Bug 43859 - Changing expired password not possible with pam_krb5
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-0-errata
Assigned To: Florian Best
QA Contact: Felix Botner
Duplicates: 38082 44539
Depends on:
Blocks: 44584 44582 44744
Reported: 2017-03-15 06:18 CET by Stefan Gohmann
Modified: 2017-08-14 15:12 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Stefan Gohmann univentionstaff 2017-03-15 06:18:29 CET
Please fix the test or fix the product or in case it is not so important disable the test case.

http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-0/job/AutotestJoin/75/SambaVersion=s3,Systemrolle=master/testReport/


*** BEGIN *** ['/bin/bash', '07_expired_password'] ***
*** 60_umc/07_expired_password *** Change of expired password at UMC logon (with password complexity) ***
*** START TIME: 2017-03-14 15:58:22 ***
info 2017-03-14 15:58:23	 create user 0whx8mf6
Object created: uid=0whx8mf6,cn=users,dc=autotest090,dc=local
### Preparation: Activate pwQualityCheck in policies/pwhistory
## Note: non-Samba4 DCs require this to activate univention.password.Check (for check_cracklib.py)
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=autotest090,dc=local
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits
### Preparation: simulate password expiry
Object modified: uid=0whx8mf6,cn=users,dc=autotest090,dc=local
debug 2017-03-14 15:58:25	 Waiting for replication...
CRITICAL: no change of listener transaction id for last 0 checks (nid=12630 lid=12619)
OK: replication complete (nid=12630 lid=12630)
info 2017-03-14 15:58:27	 replication complete.
debug 2017-03-14 15:58:27	 Waiting for postrun...
### Preparation: set fresh complex password via UMC login password change dialog
error 2017-03-14 15:58:46	 Unexpected output returned by UMC during password change: {"status": 401, "message": "The authentication has failed, please login again.", "location": "http://localhost/univention/auth"}
error 2017-03-14 15:58:46	 **************** Test failed above this line (110) ****************
Unsetting password/quality/credit/lower
Unsetting password/quality/credit/upper
Unsetting password/quality/credit/other
Unsetting password/quality/credit/digits
LDAP Error: Invalid syntax: univentionPWQualityCheck: value #0 invalid per syntax
info 2017-03-14 15:58:46	 remove user 0whx8mf6
Object removed: uid=0whx8mf6,cn=users,dc=autotest090,dc=local
debug 2017-03-14 15:58:46	 user 0whx8mf6 removed
info 2017-03-14 15:58:46	 checking whether the user 0whx8mf6 is really removed
debug 2017-03-14 15:58:47	 user 0whx8mf6 does not exist
*** END TIME: 2017-03-14 15:58:47 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:24.915371 ***
*** END *** 110 ***
Comment 1 Florian Best univentionstaff 2017-03-15 11:39:47 CET
I guess this might be caused by Bug #36215.
Comment 2 Florian Best univentionstaff 2017-03-16 16:50:38 CET
The test case fails because the new password is not complex enough.
Comment 3 Florian Best univentionstaff 2017-03-16 19:01:39 CET
(In reply to Florian Best from comment #2)
> The test case fails because the new password is not complex enough.
No, this comment was wrong:

* The test case never ran under UCS 4.1-4 due to Bug #39382
* The test case contains errors such as parsing JSON as Python, which fails, and treating HTTP "200 OK" responses as "401" if they contain a response body.
→ Fixed in:

UCS 4.2-0 ucs-test (7.0.18-2):
r77832 | Bug #43859: fix test case 07_expired_password

UCS 4.1-4 ucs-test (6.0.37-60):
r77834 | Bug #43859: fix test case 07_expired_password

* The UMC server currently doesn't respond with "Your password is expired" and a password change is therefore not possible. This is because the PAM module pam_krb5 does NOT respond correctly with "PAM_SUCCESS" (but with "PAM_AUTH_ERR") in pam_sm_authenticate(), but tries to change the password immediately and fails because no new password is entered; therefore pam_sm_acct_mgmt() is never called. → Similar to Bug #38082; I am currently unsure if that patch helps there, my local tests with that patch didn't help. UMC shows the prompts of pam_krb5 as follows:
PAM says: 'Your password will expire at Thu Jan  1 01:00:00 1970\n'
PAM says: 'Changing password'
PAM says: 'Error: Password does not meet complexity requirements\n'
PAM: authentication error: ('Fehler bei Authentifizierung', 7)
Comment 4 Stefan Gohmann univentionstaff 2017-03-22 08:23:24 CET
As discussed, it seems not to be a regression in UCS 4.2, so please move it to errata.
Comment 5 Florian Best univentionstaff 2017-03-23 13:23:29 CET
Move to UCS 4.2-0 errata.

r17425 | fbest | 2017-03-23 13:19:37 +0100 (Do, 23. Mär 2017) | 2 Zeilen
Bug #43859: revert patches

heimdal 1.6~rc2+dfsg-9A~4.2.0.201703231320
Comment 6 Florian Best univentionstaff 2017-04-25 18:21:11 CEST
Committed revision 17479.
A patch has been found and merged
Cherry picked package heimdal[81937] version 1.6~rc2+dfsg-9 from 4.2-0-0[78]/None[0] to 4.2[78]/errata4.2-0[452]

heimdal.yaml:
r78926 | YAML Bug #43859
Comment 7 Florian Best univentionstaff 2017-04-28 10:59:59 CEST
svn: URL 'svn+ssh://build@billy.knut.univention.de/var/svn/patches/libpam-krb5' non-existent in that revision
There are no patches for this package
Cherry picked package libpam-krb5[83641] version 4.6-3 from 4.2-0-0[78]/None[0] to 4.2[78]/errata4.2-0[452]
Comment 8 Florian Best univentionstaff 2017-04-28 14:25:18 CEST
With the current state pam_authenticate() and pam_acct_mgmt() seem to work very nicely when adding 'defer_pwchange' to the PAM configuration. But changing the password still fails with:
PAM.error: ('Authentication token is no longer valid; new one required', 12)
Comment 9 Florian Best univentionstaff 2017-05-05 11:39:44 CEST
*** Bug 44539 has been marked as a duplicate of this bug. ***
Comment 10 Florian Best univentionstaff 2017-05-08 18:00:36 CEST
I wrote 33 test cases, which cover different combinations of posix and samba users:
18 of them are failing on Samba 4.
11 of them are failing on Samba 3.

This seems to have to do with the stacking of the PAM modules in the account section.
Comment 11 Florian Best univentionstaff 2017-05-11 17:40:28 CEST
*** Bug 38082 has been marked as a duplicate of this bug. ***
Comment 12 Florian Best univentionstaff 2017-05-11 18:15:28 CEST
The problem lies in pam-krb5 and heimdal.
1. heimdal: The upstream patch from Bug #38082 has been applied.
2. pam-krb5: https://github.com/rra/pam-krb5/pull/8 patch has been applied.
→ Our /etc/krb5.conf contains proxiable = true in the "[libdefaults]" section.
This is disabled in the patch. kpasswd could change the password because the same is already done in its code: https://github.com/heimdal/heimdal/blob/master/kpasswd/kpasswd.c#L150
The patch is not reviewed upstream yet.

ucs-test (7.0.21-24):
r79070 | Bug #43859: Bug #41786: fix filename extension
r79064 | Bug #43859: Bug #41786: add missing executable flag
r79062 | Bug #43859: Bug #41786: add 60_umc/104_expired_password
r77832 | Bug #43859: fix test case 07_expired_password

libpam-krb5.yaml:
r78991 | YAML Bug #43859

univention-management-console.yaml:
r79015 | YAML Bug #44217 Bug #44450 Bug #43859

univention-management-console (9.0.80-11):
r79087 | Bug #43859: change account 'required' back to 'sufficient'
r79063 | Bug #43859: enable defer_pwchange for pam_krb5 authentication modules
r79014 | Bug #43859: enable defer_pwchange for pam_krb5 authentication modules

heimdal.yaml:
r78926 | YAML Bug #43859

(In reply to Florian Best from comment #10)
> I wrote 33 test cases, which cover different combinations of posix and samba
> users:
> 18 of them are failing on Samba 4.
> 11 of them are failing on Samba 3.
> 
> This seems to have to do with the stacking of the PAM modules in the account
> section.
There are still a lot of failing cases, which I will disable; they are part of Bug #44582.
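The call sequence that comments 3, 8 and 12 revolve around, as an added example that is not code from this bug, from UMC or from pam-krb5: a login service must run pam_authenticate, then pam_acct_mgmt, and only when acct_mgmt reports PAM_NEW_AUTHTOK_REQD prompt for a new password and call pam_chauthtok. FakeKrb5Pam is a constructed model of a PAM handle whose stack contains pam_krb5; its defer_pwchange flag switches between the behaviour reported in comment 3 (the module tries the password change inside authenticate and fails with PAM_AUTH_ERR, so acct_mgmt is never reached) and the behaviour with the defer_pwchange option from comment 8. umc_login is a hypothetical application function, not UMC's own code. The numeric codes are Linux-PAM's; 7 and 12 are the values quoted in the bug.

```python
"""Application-side handling of an expired password over PAM (added example)."""
from dataclasses import dataclass, field

# Linux-PAM return codes; 7 and 12 are the ones quoted in the bug report.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7            # "Fehler bei Authentifizierung"
PAM_NEW_AUTHTOK_REQD = 12   # "Authentication token is no longer valid; new one required"
PAM_AUTHTOK_ERR = 20        # password change rejected by the backend


class PamError(Exception):
    """Mirrors PyPAM's PAM.error, whose args are (message, code)."""
    def __init__(self, message, code):
        super().__init__(message, code)
        self.message, self.code = message, code


@dataclass
class FakeKrb5Pam:
    """Constructed stand-in for a PAM handle with pam_krb5 in the stack.

    defer_pwchange=False: the expired password is noticed inside
    authenticate(), the module tries to change it there, and fails with
    PAM_AUTH_ERR because no new password has been supplied yet.
    defer_pwchange=True: authenticate() succeeds, acct_mgmt() reports
    PAM_NEW_AUTHTOK_REQD, and the change happens in chauthtok(), where
    the application can prompt the user for the new password first.
    """
    password: str
    expired: bool
    defer_pwchange: bool
    prompts: list = field(default_factory=list)

    def authenticate(self, given):
        if given != self.password:
            raise PamError("Authentication failure", PAM_AUTH_ERR)
        if self.expired and not self.defer_pwchange:
            self.prompts.append("Changing password")
            # No new password is available here, so the embedded change
            # fails, authenticate() fails, and acct_mgmt() is never reached.
            raise PamError("Authentication failure", PAM_AUTH_ERR)

    def acct_mgmt(self):
        if self.expired:
            raise PamError("Authentication token is no longer valid; new one required",
                           PAM_NEW_AUTHTOK_REQD)

    def chauthtok(self, old, new):
        if old != self.password:
            raise PamError("Authentication failure", PAM_AUTH_ERR)
        if len(new) < 8:  # stands in for the KDC's password quality check
            raise PamError("Password does not meet complexity requirements",
                           PAM_AUTHTOK_ERR)
        self.password, self.expired = new, False


def umc_login(pam, password, new_password=None):
    """Hypothetical login handler. Returns (status, pam_code) where status is
    'ok', 'expired' (show the password-change dialog) or 'failed'."""
    try:
        pam.authenticate(password)
        try:
            pam.acct_mgmt()
        except PamError as e:
            if e.code != PAM_NEW_AUTHTOK_REQD:
                return ("failed", e.code)
            if new_password is None:
                # This is the point where UMC should show its change dialog
                # instead of answering with a plain 401.
                return ("expired", e.code)
            pam.chauthtok(password, new_password)
            pam.acct_mgmt()  # the account is valid again after the change
        return ("ok", PAM_SUCCESS)
    except PamError as e:
        return ("failed", e.code)


if __name__ == "__main__":
    legacy = FakeKrb5Pam(password="univention", expired=True, defer_pwchange=False)
    deferred = FakeKrb5Pam(password="univention", expired=True, defer_pwchange=True)
    print("without defer_pwchange:", umc_login(legacy, "univention"))
    print("with defer_pwchange, no new password:", umc_login(deferred, "univention"))
    print("with defer_pwchange, new password:", umc_login(deferred, "univention", "Tr0ub4dor&3"))
```

The first call reproduces the symptom from the description (authentication fails with code 7 and no dialog is possible), the second shows the PAM_NEW_AUTHTOK_REQD signal the application needs in order to open its change dialog, and the third completes the change and re-runs acct_mgmt.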
Comment 13 Florian Best univentionstaff 2017-05-31 16:54:12 CEST
To reproduce this:
udm users/user create --set username=test1 --set password=univention --set lastname=foo --set pwdChangeNextLogin=1 --set locked=posix
Then log in to UMC as test1.
Expected result: A dialog to change the expired password is shown.
Actual result: UMC tells "authentication failed".
Comment 14 Felix Botner univentionstaff 2017-06-01 18:18:31 CEST
fix: 4.6-3A~4.2.0.201705082217

apt-cache policy libpam-heimdal 
libpam-heimdal:
  Installiert:           4.6-3+b1
  Installationskandidat: 4.6-3+b1
  Versionstabelle:
 *** 4.6-3+b1 0
        100 /var/lib/dpkg/status
     4.6-3A~4.2.0.201705082217 0
        500 http://192.168.0.10/build2/ ucs_4.2-0-errata4.2-0/amd64/ Packages
     4.6-3A~4.2.0.201703231343 0
        500 https://updates.software-univention.de/4.2/maintained/ 4.2-0/amd64/ Packages
     4.6-1.22.201403250545 0
        500 https://updates.software-univention.de/4.0/maintained/ 4.0-0/amd64/ Packages
Comment 15 Florian Best univentionstaff 2017-06-02 07:47:34 CEST
I built the package with version 4.6-3+b1A~4.2.0.201706020740.
Comment 16 Florian Best univentionstaff 2017-06-02 10:52:25 CEST
There are some tests failing on Samba4. These are mainly two different cases:
* a user with all options can't change his password. I marked the test as XFAIL. 
* a user with only kerberos and posix option can't change his password.
I don't think it's a regression.

ucs-test (7.0.21-32):
r80007 | Bug #43859: xfail current failing tests
Comment 17 Florian Best univentionstaff 2017-06-02 11:27:19 CEST
(In reply to Florian Best from comment #16)
> There are some tests failing on Samba4. These are mainly two different cases:
> * a user with all options can't change his password. I marked the test as
> XFAIL. 
> * a user with only kerberos and posix option can't change his password.
> I don't think it's a regression.
> 
> ucs-test (7.0.21-32):
> r80007 | Bug #43859: xfail current failing tests

We found the reason for the failing tests:
* missing wait_for_connection_replication()
* Bug #43524

ucs-test (7.0.21-33):
r80008 | Bug #43859: wait for s4-connector replication
Comment 18 Felix Botner univentionstaff 2017-06-02 13:24:13 CEST
OK - libpam-krb5.yaml
OK - heimdal.yaml
OK - univention-management-console.yaml

OK - password change via UMC 
OK - password change via UMC (s4)

OK - ucs-test

TODO jenkins
Comment 19 Felix Botner univentionstaff 2017-06-07 11:57:27 CEST
The new password tests still fail: http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-0/job/AutotestJoin/lastCompletedBuild/testReport/

But as discussed I created Bug #44744 for that.
Comment 20 Janek Walkenhorst univentionstaff 2017-06-15 13:31:07 CEST
Mismatching binary package version: 4.6-3+b1A~4.2.0.201706020740 != libpam-heimdal 4.6-3+b1 from libpam-krb5 4.6-3
Comment 21 Florian Best univentionstaff 2017-06-15 13:35:28 CEST
(In reply to Janek Walkenhorst from comment #20)
> Mismatching binary package version: 4.6-3+b1A~4.2.0.201706020740 !=
> libpam-heimdal 4.6-3+b1 from libpam-krb5 4.6-3

The version is correct in the YAML:

$ apt-cache policy libpam-heimdal 
libpam-heimdal:
  Installiert:           4.6-3+b1A~4.2.0.201706020740
  Installationskandidat: 4.6-3+b1A~4.2.0.201706020740
  Versionstabelle:
 *** 4.6-3+b1A~4.2.0.201706020740 0
        500 http://omar.knut.univention.de/build2/ ucs_4.2-0-errata4.2-0/amd64/ Packages
        100 /var/lib/dpkg/status
     4.6-3A~4.2.0.201703231343 0
        500 https://updates.software-univention.de/4.2/maintained/ 4.2-0/amd64/ Packages
     4.6-1.22.201403250545 0
        500 https://updates.software-univention.de/4.0/maintained/ 4.0-0/amd64/ Packages

$ git grep 4.6-3+b1A~4.2.0.201706020740
libpam-krb5.yaml:fix: 4.6-3+b1A~4.2.0.201706020740
Comment 22 Felix Botner univentionstaff 2017-06-15 16:53:55 CEST
OK - errata tests
Comment 24 Florian Best univentionstaff 2017-08-14 15:12:01 CEST
It has been fixed upstream:

https://github.com/rra/pam-krb5/commit/bf8f521d785036082425e052b290363af94ba6c5