Univention Bugzilla – Bug 32227
Failing minimum password age check in Samba4 RC2
Last modified: 2013-11-19 06:44:19 CET
Password change against Samba4 RC2 is blocked sometimes due to the minimum password age constraint -- even though no such constraint was configured:
==========================================================================
root@master110:~# kpasswd user1
user1@ARERR311I3.QA's Password:
New password:
Verify password - New password:
Soft error : Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.

root@master110:~/src# samba-tool domain passwordsettings show
Password informations for domain 'DC=arerr311i3,DC=qa'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
==========================================================================
log.samba shows:
==========================================================================
ldb: ldb_asprintf/set_errstring: 0000052D: Constraint violation - check_password_restrictions: password is too young to change
==========================================================================
This traces back to source4/dsdb/samdb/ldb_modules/password_hash.c

The password change via kpasswd was only possible after manually faking an older pwdLastSet on the user account.

I think this is not a heimdal problem as it works on a samba3 system:

root@master82:~# kpasswd user1
user1@ARUCS310T5.QA's Password:
New password for user1@ARUCS310T5.QA:
Verify password - New password for user1@ARUCS310T5.QA:
Success : Password changed

Could be a timezone issue: After setting a user password via UDM-CLI the OpenLDAP record shows:
=================================================================
sambaPwdLastSet: 1375716545

# date -d @1375716545 --rfc-3339=s
=> 2013-08-05 11:29:05-04:00

root@master110:~/src/samba-4.1.0~rc2# date -R
Mon, 05 Aug 2013 11:30:11 -0400
root@master110:~/src/samba-4.1.0~rc2# cat /etc/timezone
America/New_York
root@master110:~/src/samba-4.1.0~rc2# date -u
Mon Aug 5 15:30:30 UTC 2013
=================================================================
The Samba4 record shows:
=================================================================
pwdLastSet: 130202117450000000
# decoded (Note: timezone not converted to local time):
# pwdLastSet: 2013-08-05 17:29:05
=================================================================
Password change worked after modifying pwdLastSet to represent a time slightly lower than 11:30.

Btw. this is also reproducible with samba-tool:
samba-tool user password -Uuser1%univention --newpassword=FooBar123

Created attachment 5368
Patch for S4 Connector function samba2s4_time

IIRC Active Directory times (at least pwdLastSet) are given in local time. Also s42samba_time(samba2s4_time(123456789)) must be == 123456789. The attached patch attempts to fix this.

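The round-trip property stated in this comment and the timestamps quoted in the previous one can be checked with a short script. This is an added example, not the attached patch or the connector's code: the function names are hypothetical, pwdLastSet is treated as a count of 100 ns intervals since 1601-01-01 UTC, and the age check is a simplified model.

```python
# Added example: names below are hypothetical, not the S4 connector's API.
EPOCH_DELTA = 11644473600      # seconds from 1601-01-01 to 1970-01-01 (UTC)
TICKS_PER_SECOND = 10_000_000  # pwdLastSet counts 100 ns intervals

def unix_to_nt(unix_seconds):
    """Unix seconds -> NT time, integer arithmetic only (no local time zone)."""
    return (unix_seconds + EPOCH_DELTA) * TICKS_PER_SECOND

def nt_to_unix(nt_time):
    """NT time -> Unix seconds, the exact inverse for whole seconds."""
    return nt_time // TICKS_PER_SECOND - EPOCH_DELTA

def skew_seconds(samba_pwd_last_set, pwd_last_set):
    """How far the Samba4 pwdLastSet is ahead (+) of OpenLDAP sambaPwdLastSet."""
    return nt_to_unix(pwd_last_set) - samba_pwd_last_set

def too_young(pwd_last_set, now_unix, min_age_seconds=0):
    """Simplified model of a minimum-age check (assumption, not Samba's code):
    a change is refused while last-set time plus minimum age is ahead of now."""
    return nt_to_unix(pwd_last_set) + min_age_seconds > now_unix

# Values quoted in the report above.
SAMBA_PWD_LAST_SET = 1375716545    # OpenLDAP sambaPwdLastSet
PWD_LAST_SET = 130202117450000000  # Samba4 pwdLastSet
NOW = SAMBA_PWD_LAST_SET + 66      # `date -R` output: 11:30:11 -0400, 66 s later

if __name__ == "__main__":
    print("round trip ok:", nt_to_unix(unix_to_nt(123456789)) == 123456789)
    print("skew (s):", skew_seconds(SAMBA_PWD_LAST_SET, PWD_LAST_SET))
    print("too young, stored value:", too_young(PWD_LAST_SET, NOW))
    print("too young, offset-free value:",
          too_young(unix_to_nt(SAMBA_PWD_LAST_SET), NOW))
```

With the values from the report, the stored pwdLastSet lies 21600 seconds ahead of sambaPwdLastSet, so the modelled check refuses the change even with a minimum password age of 0.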
Patch looks good. Please apply.
Checked in and built, changelog committed.
OK, the values are OK now. Changelog: OK
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".