Bug 36317 - S4 connector removes shadowMax and shadowLastChange on password change via samba/kerberos
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 3.2
Other Linux
: P5 normal
: UCS 4.0-1-errata
Assigned To: Felix Botner
Stefan Gohmann
Depends on:
Blocks: 36215 38494 45760 47595
Reported: 2014-10-27 17:47 CET by Felix Botner
Modified: 2018-09-05 00:53 CEST
Description Felix Botner univentionstaff 2014-10-27 17:47:20 CET
The connector removes shadowMax and shadowLastChange if the password is set via samba. 

The connector should properly set these attributes:

 -> shadowLastChange  (days since 1970-01-01 00:00:00 UTC)
 -> shadowMax keep if existing
Comment 1 Arvid Requate univentionstaff 2014-10-28 17:50:52 CET
Due to this bug, login to UMC fails after UMC password change of an expired password. univention-management-server.log shows:

31.10.14 19:19:16.371  AUTH        ( ERROR   ) : PAM: acct_mgmt error: ('Authentifizierungstoken ist nicht mehr g?ltig; neues erforderlich', 12)

Login works again after raising shadowLastChange (or removing pam_unix from the acct section of the pam stack).
Comment 2 Arvid Requate univentionstaff 2014-10-28 18:16:20 CET
Ignore comment 1, I had temporarily stopped the S4 connector on my testing system.
Comment 3 Tobias Birkefeld univentionstaff 2015-01-19 15:15:57 CET
Bug also seen in customer environment. Ticket#2014110621000331
Comment 4 Felix Botner univentionstaff 2015-03-03 13:39:41 CET
YAML: 2015-03-03-univention-s4-connector.yaml

The connector now always sets shadowLastChange to "days since epoch" and shadowMax to None or the value of the univentionPWExpiryInterval policy for this object.

test: 52_s4connector/401check_posix_pwd_expiry_after_ad_pwdchange


 * Without policy: shadowLastChange=now, no shadowMax after password change
   via s4

 * With policy: shadowLastChange=now, shadowMax=X after password change via S4

 * Without policy but with pwdChangeNextLogin=1: shadowLastChange=now, 
   no shadowMax after password change via s4

 * ...
Comment 5 Stefan Gohmann univentionstaff 2015-03-05 15:11:03 CET
As discussed, please set also krb5PasswordEnd.
Comment 6 Felix Botner univentionstaff 2015-03-05 18:03:41 CET
OK, the connector now sets krb5PasswordEnd if univentionPWExpiryInterval exists, otherwise krb5PasswordEnd is deleted.
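Added example, not the connector's own code: a sketch of the attribute values described in comments 4 and 6, plus a simplified pam_unix-style age check for auditing accounts. It assumes univentionPWExpiryInterval is a number of days and that krb5PasswordEnd is written as a GeneralizedTime string; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def days_since_epoch(when):
    """Whole days since 1970-01-01 00:00:00 UTC (the shadowLastChange unit)."""
    return (when - EPOCH).days


def expiry_attrs(changed_at, expiry_interval_days=None):
    """Expected POSIX/Kerberos expiry attributes after a password change.

    A value of None means the attribute should be absent from the object.
    expiry_interval_days stands for the univentionPWExpiryInterval policy
    value (assumed to be in days); None means no policy applies.
    """
    attrs = {
        "shadowLastChange": str(days_since_epoch(changed_at)),
        "shadowMax": None,
        "krb5PasswordEnd": None,
    }
    if expiry_interval_days:
        end = changed_at + timedelta(days=expiry_interval_days)
        attrs["shadowMax"] = str(expiry_interval_days)
        # Assumption: GeneralizedTime format for krb5PasswordEnd.
        attrs["krb5PasswordEnd"] = end.strftime("%Y%m%d%H%M%SZ")
    return attrs


def shadow_expired(attrs, today):
    """Simplified age check: password is expired once its age exceeds shadowMax.

    Ignores shadowInactive, shadowExpire and the shadowLastChange=0 case.
    """
    if attrs.get("shadowMax") is None:
        return False  # no maximum age, so the password never ages out
    age = days_since_epoch(today) - int(attrs["shadowLastChange"])
    return age > int(attrs["shadowMax"])


if __name__ == "__main__":
    changed = datetime(2015, 3, 3, 12, 0, tzinfo=timezone.utc)  # constructed sample
    for interval in (None, 90):
        attrs = expiry_attrs(changed, interval)
        print(interval, attrs, shadow_expired(attrs, changed + timedelta(days=91)))
```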
Comment 7 Stefan Gohmann univentionstaff 2015-03-10 14:20:07 CET
YAML: OK (minor changes: r58827)

ucs-test: OK

Tests: OK

Code review: OK
Comment 8 Moritz Muehlenhoff univentionstaff 2015-03-11 15:09:09 CET