Univention Bugzilla – Bug 34478
Password complexity check triggers error in s4connector and prevents user sync
Last modified: 2014-05-07 15:25:58 CEST
If you use a UCS system with English locales and activate the dictionary check, the s4 connector will not replicate users created with the AD-Tools. The issue is that one of the password checks tries to replace Wörterbuch with W?rterbuch, with the ö in Wörterbuch creating an error. The connector will then write the error in the log with the message that the pwQuality isn't fulfilled. After disabling the dictionary check, the issue resolves and the users are replicated.

To replicate it:
* Install master with Samba 4
* Set the password complexity check and dictionary check
* Join English Windows 7
* Install AD-User and Computer tools
* Create user in AD-Tools (using a compliant password)

I didn't try to replicate the bug with a German-language system.
Can you append the connector and samba log files?
Created attachment 5852 [details] Connector Logs
Created attachment 5853 [details] Samba Logs
Logs are attached. The respective user is "testera", the password is Uiaeo123snrt. Internally, the systems are available at kkorte_samba4-test-*
Created attachment 5854 [details] bug34478_password_complexity.patch

Thanks for the logs. Does the attached patch fix the problem for you?

    patch -d /usr/share/pyshared/ -p 1 <bug34478_password_complexity.patch
    service univention-s4-connector restart
Thanks for the fast patch. After applying the steps outlined, both rejected and new users are synchronized between S4 and OpenLDAP. Login works on both. Password change from the Windows, kpasswd and UMC as well.
We just observed this again in a customer samba3->samba4 migration test. Maybe we should think about adding and using a univention-lib function to generate a password according to the password policy for a given DN. For another proposal see also Bug 34067.
The patch has been applied:
Code: r49469
YAML: r49471

I've also added a test case (r49470): 030_sync_with_activated_pwqualitycheck

(In reply to Arvid Requate from comment #7)
> We just observed this again in a customer samba3->samba4 migration test.
>
> Maybe we should think about adding and using a univention-lib function to
> generate a password according to the password policy for a given DN.
> For another proposal see also Bug 34067.

Yes, that might be something for a later fix.
Verified:
* The password complexity is improved significantly.
* The test case works
* YAML advisory ok.
http://errata.univention.de/ucs/3.2/107.html