Bug 44582 - Users with only posix and samba option can't change their password via UMC
Status: RESOLVED DUPLICATE of bug 45842
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on: 43859
Blocks: 44584
Reported: 2017-05-11 17:15 CEST by Florian Best
Modified: 2018-01-24 01:15 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling, External feedback, Usability
Max CVSS v3 score:


Attachments

Description Florian Best univentionstaff 2017-05-11 17:15:49 CEST
Users with only the posix and samba options can't change their password via UMC.
At least the kerberos option is required for it to work.
Trying it nevertheless causes strange behavior and error messages, e.g.:

# create user with posix,samba and expired password
udm users/user create --position cn=users,dc=update,dc=test --option posix --option samba --set username=h8fulvhzub --set firstname=la89yrgujm --set lastname=vkiy57bd6w --set pwdChangeNextLogin=1 --set password=kw0bn707lq

# try to change password via UMC
curl -i -d "{\"options\":{\"username\":\"h8fulvhzub\",\"password\":\"kw0bn707lq\",\"new_password\":\"o4yrqus17x\"}}" -H "Content-Type: application/json" http://localhost/univention/auth

→ returns {"status": 401, "message": "Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: External password quality program failed: Traceback (most recent call last). Errorcode 20: The new password could not be set."}

The log message in /var/log/auth.log is:
Apr  1 03:20:39 master101 kpasswdd[25072]: h8fulvhzub@UPDATE.TEST didn't pass password quality check with error: External password quality program failed: Traceback (most recent call last):

→ The traceback is not printed because heimdal strips everything after the first '\n'.

I debugged this, which showed that the external password program is /usr/share/univention-heimdal/check_cracklib.py (configured in /etc/heimdal-kdc/kdc.conf). This reveals the following traceback:

Traceback (most recent call last):
  File "/usr/share/univention-heimdal/check_cracklib.py", line 63, in <module>
    pwdCheck = univention.password.Check(None, params['principal'])
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 53, in __init__
    self._userPolicy(username)
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 90, in _userPolicy
    dn = self.lo.searchDn('krb5PrincipalName=%s' % username)[0]
IndexError: list index out of range

→ It seems pam_krb5 is invoked and tries to check the password quality for this non-kerberos user, which fails.

Another often seen error message would be:
Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: Errorcode 10: The authentication has failed, please login again.

+++ This bug was initially created as a clone of Bug #43859 +++
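The failure the description walks through has two parts: an unconditional `[0]` on an empty LDAP search result (the posix+samba user has no krb5PrincipalName), and an error channel (kpasswdd) that keeps only the first line of what the external program prints, so the traceback never reaches the user. The Python below is an added example, not code from UCS or from this report; it reproduces that flow with a constructed in-memory directory standing in for lo.searchDn() and shows the defensive shape, an explicit "user not found" error (the same shape UCS 4.3 later adopted, see comment 3) and a message flattened to one line before it is handed back. FAKE_DIRECTORY, the length rule and the (approved, message) return contract are assumptions for illustration.

```python
import re

# Constructed stand-in for the LDAP directory the real check queries:
# it maps krb5PrincipalName -> DN. Only accounts created with the kerberos
# option carry a krb5PrincipalName, so a posix+samba-only user is absent.
FAKE_DIRECTORY = {
    "kerbuser@UPDATE.TEST": "uid=kerbuser,cn=users,dc=update,dc=test",
}


def search_dn(ldap_filter):
    """Stand-in for lo.searchDn(): return the list of DNs matching the filter."""
    m = re.match(r"^krb5PrincipalName=(.+)$", ldap_filter)
    if not m:
        return []
    dn = FAKE_DIRECTORY.get(m.group(1))
    return [dn] if dn else []


class UserNotFound(Exception):
    """Raised when the principal has no krb5PrincipalName in the directory."""


def user_policy_dn(principal):
    """Resolve the user's DN.

    The buggy version indexes the search result unconditionally
    (searchDn(...)[0]) and dies with IndexError on an empty list; here the
    empty result is turned into a descriptive error instead.
    """
    dns = search_dn("krb5PrincipalName=%s" % principal)
    if not dns:
        raise UserNotFound("User was not found: no krb5PrincipalName for %r" % principal)
    return dns[0]


def heimdal_safe_message(text):
    """Collapse a multi-line message into one line.

    kpasswdd keeps only the first line of what the external program prints,
    so a traceback would otherwise reach the user as a bare
    'Traceback (most recent call last):'.
    """
    lines = [line.strip() for line in str(text).splitlines() if line.strip()]
    return " ".join(lines)


def run_quality_check(principal, new_password):
    """Return (approved, message) for one password-change request.

    Assumed contract modelled on the external check program: True with
    'APPROVED' on success, otherwise False with a single-line reason.
    """
    try:
        user_policy_dn(principal)
    except UserNotFound as exc:
        return (False, heimdal_safe_message(exc))
    if len(new_password) < 8:  # hypothetical policy rule for illustration
        return (False, "Password too short")
    return (True, "APPROVED")


if __name__ == "__main__":
    # The reporter's posix+samba user has no principal entry -> clean failure.
    print(run_quality_check("h8fulvhzub@UPDATE.TEST", "o4yrqus17x"))
    # A kerberos user passes the lookup and the illustrative length rule.
    print(run_quality_check("kerbuser@UPDATE.TEST", "o4yrqus17x"))
```

The point of `heimdal_safe_message` is independent of the lookup fix: whatever the external check raises, the message that crosses the kpasswdd boundary must fit on one line or the diagnostic is lost, which is exactly why the description had to re-run the script by hand to see the traceback.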
Comment 1 Florian Best univentionstaff 2017-05-11 17:20:11 CEST
A possible idea to solve this is to write a custom PAM module with pam-python which is only there for the password changing via UMC.

* we could remove the patched heimdal package, which adds some complexity checks
* we could remove the patched heimdal package, which adds the actual password changing via UDM
* we would have the password quality check at one central place
* we could simplify the UMC mechanism to detect failing password changes a lot! Currently we need to parse error messages from pam_cracklib, pam_unix, pam_ldap, heimdal, pam_krb5, samba4 KDC, Active Directory Server, ….
Comment 2 Florian Best univentionstaff 2017-05-11 17:44:03 CEST
The same applies to users with only LDAP / Simple authentication account → Bug #42308, Bug #39636. This is also customer feedback.
Comment 3 Florian Best univentionstaff 2018-01-24 00:34:55 CET
The signature changed in UCS 4.3:

Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: external program failed:

Traceback (most recent call last):
  File "/usr/share/univention-heimdal/check_cracklib.py", line 73, in <module>
    main()
  File "/usr/share/univention-heimdal/check_cracklib.py", line 64, in main
    pwdCheck = univention.password.Check(None, params['principal'])
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 53, in __init__
    self._userPolicy(username)
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 95, in _userPolicy
    raise ValueError('User was not found.')
ValueError: User was not found. Errorcode 20: The new password could not be set.
Comment 4 Florian Best univentionstaff 2018-01-24 01:15:30 CET
Since we are removing the user options, this bug is WONTFIX.

*** This bug has been marked as a duplicate of bug 45842 ***