Bug 24185 - Account deactivation is set wrong when setting Account expiry date
Account deactivation is set wrong when setting Account expiry date
Status: RESOLVED DUPLICATE of bug 39817
Product: UCS
Classification: Unclassified
Component: UMC - Users
UCS 4.2
Other Linux
: P5 normal (vote)
: ---
Assigned To: UMC maintainers
:
Depends on:
Blocks: 45467
  Show dependency treegraph
 
Reported: 2011-10-25 13:35 CEST by Felix Botner
Modified: 2018-04-13 13:30 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2011-10-25 13:35:59 CEST
Ich habe einen Benutzer für den die Konto-Deaktivierung auf "Alle deaktiviert" steht (disabled: all). Wenn ich nun ein (vorhandenes) Kontoablauf-Datum ändere, wird die Konto-Deaktivierung automatisch auf "Windows and Kerberos disabled" gesetzt (disabled: windows_kerberos).
Comment 1 Philipp Hahn univentionstaff 2014-11-17 14:09:54 CET
Still applies to UCS-4.0.
Might be relevant for Bug #36747.
Comment 2 Florian Best univentionstaff 2017-02-18 04:49:17 CET
*** Bug 33394 has been marked as a duplicate of this bug. ***
Comment 3 Stefan Gohmann univentionstaff 2017-06-16 20:40:44 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 4 Florian Best univentionstaff 2017-08-30 10:54:11 CEST

*** This bug has been marked as a duplicate of bug 45287 ***
Comment 5 Florian Best univentionstaff 2017-09-26 18:21:01 CEST
Not a exact duplicate but similar.
Comment 6 Florian Best univentionstaff 2017-09-26 18:26:17 CEST
root@master:~# udm users/user create --set username=bug24185 --set lastname=foo --set password=univention                                                                                                                                                                        
Object created: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 1.ldif
root@master:~# udm users/user modify --dn uid=bug24185,dc=school,dc=local --set disabled=all --set userexpiry=2017-10-10                                                                                                                                                         
Object modified: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 2.ldif                                                                                                                                                                                                 
root@master:~# udm users/user list --position uid=bug24185,dc=school,dc=local | grep -e disabled -e userexpiry                                                                                                                                                                   
  disabled: windows_kerberos
  userexpiry: 2017-10-10
root@master:~# ldiff 1.ldif 2.ldif 
dn: uid=bug24185,dc=school,dc=local
+shadowExpire: 17449
+sambaKickoffTime: 1507586400
+sambaAcctFlags: [UD         ]
-sambaAcctFlags: [U          ]
+krb5ValidEnd: 20171010000000Z
+krb5KDCFlags: 254
-krb5KDCFlags: 126
root@master:~# udm users/user modify --dn uid=bug24185,dc=school,dc=local --set disabled=all
Object modified: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 3.ldif                                                                                                                                                                                                 
root@master:~# udm users/user list --position uid=bug24185,dc=school,dc=local | grep -e disabled -e userexpiry                                                                                                                                                         
  disabled: all
  userexpiry: 2017-10-10
root@master:~# ldiff 2.ldif 3.ldif 
dn: uid=bug24185,dc=school,dc=local
-shadowExpire: 17449
+shadowExpire: 1
Comment 7 Florian Best univentionstaff 2017-09-26 19:06:29 CEST
The code is the following:
https://git.knut.univention.de/univention/ucs/blob/4.2-2/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py#L2290

If userexpiry is set then shadowExpire is set to that date. This is imho also correct behavior.

Maybe we could instead check if the set date in shadowExpire is in the past and append posix to "disabled" in that case. Then the displaying in UMC is at least correct if the user account is already expired.
Comment 8 Florian Best univentionstaff 2017-09-26 19:08:05 CEST
(In reply to Florian Best from comment #7)
> Maybe we could instead check if the set date in shadowExpire is in the past
> and append posix to "disabled" in that case. Then the displaying in UMC is
> at least correct if the user account is already expired.
Hmm, this seems to be already the case?!:
open():
1607 »   »   »   »   if shadowExpire == '1' or (shadowExpire < int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or self._is_windows_disabled())):
1608 »   »   »   »   »   self.__add_disabled('posix')
Comment 9 Philipp Hahn univentionstaff 2017-09-27 08:47:43 CEST
(In reply to Florian Best from comment #8)
> Hmm, this seems to be already the case?!:
> open():
> 1607 »   »   »   »   if shadowExpire == '1' or (shadowExpire <
> int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or
> self._is_windows_disabled())):
> 1608 »   »   »   »   »   self.__add_disabled('posix')

I would have expected something like this:
_is_kerberos_disabled() -> self._add_disabled('kerberos')?
_is_windows_disbaled() -> self._add_disabled('windows')?

(In reply to Florian Best from comment #7)
> Maybe we could instead check if the set date in shadowExpire is in the past
> and append posix to "disabled" in that case.

I would name it "expired" if now() > shadowExpire, as that makes it clearer, that the account expired (automatically) through the set expiry date, rather then being disabled manually by the admin .
Comment 10 Florian Best univentionstaff 2017-10-06 11:29:07 CEST
(In reply to Philipp Hahn from comment #9)
> (In reply to Florian Best from comment #8)
> > Hmm, this seems to be already the case?!:
> > open():
> > 1607 »   »   »   »   if shadowExpire == '1' or (shadowExpire <
> > int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or
> > self._is_windows_disabled())):
> > 1608 »   »   »   »   »   self.__add_disabled('posix')
> 
> I would have expected something like this:
> _is_kerberos_disabled() -> self._add_disabled('kerberos')?
> _is_windows_disbaled() -> self._add_disabled('windows')?
Well, this is already done, too:
  1587 »   »   »   »   »   »   if acctFlags['D'] == 1:
  1588 »   »   »   »   »   »   »   self.__add_disabled('windows')

  1602 »   »   »   »   if kdcflags == '254':
  1603 »   »   »   »   »   self.__add_disabled('kerberos')
Comment 11 Florian Best univentionstaff 2018-01-31 15:16:06 CET

*** This bug has been marked as a duplicate of bug 39817 ***