Univention Bugzilla – Bug 38826
Password change is case sensitive
Last modified: 2017-11-20 12:06:23 CET
I've added a user Test.Eins and it seems the password change is case sensitive and kinit is case insensitive:

root@master931:~# kinit Test.Eins
Test.Eins@DEADLOCK93.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master931:~# kinit test.eins
test.eins@DEADLOCK93.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master931:~# kpasswd test.eins
test.eins@DEADLOCK93.INTRANET's Password:
Your password will expire at Tue Jun 30 02:00:00 2015
New password for test.eins@DEADLOCK93.INTRANET:
Verify password - New password for test.eins@DEADLOCK93.INTRANET:
kpasswd: krb5_set_password_using_ccache: Matching credential (kadmin/changepw@DEADLOCK93.INTRANET) not found
root@master931:~# kpasswd Test.Eins
Test.Eins@DEADLOCK93.INTRANET's Password:
Your password will expire at Tue Jun 30 02:00:00 2015
New password for Test.Eins@DEADLOCK93.INTRANET:
Verify password - New password for Test.Eins@DEADLOCK93.INTRANET:
Success : Password changed
root@master931:~#

Ticket #2015062221000256
Quoting https://ssimo.org/blog/id_016.html: "Principal names are considered case sensitive by the reference implementation (MIT Kerberos) but some implementation treat them in a case-insensitive way (Active Directory for example). It is safer to always treat principal names in a case sensitive way. (Active Directory will generally always provide the canonicalized form in tickets although it may accept mismatching cases when requesting tickets)." So we should maybe not adjust Heimdal (or MIT) Kerberos but rather canonicalize the name by other means before doing kpasswd (e.g. via the pam stack).
An LDAP search for the uid attribute of the user is done now. The found value is used as username to change the password.

univention-management-console (7.1.63-22):
r62116 | Bug #38826: make password change case insensitive
Code review: OK: r62116 + r62122
Tests: OK
YAML: OK (small adjustments r62141)
Merge to UCS 4.1: OK
<http://errata.univention.de/ucs/4.0/245.html>
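The fix described in this bug (search LDAP for the uid, then use the stored value as the username for the password change) can be sketched as follows. This is an added example, not the r62116 code: the `search` callable, `fake_search` and the in-memory `DIRECTORY` are constructed stand-ins for a real LDAP connection. As an assumption beyond the bug text, it also escapes the typed name per RFC 4515 and refuses anything but exactly one match.

```python
import re

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def canonical_uid(login, search):
    """Return the uid exactly as stored in the directory, or None.

    `search` is a hypothetical callable: filter string -> list of attribute dicts.
    uid uses case-insensitive matching in LDAP, so 'test.eins' finds 'Test.Eins'.
    """
    entries = search('(uid=%s)' % escape_filter_value(login))
    if len(entries) != 1:      # unknown or ambiguous name: do not guess
        return None
    return entries[0]['uid'][0]

# --- constructed stand-in for an LDAP server, for offline use only ---
DIRECTORY = [{'uid': ['Test.Eins']}, {'uid': ['Administrator']}]

def _unescape(text):
    # Turn \XX hex escapes back into the characters they stand for.
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), text)

def fake_search(flt):
    """Evaluate a '(uid=...)' filter: case-insensitive, unescaped '*' is a wildcard."""
    m = re.fullmatch(r'\(uid=(.*)\)', flt)
    if m is None:
        raise ValueError('unsupported filter: %r' % flt)
    parts = m.group(1).split('*')
    pattern = '.*'.join(re.escape(_unescape(p)) for p in parts)
    return [e for e in DIRECTORY
            if re.fullmatch(pattern, e['uid'][0], re.IGNORECASE)]

if __name__ == '__main__':
    for typed in ('test.eins', 'TEST.EINS', 'Test*', 'nobody'):
        print(typed, '->', canonical_uid(typed, fake_search))
```

The returned value, not the name the user typed, is what gets passed on as the principal for the password change.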