Bug 35985 - Change of expired password via UMC not possible anymore
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0
Assigned To: Florian Best
Arvid Requate
: interim-3
Depends on:
Blocks: 35847
Reported: 2014-09-23 18:10 CEST by Florian Best
Modified: 2015-03-06 12:25 CET

Description Florian Best univentionstaff 2014-09-23 18:10:56 CEST
The request for changing the password fails with the following response:
{"status": "411 Length Required", "message": "Current Kerberos password: "}

The "message" is the prompt from PAM which was unanswered. Seems something changed in the format in UCS 4.

The UMC only displays:
Authentication error
The system does not allow changing the password. The reason could not be determined.
Comment 1 Florian Best univentionstaff 2014-10-23 02:28:16 CEST
/var/log/auth.log says:
Oct 22 07:26:27 master3 python: pam_unix(univention-management-console:account): expired password for user disabled (password aged)
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:account): expired password for user disabled (password aged)
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [min=4]
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [max=32]
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): user "disabled" does not exist in /etc/passwd
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [min=4]
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [max=32]
Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): user "disabled" does not exist in /etc/passwd
Comment 2 Florian Best univentionstaff 2014-10-23 02:52:56 CEST
In /etc/pam.d/univention-management-console there is an option min=4 max=32.
The manpage of pam_unix says nothing about these options. There is only "minlen" but nothing for "max". I guess we don't need this for local users, so we can remove those. After removing them PAM still fails to change the expired password → PAM thinks that the user is a local user and can't find it in /etc/passwd → why doesn't PAM detect that it is an LDAP user?
Comment 3 Stefan Gohmann univentionstaff 2014-10-23 06:34:45 CEST
(In reply to Florian Best from comment #2)
> In /etc/pam.d/univention-management-console is a option min=4 max=32.
> The manpage of pam_unix tells nothing about these options. There is only
> "minlen" but nothing for "max". I guess we don't need this for local users,
> so we can remove those. After removing pam still fails to change the expired
> password → PAM thinks that the user is a local user and can't find it in
> /etc/passwd → why doesn't pam detect that it is a LDAP user?

If I remember correctly, the user is found via getent passwd. Some time ago we added the host authentication data to libnss-ldap.conf and now getent shadow returns the userPassword as well. But I'm not completely sure if that is the reason for the problem.

Here on my test system I was able to change the password via UMC login.
Comment 4 Stefan Gohmann univentionstaff 2014-10-23 07:12:26 CEST
In this case /usr/share/univention-directory-manager-tools/lock_expired_passwords should also be considered. It locks the user password if the password expired.

Nevertheless, if I add debug to pam_krb5, I see this

Oct 23 07:02:16 master701 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=stefan
Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): pam_sm_authenticate: entry
Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): (user stefan) attempting authentication as stefan@DEADLOCK70.INTRANET
Oct 23 07:02:16 master701 nscd: nss_ldap: reconnecting to LDAP server...
Oct 23 07:02:16 master701 nscd: nss_ldap: reconnected to LDAP server ldap://master701.deadlock70.intranet:7389 after 1 attempt
Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): (user stefan) krb5_get_init_creds_password: Generic error (see e-text)
Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): authentication failure; logname=stefan uid=0 euid=0 tty= ruser= rhost=
Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): pam_sm_authenticate: exit (failure)

It is similar to 

root@master701:~# kinit stefan
stefan@DEADLOCK70.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master701:~#

So, I think UMC should recognize the pam_krb5 return. If I add a user in 3.2, expire the password for this user and lock the user for POSIX, I could reproduce the behavior.
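The failure in the description (a PAM prompt "Current Kerberos password: " that the UMC's conversation callback never answered, echoed back as the whole error message) and the point in comment 4 (the client has to recognise what pam_krb5 returns) both come down to the client side of pam_chauthtok(). The following is an added example, not code from UCS or the UMC, of how that side can be written: answer prompts by keyword rather than by exact string, collect PAM_TEXT_INFO/PAM_ERROR_MSG texts, and map the PAM return code to a reason the user can act on instead of "The reason could not be determined". It calls no libpam; `conversation()` is meant to be plugged into a PAM binding such as python-pam or a ctypes wrapper. The pam_unix prompts and "Current Kerberos password:" are real; the other Kerberos prompt wordings are assumptions.

```python
"""Client side of an expired-password change through PAM (added example,
not UCS/UMC code). Pure logic: no libpam is called here."""
import re

# Message styles and return codes from Linux-PAM's <security/_pam_types.h>.
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12      # auth/acct: password expired, pam_chauthtok() needed
PAM_ACCT_EXPIRED = 13
PAM_AUTHTOK_ERR = 20           # chauthtok: new password rejected
PAM_AUTHTOK_RECOVERY_ERR = 21  # chauthtok: current password could not be verified


class UnansweredPrompt(Exception):
    """A module asked something we cannot answer; str(exc) is the prompt text.
    Surfacing that text is what made the bug on this page diagnosable."""


# Prompt wording differs per module. "(current) UNIX password:", "New password:"
# and "Retype new password:" are pam_unix's; "Current Kerberos password:" is on
# this page; "New Kerberos password:" / "Verify password - New Kerberos password:"
# are ASSUMED pam_krb5 wording. Keyword matching is what survives format changes.
_CURRENT = re.compile(r'\b(current|old)\b.*password', re.I)
_CONFIRM = re.compile(r'\b(retype|verify|re-?enter|repeat|again)\b.*password', re.I)
_NEW = re.compile(r'\bnew\b.*password', re.I)


def answer_prompt(text, phase, current_pw, new_pw):
    """Reply for one PAM_PROMPT_ECHO_OFF prompt, or raise UnansweredPrompt.

    phase: 'auth' (pam_authenticate: every hidden prompt wants the login
    password) or 'chauthtok' (current vs. new password must be told apart).
    """
    prompt = text.strip()
    if phase == 'auth':
        return current_pw
    if _CURRENT.search(prompt):
        return current_pw
    if _CONFIRM.search(prompt) or _NEW.search(prompt):
        return new_pw
    raise UnansweredPrompt(prompt)


def conversation(messages, phase, current_pw, new_pw):
    """Conversation function over [(msg_style, text), ...] sent by the stack.

    Returns (responses, info): one entry per message (None where no reply is
    expected) and the informational/error texts to show the user on failure.
    """
    responses, info = [], []
    for style, text in messages:
        if style == PAM_PROMPT_ECHO_OFF:
            responses.append(answer_prompt(text, phase, current_pw, new_pw))
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            info.append(text.strip())
            responses.append(None)
        else:
            # PAM_PROMPT_ECHO_ON (e.g. a username prompt) or unknown style:
            # refuse rather than type a password into a visible prompt.
            raise UnansweredPrompt(text.strip())
    return responses, info


_REASONS = {
    ('authenticate', PAM_AUTH_ERR): 'Wrong username or password.',
    ('authenticate', PAM_NEW_AUTHTOK_REQD): 'The password has expired and must be changed.',
    ('acct_mgmt', PAM_NEW_AUTHTOK_REQD): 'The password has expired and must be changed.',
    ('acct_mgmt', PAM_ACCT_EXPIRED): 'The account has expired.',
    ('chauthtok', PAM_AUTHTOK_RECOVERY_ERR): 'The current password was not accepted.',
    ('chauthtok', PAM_AUTHTOK_ERR): 'The new password was rejected.',
}


def explain_failure(call, retval, info=(), unanswered=None):
    """Map (pam_* call, return code, collected texts) to a user-facing reason."""
    if retval == PAM_SUCCESS and unanswered is None:
        return None
    if unanswered is not None:
        return 'PAM asked for "%s", which the client could not answer.' % unanswered
    generic = 'The system does not allow changing the password (%s returned %d).' % (call, retval)
    reason = _REASONS.get((call, retval), generic)
    if info:
        reason += ' ' + ' '.join(info)
    return reason


if __name__ == '__main__':
    # Constructed exchange: what a Kerberos module might send during pam_chauthtok().
    sent = [(PAM_TEXT_INFO, 'Changing password for stefan.'),
            (PAM_PROMPT_ECHO_OFF, 'Current Kerberos password: '),
            (PAM_PROMPT_ECHO_OFF, 'New Kerberos password: '),
            (PAM_PROMPT_ECHO_OFF, 'Verify password - New Kerberos password: ')]
    try:
        print(conversation(sent, 'chauthtok', 'old-secret', 'new-secret'))
    except UnansweredPrompt as exc:
        print(explain_failure('chauthtok', PAM_AUTHTOK_ERR, unanswered=str(exc)))
```

The split between `phase == 'auth'` and `'chauthtok'` matters: during pam_authenticate() every hidden prompt is for the login password, but during pam_chauthtok() a bare "Password:" is ambiguous and is deliberately left unanswered rather than guessed, so the failure names the prompt instead of silently sending the wrong secret.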
Comment 5 Stefan Gohmann univentionstaff 2014-10-23 07:19:14 CEST
We should also check the pam_krb5 options for defer_pwchange, fail_pwchange and force_pwchange.
Comment 6 Stefan Gohmann univentionstaff 2014-10-23 07:58:51 CEST
To make it a little bit more complicated, it seems to depend on the Kerberos server. Most tests work fine for me if I use the Samba 4 Kerberos server.
Comment 7 Florian Best univentionstaff 2014-10-28 13:13:00 CET
Fixed in svn55018.
Comment 8 Arvid Requate univentionstaff 2014-11-03 17:16:29 CET
Ok, works and changelog is ok.

Testcase: 60_umc/07_expired_password
Comment 9 Arvid Requate univentionstaff 2014-11-03 17:19:11 CET
See Bug 36319 Comment 1 for details.
Comment 10 Stefan Gohmann univentionstaff 2014-11-26 06:54:11 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".