Bug 41786 - Detection why password changing fails isn't working anymore
Detection why password changing fails isn't working anymore
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-0-errata
Assigned To: Florian Best
QA Contact: Felix Botner
Duplicates: 44584 45102
Depends on:
Blocks: 36215
Reported: 2016-07-13 13:29 CEST by Florian Best
Modified: 2020-06-22 18:13 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016062921000116, 2016091321000622
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:

Screenshot (10.38 KB, image/png)
2016-07-13 13:53 CEST, Florian Best

Description Florian Best univentionstaff 2016-07-13 13:29:44 CEST
Currently UMC doesn't respond correctly if password changing fails.

UMC displays:
Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: Errorcode 20: Stellen Sie sicher, dass der Kerberos-Dienst läuft oder informieren Sie einen Administrator.

With debug/level=4 the UMC reveals the following information:
Changing password of user 's6139'
PAM says: 'Schlechtes Passwort: Es ist zu kurz'
PAM says: 'Schlechtes Passwort: ist zu einfach'
PAM says: ': Password too short, password must be at least 6 characters long.'
Changing password failed (('Fehler beim Ändern des Authentifizierungstoken', 20)). Prompts: [('Current Kerberos password: ', 1), ('Geben Sie ein neues Passwort ein: ', 1), ('Schlechtes Passwort: Es ist zu kurz', 3), ('Schlechtes Passwort: ist zu einfach', 3), ('Geben Sie das neue Passwort erneut ein: ', 1), (': Password too short, password must be at least 6 characters long.', 3)]
Comment 2 Florian Best univentionstaff 2016-07-13 13:33:00 CEST
The problem is that the output of pam_krb5 changed. We are parsing raw strings.
Comment 3 Florian Best univentionstaff 2016-07-13 13:53:47 CEST
Created attachment 7799 [details]

Hm, the screenshot shows more information. Nevertheless we should integrate the missing/changed prompts so that a more human-readable message is shown again.

And we should write a test case which covers every case (too-short, too-simple, kerberos (samba / ad), unix).
Comment 4 Florian Best univentionstaff 2016-07-13 14:10:17 CEST
 ': Password too short, password must be at least 6 characters long.'
 ': Password too short, password must be at least 8 characters long.'
 ': Password does not meet complexity requirements'
 'Schlechtes Passwort: Es basiert auf einem (umgekehrten) Wörterbucheintrag'
 'Schlechtes Passwort: Es basiert auf einem Wörterbucheintrag'
 'Schlechtes Passwort: Es ist VIEL zu kurz'
 'Schlechtes Passwort: Es ist zu kurz'
 'Schlechtes Passwort: ist dem alten zu ähnlich'
 'Schlechtes Passwort: ist ein Palindrome'
 'Schlechtes Passwort: ist zu einfach'
 'Schlechtes Passwort: wurde gedreht'
 'Unable to reach any changepw server  in realm FOO.BAR'
Comment 6 Florian Best univentionstaff 2017-02-01 12:04:27 CET
01.02.17 11:57:05.827  AUTH        ( INFO    ) : PAM says: 'Your password will expire at Thu Jan  1 01:00:00 1970\n'
01.02.17 11:57:05.827  AUTH        ( INFO    ) : PAM says: 'Changing password'
01.02.17 11:57:05.870  AUTH        ( INFO    ) : PAM says: 'Error: Password does not meet complexity requirements\n'
Comment 7 Florian Best univentionstaff 2017-02-21 17:29:46 CET
This causes the UMC to display an error message instead of changing the password or prompting for a new one.
Comment 8 Florian Best univentionstaff 2017-02-21 17:30:48 CET
This bug also affects the Self-Service "password change" functionality, as it uses the UMC to change the password.
Comment 9 Florian Best univentionstaff 2017-03-14 12:33:24 CET
# grep account /etc/pam.d/univention-management-console
→ reveals that we do pam_acct_mgmt with pam_unix.so, pam_ldap.so, pam_krb5.so

# dpkg -S pam_unix.so pam_krb5.so pam_ldap.so
libpam-modules:amd64: /lib/x86_64-linux-gnu/security/pam_unix.so
libpam-heimdal:amd64: /lib/x86_64-linux-gnu/security/pam_krb5.so
libpam-ldap:amd64: /lib/x86_64-linux-gnu/security/pam_ldap.so

# ucr set repository/online/sources=yes
# apt-get source libpam-ldap libpam-heimdal libpam-modules

The strings for pam_unix are translated via gettext, they can be found via:
rgrep '_("' pam-*
The german translations are in pam-*/po/de.po.
→ We should find a way to run PAM with locale C instead of the system locale so that this also works with a french UCS system.

The strings for pam_ldap can be extracted via (they seem untranslated):
# tar xvzf libpam-ldap-*/*tar.gz
# grep -A15 const.*policy_error_table pam_ldap-*/pam_ldap.c
# grep -C4 _conv_sendmsg pam_ldap-*/pam_ldap.c | grep '"' 

The strings for pam_krb5 can be extracted via:
# rgrep -C4 pamk5_conv libpam-krb5-*/ | grep '"'
→ This seems to be incomplete as pam_krb5 speaks with another library (heimdal-kdc)
# apt-get source heimdal-kdc
# rgrep 'N_(' heimdal-*/lib/krb5/changepw.c
→ This seems to be again incomplete as change_password_loop connects with a kerberos server.
→ The kerberos server can probably be Samba OR Active Directory - if the UCS system is configured as AD Member?!
→ So we must also collect the error messages from both of these components. How to do this?
Comment 10 Florian Best univentionstaff 2017-03-14 13:24:11 CET
Active Directory can be ignored as long as Bug #38082 is not fixed.

Samba4 KDC:
# apt-get source samba
# rgrep -A6 reject_string samba-*/source4/kdc/ | grep '"'

Heimdal: (/usr/lib/heimdal-servers/kpasswdd)
→ uses kadm5_check_password_quality() AND error messages from UDM!
# grep -C3 reply_priv heimdal-*/kpasswd/kpasswdd.c | grep '"'
# grep '"' heimdal-*/lib/kadm5/password_quality.c

What about Samba3?
Comment 11 Florian Best univentionstaff 2017-05-08 17:27:51 CEST
I extracted the following error messages:

Samba 4 KDC:
"Password too short, password must be at least %d characters long."
"Password too short"
"Password does not meet complexity requirements"
"Password is already in password history. New password must not match any of your %d previous passwords."
"Password is already in password history"
"Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed."

"Bad: new password must be different than the old one"
"Bad: new password cannot be a palindrome"
"Bad: new and old password must differ by more than just case"
"Bad: new and old password are too similar"
"Bad: new password is too simple"
"Bad: new password is just a wrapped version of the old one"
"You must choose a longer password"
"Password has been already used. Choose another."
"You must wait longer to change your password"
"is the same as the old one"
"is a palindrome"
"case changes only"
"is too similar to the old one"
"is too simple"
"is rotated"
"not enough character classes"
"contains too many same characters consecutively"
"contains too long of a monotonic character sequence"
"contains the user name in some form"
"Password has been already used. Choose another."
"Password has been already used."

"Insufficient Password Quality",
"Password Too Short",
"Password Too Young",
"Password Insufficient"

"Unable to reach any changepw server  in realm %s"

Heimdal KDC:
"Password already used"
"Password is too short"
"The passwort didn't pass quality check"
"Password too short"
"Password doesn't meet complexity requirement.\n"
"Add more characters from at least %d of the\nfollowing classes:\n"
"1. English uppercase characters (A through Z)\n"
"2. English lowercase characters (a through z)\n"
"3. Base 10 digits (0 through 9)\n" 
"4. Nonalphanumeric characters (e.g., !, $, #, %%)"
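As an added illustration of the approach discussed in comments 2, 4 and 11 (match the extracted format strings instead of raw strings, and fall back to the raw text rather than the misleading Kerberos hint), here is a small classifier for the PAM prompt list logged at debug level 4. It is example code, not UMC's own implementation; the reason codes and the `classify_prompts` name are assumptions, and the message table is a constructed subset of the strings quoted in this bug.

```python
import re

# Constructed table: messages quoted in this bug (Samba 4 KDC, Heimdal
# kpasswdd, pam_unix in German) mapped to an assumed reason code. printf-style
# "%d" and "%s" in the extracted format strings become capture groups.
MESSAGE_REASONS = [
    ("Password too short, password must be at least %d characters long.", "too_short"),
    ("Password too short", "too_short"),
    ("Password is too short", "too_short"),
    ("Password does not meet complexity requirements", "too_simple"),
    ("Password doesn't meet complexity requirement.", "too_simple"),
    ("Password is already in password history. New password must not match any of your %d previous passwords.", "reused"),
    ("Password already used", "reused"),
    ("You must wait longer to change your password", "too_young"),
    ("Unable to reach any changepw server  in realm %s", "kdc_unreachable"),
    ("Schlechtes Passwort: Es ist zu kurz", "too_short"),
    ("Schlechtes Passwort: ist zu einfach", "too_simple"),
]

PAM_ERROR_MSG = 3  # conversation style of the error entries in the logged prompt list

def _to_regex(fmt):
    """Anchored regex for one format string; tolerates the ": " / "Error: "
    prefixes and trailing newline seen in the log lines of this bug."""
    parts = []
    for piece in re.split(r"(%d|%s)", fmt):
        if piece == "%d":
            parts.append(r"(?P<number>\d+)")
        elif piece == "%s":
            parts.append(r"(?P<text>.+?)")
        else:
            parts.append(re.escape(piece))
    return re.compile(r"^(?:Error:\s*|:\s*)?" + "".join(parts) + r"\s*$")

_COMPILED = [(_to_regex(fmt), reason) for fmt, reason in MESSAGE_REASONS]

def classify_prompts(prompts):
    """Return (reason, details) for the first matching PAM error prompt, or
    ("unknown", {"message": raw}) so the caller can still show the raw text."""
    first_unknown = None
    for message, style in prompts:
        if style != PAM_ERROR_MSG:
            continue  # style 1 entries are the password prompts, not reasons
        for regex, reason in _COMPILED:
            match = regex.match(message)
            if match:
                return reason, {k: v for k, v in match.groupdict().items() if v}
        first_unknown = first_unknown or message.strip()
    return "unknown", {"message": first_unknown}
```

Running PAM with locale C, as comment 9 suggests, would let the German pam_unix entries in the table be dropped in favour of the English originals.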
Comment 12 Florian Best univentionstaff 2017-05-09 14:31:28 CEST
ucs-test (7.0.21-22):
r79244 | Bug #41786: error message differs for samba4 / plain heimdal
r79239 | Bug #41786: fix error message
r79070 | Bug #43859: Bug #41786: fix filename extension
r79064 | Bug #43859: Bug #41786: add missing executable flag
r79062 | Bug #43859: Bug #41786: add 60_umc/104_expired_password
r78992 | Bug #41786: add missing trailing dot

r78976 | Bug #41786: parse more PAM error messages when changing password fails

univention-management-console (9.0.80-11):
r79243 | Bug #41786: use the language of the currently logged in user
r79238 | Bug #41786: fix duplicated groupdict
r78976 | Bug #41786: parse more PAM error messages when changing password fails
Comment 13 Felix Botner univentionstaff 2017-06-02 13:43:19 CEST
OK - the reason for the failed password change is displayed in UMC
     (although in English -> Bug #Univention)
OK - univention-management-console.yaml
Comment 14 Janek Walkenhorst univentionstaff 2017-06-15 17:57:54 CEST
Comment 15 Florian Best univentionstaff 2017-07-31 12:03:27 CEST
*** Bug 45102 has been marked as a duplicate of this bug. ***
Comment 16 Florian Best univentionstaff 2020-06-22 18:13:45 CEST
*** Bug 44584 has been marked as a duplicate of this bug. ***