Bug 48720 - "User must change password at next logon" not synced to UCS
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2019-02-20 17:33 CET by Felix Botner
Modified: 2020-06-02 10:52 CEST (History)
What kind of report is it?: Development Internal
Description Felix Botner univentionstaff 2019-02-20 17:33:19 CET
Created a user in AD, then set "User must change password at next logon". I can still log on with that account (LDAP/Kerberos) in UCS.

UCS object:
shadowLastChange: 17947

AD object:
pwdLastSet: 0

So we do not properly sync pwdLastSet: 0 from AD to UCS.

(in an ideal world pwdlastset=0 would be shadowLastChange=0 in UCS)

man shadow

date of last password change
           The date of the last password change, expressed as the number of days since Jan 1, 1970.

           The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system.

           An empty field means that password aging features are disabled.
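The mapping the description asks for, as an added example (not the AD Connector's code and not part of the bug report): it converts an AD `pwdLastSet` value to `shadowLastChange` and flags accounts where AD demands a password change but the UCS object does not. The function names, the attribute dictionaries and the sample records are assumptions constructed for illustration.

```python
# Added example: AD pwdLastSet -> UCS shadowLastChange, plus a drift check.
# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# shadowLastChange is days since 1970-01-01; 0 means "change at next login".

EPOCH_DIFF_SECONDS = 11644473600  # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000
SECONDS_PER_DAY = 86400


def pwd_last_set_to_shadow_last_change(pwd_last_set):
    """Return the shadowLastChange value matching an AD pwdLastSet value."""
    ticks = int(pwd_last_set)
    if ticks == 0:
        # "User must change password at next logon" is set in AD.
        return 0
    unix_seconds = ticks // TICKS_PER_SECOND - EPOCH_DIFF_SECONDS
    if unix_seconds < 0:
        raise ValueError("pwdLastSet predates the Unix epoch: %r" % pwd_last_set)
    return unix_seconds // SECONDS_PER_DAY


def find_unsynced_forced_changes(accounts):
    """Return names where AD has pwdLastSet=0 but UCS shadowLastChange is not 0.

    `accounts` is an iterable of (name, ad_attrs, ucs_attrs); attribute values
    are strings, as an LDAP search would return them (hypothetical input shape).
    """
    flagged = []
    for name, ad_attrs, ucs_attrs in accounts:
        if int(ad_attrs.get("pwdLastSet", "-1")) != 0:
            continue
        # A missing shadowLastChange means password aging is disabled,
        # so the forced change is not enforced on the UCS side either.
        if ucs_attrs.get("shadowLastChange") != "0":
            flagged.append(name)
    return flagged


# Constructed sample records; "alice" mirrors the values in the report.
SAMPLE_ACCOUNTS = [
    ("alice", {"pwdLastSet": "0"}, {"shadowLastChange": "17947"}),
    ("bob", {"pwdLastSet": "0"}, {"shadowLastChange": "0"}),
    ("carol", {"pwdLastSet": "131951520000000000"}, {"shadowLastChange": "17947"}),
]

if __name__ == "__main__":
    print(find_unsynced_forced_changes(SAMPLE_ACCOUNTS))
```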
Comment 1 Arvid Requate univentionstaff 2020-06-02 10:52:59 CEST
Since I just visited that code: These UCR variables may affect things here (but probably are not enough):
 
* connector/ad/password/timestamp/check
* connector/ad/password/timestamp/syncreset/ucs
* connector/ad/password/timestamp/syncreset/ad