check too). Strange stuff. After quite a bit of fruitless debugging I've asked Florian for advice. Somehow the password change doesn't remove the pwdChangeNextLogin=1 property (I guess that's backed by the LDAP attribute sambaPwdLastSet). I don't even see any users/user code getting executed for the UMC password change -- yet the password *is* changed. On a Samba/AD Master it simply works, I guess the S4-Connector sets that attribute to some useful value in that case.
Fixed 105_change_expired_password_fail_reason.py in e98850bfacefc034dfd57da0882ee1afbb50797a: the fixture enabled_password_quality_checks (which enables univentionPWQualityCheck) has not been executed and therefore the REASON_DICTIONARY failed.
Both tests seem to work now. They both passed all recent jenkins tests and my manual tests both with and without samba.
Commit e98850bfacefc034dfd57da0882ee1afbb50797a also removed these UCR settings: handler_set(['password/quality/credit/lower=1', 'password/quality/credit/upper=1', 'password/quality/credit/other=1', 'password/quality/credit/digits=1'])
(In reply to Arvid Requate from comment #19)
> Commit e98850bfacefc034dfd57da0882ee1afbb50797a also removed these UCR
> settings:
>
> handler_set(['password/quality/credit/lower=1',
> 'password/quality/credit/upper=1', 'password/quality/credit/other=1',
> 'password/quality/credit/digits=1'])

This handler_set stuff was in the fixture enabled_password_quality_checks(), but the fixture itself wasn't used (in 4.2-3 and before the e98850bfacefc034dfd57da0882ee1afbb50797a change), so we removed something that wasn't used and has apparently no effect on the test (the test itself has not been modified). I think that is ok.
Ah, ok.
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html
If this error occurs again, please use "Clone This Bug".