Univention Bugzilla – Bug 44582
Users with only posix and samba option can't change their password via UMC
Last modified: 2018-01-24 01:15:30 CET
Users with only posix and samba option can't change their password via UMC. At least the kerberos option is required so that it works. Trying it nevertheless causes strange behavior and error messages, e.g.:

# create user with posix,samba and expired password
udm users/user create --position cn=users,dc=update,dc=test --option posix --option samba --set username=h8fulvhzub --set firstname=la89yrgujm --set lastname=vkiy57bd6w --set pwdChangeNextLogin=1 --set password=kw0bn707lq

# try to change password via UMC
curl -i -d "{\"options\":{\"username\":\"h8fulvhzub\",\"password\":\"kw0bn707lq\",\"new_password\":\"o4yrqus17x\"}}" -H "Content-Type: application/json" http://localhost/univention/auth

→ returns {"status": 401, "message": "Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: External password quality program failed: Traceback (most recent call last). Errorcode 20: The new password could not be set."}

The log message in /var/log/auth.log is:

Apr 1 03:20:39 master101 kpasswdd[25072]: h8fulvhzub@UPDATE.TEST didn't pass password quality check with error: External password quality program failed: Traceback (most recent call last):

→ The traceback is not printed because heimdal strips everything after the first '\n'. I debugged this, which showed that the external password program is /usr/share/univention-heimdal/check_cracklib.py (configured in /etc/heimdal-kdc/kdc.conf).

This reveals the following traceback:

Traceback (most recent call last):
  File "/usr/share/univention-heimdal/check_cracklib.py", line 63, in <module>
    pwdCheck = univention.password.Check(None, params['principal'])
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 53, in __init__
    self._userPolicy(username)
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 90, in _userPolicy
    dn = self.lo.searchDn('krb5PrincipalName=%s' % username)[0]
IndexError: list index out of range

→ It seems pam_krb5 is invoked and tries to check the password quality for this non-kerberos user, which fails.

Another often seen error message would be:

Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: Errorcode 10: The authentication has failed, please login again.

+++ This bug was initially created as a clone of Bug #43859 +++
A possible idea to solve this is to write a custom PAM module with pam-python which is only there for the password changing via UMC.

* we could remove the patched heimdal package, which adds some complexity checks
* we could remove the patched heimdal package, which adds the actual password changing via UDM
* we would have the password quality check at one central place
* we could simplify the UMC mechanism to detect failing password changes a lot! Currently we need to parse error messages from pam_cracklib, pam_unix, pam_ldap, heimdal, pam_krb5, samba4 KDC, Active Directory Server, ….
The same applies to users with only LDAP / Simple authentication account → Bug #42308, Bug #39636. This is also customer feedback.
The signature changed in UCS 4.3:

Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: external program failed: Traceback (most recent call last):
  File "/usr/share/univention-heimdal/check_cracklib.py", line 73, in <module>
    main()
  File "/usr/share/univention-heimdal/check_cracklib.py", line 64, in main
    pwdCheck = univention.password.Check(None, params['principal'])
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 53, in __init__
    self._userPolicy(username)
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 95, in _userPolicy
    raise ValueError('User was not found.')
ValueError: User was not found.
Errorcode 20: The new password could not be set.
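The two tracebacks above (the original IndexError from indexing an empty krb5PrincipalName search result, and the UCS 4.3 ValueError) share one failure mode: the external quality program crashes for a user without a Kerberos principal, and because the KDC keeps only the first line of the reply, the log ends at "Traceback (most recent call last):". The following is an added example, not Univention's check_cracklib.py and not code from this bug, of an external password-quality program that handles that case explicitly and always reports a single-line reason. It assumes the stdin protocol ("principal: …", "new-password: …", "end") and the one-line "APPROVED" reply that Heimdal's external check uses; the directory is a constructed in-memory dict standing in for the LDAP search, and the quality rules are a constructed stand-in for cracklib.

```python
#!/usr/bin/env python3
"""Added example (not Univention's check_cracklib.py): an external
password-quality program that fails safely when the principal has no
Kerberos entry and always reports a one-line reason.

Assumptions: the stdin request format and the "APPROVED" reply follow
Heimdal's external-check convention; CONSTRUCTED_DIRECTORY stands in for
the LDAP lookup on krb5PrincipalName shown in the bug's traceback."""

import sys
import traceback

# Constructed stand-in for the directory: principal -> DN.
# A user created with only the posix/samba options has no krb5PrincipalName,
# so a principal like the bug's h8fulvhzub@UPDATE.TEST is absent here.
CONSTRUCTED_DIRECTORY = {
    "alice@UPDATE.TEST": "uid=alice,cn=users,dc=update,dc=test",
}


def parse_request(text):
    """Parse the key/value request the KDC writes to stdin into a dict."""
    fields = {}
    for line in text.splitlines():
        if line.strip() == "end":
            break
        if ": " not in line:
            raise ValueError("malformed request line: %r" % line)
        key, value = line.split(": ", 1)
        fields[key] = value
    for required in ("principal", "new-password"):
        if required not in fields:
            raise ValueError("request is missing %r" % required)
    return fields


def lookup_principal_dn(directory, principal):
    """Return the DN for a principal, or None when the user has no Kerberos
    entry. The bug's code indexed [0] on the search result and raised
    IndexError for such users; returning None keeps the decision explicit."""
    return directory.get(principal)


def check_quality(new_password):
    """Constructed minimal quality rules; a real deployment would call
    cracklib or the site policy here. Returns None when acceptable."""
    if len(new_password) < 8:
        return "password is shorter than 8 characters"
    if new_password.isdigit() or new_password.isalpha():
        return "password must mix letters and digits"
    return None


def one_line(message):
    """The KDC keeps only the first line of the reply, so collapse
    everything onto one line or the reason is lost in auth.log."""
    return " | ".join(p.strip() for p in message.splitlines() if p.strip())


def evaluate(text, directory=CONSTRUCTED_DIRECTORY):
    """Return (exit_code, reply_line); (0, 'APPROVED') means accept."""
    try:
        req = parse_request(text)
        dn = lookup_principal_dn(directory, req["principal"])
        if dn is None:
            # Distinguish "no Kerberos principal" from a real policy failure
            # so kpasswdd's log says what actually happened.
            return 1, one_line("principal %s has no Kerberos entry; "
                               "password policy cannot be looked up"
                               % req["principal"])
        reason = check_quality(req["new-password"])
        if reason:
            return 1, one_line(reason)
        return 0, "APPROVED"
    except Exception:
        # Never let a multi-line traceback reach the KDC: it would be cut
        # down to "Traceback (most recent call last):" as in the bug.
        last = traceback.format_exc().splitlines()[-1]
        return 2, one_line("internal error: " + last)


if __name__ == "__main__":
    code, reply = evaluate(sys.stdin.read())
    sys.stdout.write(reply + "\n")
    sys.exit(code)
```

Run it with the request on stdin (for example `printf 'principal: alice@UPDATE.TEST\nnew-password: o4yrqus17x\nend\n' | python3 check.py`); the exit status and the single reply line are what a KDC configured with an external check would see, and the "no Kerberos entry" reply is the message that the bug's users would have received instead of a truncated traceback.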
Since we are removing the user options, this bug is WONTFIX.

*** This bug has been marked as a duplicate of bug 45842 ***