Bug 38826 - Password change is case sensitive
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-2-errata
Assigned To: Florian Best
QA Contact: Stefan Gohmann
Depends on:
Blocks:

Reported: 2015-07-03 07:54 CEST by Stefan Gohmann
Modified: 2017-11-20 12:06 CET
CC List: 4 users

Description Stefan Gohmann univentionstaff 2015-07-03 07:54:59 CEST
I've added a user Test.Eins and it seems the password change is case sensitive and kinit is case insensitive:

root@master931:~# kinit Test.Eins
Test.Eins@DEADLOCK93.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master931:~# kinit test.eins
test.eins@DEADLOCK93.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master931:~# kpasswd test.eins
test.eins@DEADLOCK93.INTRANET's Password:
Your password will expire at Tue Jun 30 02:00:00 2015

New password for test.eins@DEADLOCK93.INTRANET:
Verify password - New password for test.eins@DEADLOCK93.INTRANET:
kpasswd: krb5_set_password_using_ccache: Matching credential (kadmin/changepw@DEADLOCK93.INTRANET) not found
root@master931:~# kpasswd Test.Eins
Test.Eins@DEADLOCK93.INTRANET's Password:
Your password will expire at Tue Jun 30 02:00:00 2015

New password for Test.Eins@DEADLOCK93.INTRANET:
Verify password - New password for Test.Eins@DEADLOCK93.INTRANET:
Success : Password changed
root@master931:~#

Ticket #2015062221000256
Comment 1 Arvid Requate univentionstaff 2015-07-07 15:08:51 CEST
Quoting https://ssimo.org/blog/id_016.html:

"Principal names are considered case sensitive by the reference implementation (MIT Kerberos) but some implementation treat them in a case-insensitive way (Active Directory for example). It is safer to always treat principal names in a case sensitive way. (Active Directory will generally always provide the canonicalized form in tickets although it may accept mismatching cases when requesting tickets)."

So we should maybe not adjust Heimdal (or MIT) Kerberos but rather canonicalize the name by other means before doing kpasswd (e.g. via the PAM stack).
Comment 2 Florian Best univentionstaff 2015-07-15 11:43:11 CEST
An LDAP search for the uid attribute of the user is done now. The found value is used as the username to change the password.

univention-management-console (7.1.63-22):
r62116 | Bug #38826: make password change case insensitive
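The approach from Comment 1 and Comment 2, canonicalizing the typed login name to the uid stored in LDAP before building the kpasswd principal, as an added example. This is not code from UMC or from r62116; the directory entries are a constructed in-memory stand-in for the LDAP server (the real lookup would be an ldap search on the uid attribute, which the standard schema compares with caseIgnoreMatch, so `(uid=test.eins)` matches `Test.Eins`), and the function names are the example's own. It also shows the check a practitioner wants around such a lookup: the user-supplied value is escaped per RFC 4515 before it goes into the filter, and zero or more than one hit is treated as an error rather than silently taking the first entry.

```python
import re
from typing import Dict, List

# Constructed sample entries standing in for the LDAP directory in the bug report.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=Test.Eins,cn=users,dc=deadlock93,dc=intranet", "uid": "Test.Eins"},
    {"dn": "uid=Administrator,cn=users,dc=deadlock93,dc=intranet", "uid": "Administrator"},
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the stand-in server below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_uid_filter(login: str) -> str:
    """Filter string to hand to the LDAP search; the login is escaped so it
    cannot turn into a wildcard or a nested filter expression."""
    return "(uid=%s)" % escape_filter_value(login)


def search(directory: List[Dict[str, str]], ldap_filter: str) -> List[Dict[str, str]]:
    """Stand-in for the LDAP server (assumption: only (uid=<value>) filters).
    uid is compared with caseIgnoreMatch semantics, like the standard schema."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported or malformed filter: %r" % ldap_filter)
    raw = m.group(1)
    if raw == "*":
        # Presence filter: every entry that has a uid. This is what an
        # unescaped "*" typed by a user would turn the lookup into.
        return list(directory)
    if any(c in raw for c in "*()"):
        raise ValueError("substring or nested filters not supported here: %r" % ldap_filter)
    wanted = unescape_filter_value(raw).lower()
    return [entry for entry in directory if entry["uid"].lower() == wanted]


def canonical_uid(directory: List[Dict[str, str]], login: str) -> str:
    """Return the uid exactly as stored in the directory for a login typed in any case.
    Zero matches (unknown user) and several matches (ambiguous) are both errors:
    never pick the first hit, or one account could end up changing another's password."""
    matches = search(directory, build_uid_filter(login))
    if not matches:
        raise LookupError("no user with uid %r" % login)
    if len(matches) > 1:
        raise LookupError("ambiguous uid %r: %d entries" % (login, len(matches)))
    return matches[0]["uid"]


def kpasswd_principal(directory: List[Dict[str, str]], login: str, realm: str) -> str:
    """Principal name to pass to kpasswd, built from the canonical uid, not from the typed login."""
    return "%s@%s" % (canonical_uid(directory, login), realm)


if __name__ == "__main__":
    # Typed in lower case, as in the report; the principal uses the stored spelling.
    print(kpasswd_principal(DIRECTORY, "test.eins", "DEADLOCK93.INTRANET"))
```

With the escaping in place, a login of `*` searches for a literal asterisk and finds nothing, whereas the raw filter `(uid=*)` would return every user; the same escaping protects the lookup from `)` and `(` in the typed name.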
Comment 3 Stefan Gohmann univentionstaff 2015-07-16 08:22:29 CEST
Code review: OK: r62116 + r62122

Tests: OK

YAML: OK (small adjustments r62141)

Merge to UCS 4.1: OK
Comment 4 Janek Walkenhorst univentionstaff 2015-07-16 14:23:54 CEST
<http://errata.univention.de/ucs/4.0/245.html>