Bug 41865 - Kerberos auth fails due to expired keys when maxPwdAge setting is too large (713239 days)
Kerberos auth fails due to expired keys when maxPwdAge setting is too large (...
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Florian Best
Arvid Requate
Depends on:
  Show dependency treegraph
Reported: 2016-07-27 19:33 CEST by Arvid Requate
Modified: 2018-02-14 13:31 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2016071121000755, 2017083121000393
Bug group (optional): Troubleshooting
Max CVSS v3 score:
requate: Patch_Available+

udm: set bounds on {min,max}PasswordAge (3.64 KB, patch)
2016-09-14 16:05 CEST, Lukas Oyen
Details | Diff
patch (1.21 KB, patch)
2017-12-07 18:39 CET, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-07-27 19:33:16 CEST
Ticket#2016071121000755 reported a case where Kerberos authentication failed for all users, claiming password expiry.

After a lot of digging we finally found "samba-tool domain passwordsettings show" reported:

Maximum password age (days): 10675199

But the tool itself denies setting this value:

root@master10:~# samba-tool domain passwordsettings set --max=10675199
ERROR: Maximum password age must be in the range of 0 to 999!

Apparently the value has been set via UMC LDAP by navigating to the objectclass=sambadomain object located below cn=samba,$ldap_base and adjusting the Maximum password age there to:

sambaMaxPwdAge: 922337203685 # seconds

This setting results in authentication failure due to "expired" password:

Administrator@AR41I1.QA's Password: 
kinit: krb5_get_init_creds: No ENC-TS found   (see Bug #41617)

Setting this to a lower value, e.g. 713238 days results in this strange message:

Administrator@AR41I1.QA's Password: 
Your password will expire at Thu Jan  1 01:00:00 1970

I would recommend that the UMC (or an UDM syntax) should restrict the value of sambaMaxPwdAge to be smaller than or equal to 999 days. That's the limit that samba-tool and MS GPOs allow, see link in URL field above.

Irrelevant nerdy details:

Starting with a sambaMaxPwdAge of 61623794715 seconds, the kinit fails (today) for my Administrator testaccount which has

pwdLastSet: 130927652850000000

Btw. sambaMaxPwdAge of 61623794715 seconds is synchronized to the Samba/AD domain base as maxPwdAge: -616237947150000000, yes, the minus is "normal".

I have no clue what limit is overflowing here.

I bet you are curious when that strange warning about 1970 appears? That starts to appear at sambaMaxPwdAge of 59488159515 seconds. Lower than that value, kerberos authentication worked without any warning in my test case. I have no plans to narrow this down to the minimal AD precision of 100 nanoseconds.

The difference between "warning" value and "failure" value is 24718 days.
Comment 1 Lukas Oyen univentionstaff 2016-09-14 16:05:19 CEST
Created attachment 8007 [details]
udm: set bounds on {min,max}PasswordAge

This patch adds new classes in univention-directory-manager-modules/modules/univention/admin/syntax.py to restrict the possible values for {min,max}PasswordAge.

# udm settings/sambadomain modify --set minPasswordAge=86227201 --dn=...
Invalid syntax: Minimum password age: Value out of bounds (0 - 86227200 seconds)
# udm settings/sambadomain modify --set maxPasswordAge=86313601 --dn=...
Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds)
Comment 2 Arvid Requate univentionstaff 2017-08-14 17:13:17 CEST
Happened again with maxPasswordAge: 922337203685 days
Comment 3 Florian Best univentionstaff 2017-12-01 18:12:08 CET
As Lukas is not here anymore, please you apply his patch. Make an auto-PEP8 prior to that please. If you want we can also switch the Asignee-QA roles.
Comment 4 Arvid Requate univentionstaff 2017-12-04 14:15:42 CET
b458cf5bdc | Bug #41865: New syntax to restrict sambaMaxPwdAge and sambaMinPwdAge
69104893e0 | Bug #41865: Advisory
Comment 5 Florian Best univentionstaff 2017-12-04 17:18:03 CET
It's not possible to remove a currently set value anymore.
Comment 6 Florian Best univentionstaff 2017-12-07 18:39:16 CET
Created attachment 9307 [details]

My current patch would be this. I will apply it monday.
Comment 7 Florian Best univentionstaff 2017-12-13 11:09:05 CET
Applied the patch, merged to UCS 4.3, adjusted the YAML file.
Comment 8 Arvid Requate univentionstaff 2018-01-16 17:58:40 CET
Ok, works, I could remove a previously set excessively large value.
Comment 9 Arvid Requate univentionstaff 2018-02-14 13:31:31 CET