Bug 44470 - synchronize the PAM/s3/s4 password policies
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - Change password
Version: UCS 5.0
Hardware/OS: Other Linux
Importance: P5 major
Target Milestone: ---
Assigned To: UMC maintainers
QA Contact: UMC maintainers
URL:
Duplicates: 44090
Depends on:
Blocks: 46171
Reported: 2017-04-26 08:37 CEST by Daniel Tröder
Modified: 2021-11-18 16:19 CET
CC: 7 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017092521000643, 2018072521000467, 2021111521000364
Bug group (optional): Further conceptual development, Troubleshooting, Usability
Max CVSS v3 score:


Description Daniel Tröder univentionstaff 2017-04-26 08:37:00 CEST
+++ This bug was initially created as a clone of Bug #44090 +++

When s4 is installed, the change password module does not honor the default password policy (cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base).

>> The change password module does not honor the default password policy:
> If you use Samba 4, you have to set the Samba password settings.
>> Where can this be done? Are there also UCR variables etc. for this in UCS?
>'samba-tool domain passwordsettings' or 'udm settings/sambaconfig'

The UCS PAM and Samba integration should synchronize the PAM/s3/s4 password policies.
Comment 1 Daniel Tröder univentionstaff 2017-04-26 08:40:47 CEST
*** Bug 44090 has been marked as a duplicate of this bug. ***
Comment 2 Stefan Gohmann univentionstaff 2017-04-28 08:02:00 CEST
Our policy implementation defines the policies per user so you are able to define different settings for every single user. The S4 implementation defines the setting for the domain. So, we have two different concepts which are both already implemented and used.

If I remember correctly we wanted to do the following things:

1. Write an SDB article about the situation (Bug #35997)

2. Explain more about the concepts in UMC while modifying password policies or S4 settings.
Comment 3 Florian Best univentionstaff 2017-04-28 08:13:26 CEST
> > If you use Samba 4, you have to set the Samba password settings.
> >> Where can this be done? Are there also UCR variables etc. for this in UCS?
> >'samba-tool domain passwordsettings' or 'udm settings/sambaconfig'

udm settings/sambaconfig seems to be deprecated since UCS 2.1, and no new object of it can be added. Instead, settings/sambadomain should be used; therefore the object sambaDomainName=$WINDOWSDOMAIN,cn=samba,$ldap_base can be modified.
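Because the UDM pwhistory policy and the Samba domain password settings are configured separately (see the description and Comment 3), an administrator has no built-in way to see when the two have drifted apart. The following script is an added example, not part of this bug report or of UCS: it reads the text output of `udm policies/pwhistory list` and `samba-tool domain passwordsettings show`, compares the settings that exist on both sides, and reports mismatches. The two sample outputs are constructed here in the shape of those commands' output so the script runs offline; the UDM property names (pwLength, length, expiryInterval, pwQualityCheck) and the samba-tool labels are assumed from the standard CLI output.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the default UDM pwhistory
# policy with the Samba domain password settings, so the "configure it twice"
# gap described in this bug is visible before users get locked out.
#
# On a live system feed in the real command output instead of the samples:
#   udm policies/pwhistory list --filter name=default-settings
#   samba-tool domain passwordsettings show

# Constructed sample in the shape of `udm policies/pwhistory list`:
# values deliberately differ from the Samba sample below.
UDM_SAMPLE='DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=com
  expiryInterval: 90
  length: 3
  name: default-settings
  pwLength: 8
  pwQualityCheck: TRUE'

# Constructed sample in the shape of `samba-tool domain passwordsettings show`.
SAMBA_SAMPLE='Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42'

# Constructed sample of a UDM policy already aligned with SAMBA_SAMPLE.
UDM_SYNCED='DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=com
  expiryInterval: 42
  length: 24
  name: default-settings
  pwLength: 7
  pwQualityCheck: TRUE'

# field_value TEXT LABEL: print the value after "LABEL: " (first match,
# leading blanks ignored; parentheses in LABEL are literal in a BRE).
field_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p" | head -n 1
}

# normalize VALUE: map UDM's TRUE/FALSE to samba-tool's on/off so the
# complexity flag compares; numbers pass through unchanged.
normalize() {
    case "$1" in
        TRUE|true)   echo on ;;
        FALSE|false) echo off ;;
        *)           echo "$1" ;;
    esac
}

# compare_policies UDM_TEXT SAMBA_TEXT: one line per checked setting plus a
# final "mismatches: N" summary. Both sides use days for the password age.
compare_policies() {
    udm=$1; samba=$2; n=0
    for pair in \
        'pwLength|Minimum password length' \
        'length|Password history length' \
        'expiryInterval|Maximum password age (days)' \
        'pwQualityCheck|Password complexity'
    do
        prop=${pair%%|*}; label=${pair#*|}
        u=$(normalize "$(field_value "$udm" "$prop")")
        s=$(normalize "$(field_value "$samba" "$label")")
        if [ "$u" = "$s" ]; then
            echo "OK       $prop=$u  /  $label=$s"
        else
            echo "MISMATCH $prop=$u  /  $label=$s"
            n=$((n + 1))
        fi
    done
    echo "mismatches: $n"
}

# mismatch_count UDM_TEXT SAMBA_TEXT: just the number, for monitoring checks.
mismatch_count() {
    compare_policies "$1" "$2" | sed -n 's/^mismatches: //p'
}

compare_policies "$UDM_SAMPLE" "$SAMBA_SAMPLE"
```

The check only looks at the one UDM policy object it is given; since UDM policies can be attached per user or container (Comment 2), a clean result for the default policy does not rule out a stricter or weaker policy applying to individual users.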
Comment 4 Daniel Orrego univentionstaff 2017-10-17 17:39:18 CEST
This is a bug.

And it does impair usability in key scenarios for large environments where password self-service is a must.

To be sure: The Selfservice app does not honor the configured password policy when Samba is installed. Both modules, 'password change' and 'password reset', end up behaving in different (unexpected, undocumented) ways.
Comment 5 Arvid Requate univentionstaff 2017-10-24 12:43:19 CEST
Ok, this feature request is 3 years old now: Bug 35809

It would be nice if Samba already supported fine-grained password policies (Bug 45128); then we might be able to use them, but it doesn't.

A way I could imagine to improve the situation here would be what Stefan already mentioned in Bug 44090 Comment 1: patch the Samba Heimdal to check the UDM policies in a similar way as we have patched stand-alone Heimdal (see Bug 22108 Comment 8, but only check the policy instead of setting the password in UDM). I think it would be worthwhile to move in that direction.
Comment 6 Dirk Schnick univentionstaff 2021-11-18 16:19:07 CET
The customer was not aware that he needs to configure the password policy twice and locked the users out in the Samba world. It is not easy to explain this complicated configuration in UCS to customers.
So four and a half years old, but still relevant.