Bug 28331 - Samba domain object and password complexity
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.0-1-errata
Assigned To: Felix Botner
QA Contact: Stefan Gohmann
Reported: 2012-08-28 07:18 CEST by Stefan Gohmann
Modified: 2015-04-21 09:17 CEST (History)
Description Stefan Gohmann univentionstaff 2012-08-28 07:18:04 CEST
The password complexity attribute should be added to the Samba domain object and also be synchronised by the S4 Connector.
Comment 1 Tim Petersen univentionstaff 2014-11-20 09:56:22 CET
root@master:~# ucr get version/version 
4.0

root@master:~# udm settings/sambadomain list

DN: sambaDomainName=DOMAIN,cn=samba,dc=domain,dc=tim
ARG: None
  NextUserRid: 1000
  passwordHistory: 5
  SID: S-1-5-21-3862440394-1098682592-1530949938
  badLockoutAttempts: 1
  NextGroupRid: 1000
  passwordLength: 8
  resetCountMinutes: 2
  minPasswordAge: None
  name: DOMAIN
  lockoutDuration: 30 minutes
  refuseMachinePWChange: None
  NextRid: None
  disconnectTime: 4 seconds
  maxPasswordAge: 10 days
  logonToChangePW: None


Still not stored and synched in 4.0 - would really be nice!
Comment 2 Stefan Gohmann univentionstaff 2015-01-20 20:50:47 CET
Maybe as erratum for 4.0-1.
Comment 3 Felix Botner univentionstaff 2015-04-13 12:58:27 CEST
http://ldapwiki.willeke.com/wiki/PwdProperties

pwdProperties is a bitfield to indicate complexity and storage restrictions.

Description:
 * DOMAIN_PASSWORD_COMPLEX 0x00000001L 
   The password must have a mix of at least two of the following types of 
   characters: Uppercase characters Lowercase characters Numerals
 * DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L
   The password cannot be changed without logging on. Otherwise, if your 
   password has expired, you can change your password and then log on.
 * DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L
   Forces the client to use a protocol that does not allow the domain 
   controller to get the plaintext password.
 * DOMAIN_LOCKOUT_ADMINS 0x00000008L
   Allows the built-in administrator account to be locked out from 
   network logons.
 * DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L
   The directory service is storing a plaintext password for all 
   users instead of a hash function of the password.
 * DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L
   Removes the requirement that the machine account password be automatically 
   changed every week. This value should not be used as it can weaken security.

LDAP schema:
 * S4
   attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' 
   SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
 * AD
   attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' 
   SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )


ONLY domainPasswordComplex and domainPasswordStoreCleartext have been added here (as samba-tool only knows these two). These two are mapped to the domainPwdProperties UDM attribute (univentionSamba4pwdProperties in LDAP). And this domainPwdProperties is synced to S4.


YAML:

 * 2015-03-26-univention-ldap.yaml
   + added univentionSamba4pwdProperties 
     (integer, single value) attribute to sambaDomain object class,
   + added default (1) to samba domain object in base.ldif

 * 2015-03-27-univention-s4-connector.yaml
   + added sync of domainPwdProperties <-> pwdProperties in 
     univention/s4connector/s4/dc.py
   + the join script now sets domainPasswordComplex=1 for the UDM
     samba domain object (this is the default in s4) IF 
     connector/s4/allow/secondary is not TRUE (not a ucs@school slave)
   + postinst: set syncmode=write for sambadomain 
     (connector/s4/mapping/dc/syncmode) if connector/s4/allow/secondary 
     is TRUE (ucs@school slave)
   + postinst: for this update, resync sambadomain from s4 to UCS,
     if not connector/s4/allow/secondary (not a ucs@school slave)

 * 2015-03-27-univention-directory-manager-modules.yaml
   + added domainPasswordComplex (UMC, boolean) to sambadomain.py 
   + added domainPasswordStoreCleartext (UMC, boolean) to sambadomain.py 
   + domainPwdProperties (NOT in UMC, used by the connector) to sambadomain.py 


Tests:
 * update (of all packages) -> complexity should be in sync and 1
 * new installation -> complexity should be in sync and 1
 * sync mode on UCS@school slaves should be write for 
   connector/s4/mapping/dc/syncmode
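As an added example (not Univention/UCS code), the following Python decodes the pwdProperties bitfield listed in the comment above and mirrors the two-boolean UDM mapping (domainPasswordComplex, domainPasswordStoreCleartext) it describes. The flag names and values come from the comment; the helper function names and the weak-flag check are assumptions for illustration.

```python
# Flag names and bit values as listed in the comment (AD/Samba pwdProperties).
PWD_PROPERTIES = {
    "DOMAIN_PASSWORD_COMPLEX": 0x00000001,
    "DOMAIN_PASSWORD_NO_ANON_CHANGE": 0x00000002,
    "DOMAIN_PASSWORD_NO_CLEAR_CHANGE": 0x00000004,
    "DOMAIN_LOCKOUT_ADMINS": 0x00000008,
    "DOMAIN_PASSWORD_STORE_CLEARTEXT": 0x00000010,
    "DOMAIN_REFUSE_PASSWORD_CHANGE": 0x00000020,
}

# Bits whose presence weakens the policy, per the flag descriptions above.
WEAKENING_FLAGS = {"DOMAIN_PASSWORD_STORE_CLEARTEXT", "DOMAIN_REFUSE_PASSWORD_CHANGE"}


def decode_pwd_properties(value):
    """Return the set of flag names set in a pwdProperties value.
    LDAP delivers INTEGER syntax as a string, so accept str or int."""
    value = int(value)
    names = {name for name, bit in PWD_PROPERTIES.items() if value & bit}
    unknown = value & ~sum(PWD_PROPERTIES.values())
    if unknown:  # bits not documented above; keep them visible rather than drop them
        names.add("UNKNOWN_0x%08x" % unknown)
    return names


def udm_to_pwd_properties(domain_password_complex, domain_password_store_cleartext, current=0):
    """Compose pwdProperties from the two UDM booleans (hypothetical helper).
    Only the two mapped bits are rewritten; other bits in `current` are preserved."""
    mask = PWD_PROPERTIES["DOMAIN_PASSWORD_COMPLEX"] | PWD_PROPERTIES["DOMAIN_PASSWORD_STORE_CLEARTEXT"]
    value = int(current) & ~mask
    if domain_password_complex:
        value |= PWD_PROPERTIES["DOMAIN_PASSWORD_COMPLEX"]
    if domain_password_store_cleartext:
        value |= PWD_PROPERTIES["DOMAIN_PASSWORD_STORE_CLEARTEXT"]
    return value


def pwd_properties_to_udm(value):
    """Split pwdProperties into the UDM booleans as (complex, store_cleartext)."""
    flags = decode_pwd_properties(value)
    return ("DOMAIN_PASSWORD_COMPLEX" in flags, "DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags)


def policy_warnings(value):
    """Sorted names of weakening flags present in `value`, usable in a policy check."""
    return sorted(decode_pwd_properties(value) & WEAKENING_FLAGS)


if __name__ == "__main__":
    print(decode_pwd_properties("1"))  # the default (1) written to base.ldif
    print(policy_warnings(0x31))       # constructed value: complex + cleartext + refuse-change
```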
Comment 4 Felix Botner univentionstaff 2015-04-14 10:28:00 CEST
Removed the domainPasswordComplex default from the join script

-> univention-s4-connector 9.0.16-17.548.201504141005
Comment 5 Stefan Gohmann univentionstaff 2015-04-14 17:37:14 CEST
Test upgrade previously ON: OK

Test upgrade previously OFF: OK

Test new installation: OK

Code review: OK
 - univention-ldap: OK
 - univention-directory-manager: OK
 - univention-s4-connector: OK

YAML: OK