Univention Bugzilla – Bug 44867
Self Service "forgot password" does not work in Active Directory domain
Last modified: 2019-01-03 15:52:09 CET
The Self-Service "forgot password" functionality changes the userPassword attribute on the UCS LDAP side. This change is impossible in UCS-in-AD domains, as attributes aren't synced back to AD. Therefore "forgot password" is currently not possible with UCS-in-AD domains. Is there any technical way we can set a new password on the AD side? Do we have administrative credentials for the AD on the UCS side?
https://help.univention.com/t/self-service-funktioniert-nur-zum-teil/6035
I've added a first untested patch: https://git.knut.univention.de/univention/ucs/commit/fdb80f1e4a54eb1cad504d10f9487f563dea6d29
Created attachment 9207 [details] fdb80f1e4a54eb1cad504d10f9487f563dea6d29.diff
(In reply to Stefan Gohmann from comment #2)
> I've added a first untested patch:
> https://git.knut.univention.de/univention/ucs/commit/
> fdb80f1e4a54eb1cad504d10f9487f563dea6d29

I made some code comments in gitlab.
Created attachment 9208 [details] b5d259dcc6ebd0e8456bce6b24a347a2142e6407.patch
(In reply to Florian Best from comment #4)
> (In reply to Stefan Gohmann from comment #2)
> > I've added a first untested patch:
> > https://git.knut.univention.de/univention/ucs/commit/
> > fdb80f1e4a54eb1cad504d10f9487f563dea6d29
>
> I made some code comments in gitlab.

Feel free to commit your suggestions in the branch.
done.
@Nico: Please use the following patch for the customer: https://git.knut.univention.de/univention/ucs/commit/69c737cadc1817019e96d400b2bd26592ff3a934.patch The other patches have syntax errors, are logging passwords, etc.
(In reply to Florian Best from comment #8)
> The other patches have syntax errors, are logging passwords, etc.

Thanks. We should also add a config option to switch between ldap and ldaps. I think we can use the UCR variable connector/ad/ldap/ssl.
I tried to test this in my testing environment:

10.200.42.20 (Win2k8R2 AD)
10.200.42.25 (UCS Master 4.2-2)

-- currently I see in '/var/log/univention/management-console-server.log':

15.09.17 16:35:00.595 AUTH ( WARN ) : Changing password failed (('Fehler beim \xc3\x84ndern des Authentifizierungstoken', 20)). Prompts: [('Current Kerberos password: ', 1), ('Geben Sie ein neues Passwort ein: ', 1), ('Geben Sie das neue Passwort erneut ein: ', 1), (': ', 3)]

-- UCR --
ad/reset/username: pwreset
ad/reset/password: /etc/ad_pwd_reset.secret

-- /etc/ad_pwd_reset.secret: ASCII text, with no line terminators
Created attachment 9213 [details] AD_PWD_Reset-Error.png
You can try to set it via CLI:

eval "$(ucr shell)"

# the password file content is quoted so that whitespace or shell metacharacters in it survive
samba-tool user setpassword --username "$ad_reset_username" --password "$(cat "$ad_reset_password")" --filter samaccountname="<USER>" --newpassword "<PASSWORD>" -H ldap://$connector_ad_ldap_host
(In reply to Stefan Gohmann from comment #12)
> You can try to set it via CLI:
>
> eval "$(ucr shell)"
>
> samba-tool user setpassword --username "$ad_reset_username" --password $(cat
> $ad_reset_password) --filter samaccountname="<USER>" --newpassword
> "<PASSWORD>" -H ldap://$connector_ad_ldap_host

---8<---
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 237
Received smb_krb5 packet of length 106
kinit for pwreset@UNIVENTION.ACTIVE succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
ERROR: Failed to set password for user 'samaccountname=tim.taylor': (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1248, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 825, in run
    username=username)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 520, in setpassword
    self.modify_ldif(setpw)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 236, in modify_ldif
    self.modify(msg, controls)
Created attachment 9214 [details] Delegation_PWADRESET.png
Ok, we figured out that the problem was clearly the new password - it must not contain a '!':

--8<--
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 252
Received smb_krb5 packet of length 106
kinit for Administrator@UNIVENTION.ACTIVE succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
Changed password OK

So with my test I can confirm that the patch works! GREAT!
Everything works, but there is a traceback about logging which, at first glance, is irritating.

---
root@ucs:~# tail -f /var/log/univention/management-console-module-passwordreset.log
18.09.17 07:55:02.326 DEBUG_INIT
18.09.17 07:55:03.996 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
18.09.17 07:55:04.002 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
18.09.17 07:55:04.013 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
18.09.17 07:55:04.019 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
18.09.17 07:55:10.883 DEBUG_INIT
18.09.17 07:55:12.149 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
18.09.17 07:55:12.155 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
18.09.17 07:55:12.166 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
18.09.17 07:55:12.172 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
18.09.17 07:55:13.615 MODULE ( PROCESS ) : Sent mail with token to address user@domain.tld.
18.09.17 07:55:13.615 MODULE ( PROCESS ) : Der Token wurde erfolgreich versendet.
18.09.17 07:55:41.139 DEBUG_INIT
18.09.17 07:55:42.396 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
18.09.17 07:55:42.403 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
18.09.17 07:55:42.413 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
18.09.17 07:55:42.419 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
18.09.17 07:55:44.710 MODULE ( PROCESS ) : Die Ausführung des Kommandos passwordreset/set_password ist fehlgeschlagen:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 84, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 161, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 376, in set_password
    ret = self.udm_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 481, in udm_set_password
    return self.admember_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 469, in admember_set_password
    self.log("STDOUT: {}".format(cmd_out))
AttributeError: 'Instance' object has no attribute 'log'
The traceback is not only visible in the logs - it is also presented to the user who wants to change his password. It is difficult to explain to him that an error is shown but the system works correctly...
Created attachment 9221 [details] logging.patch
(In reply to Stephan Hendl from comment #17)
> The traceback is not only visible in the logs - it is also presented to the
> user who wants to change his password. It is difficult to explain him that
> there is an error shown but the systems works correctly...

Yes. Maybe the following patch helps:

(In reply to Stefan Gohmann from comment #18)
> Created attachment 9221 [details]
> logging.patch
Thank you! The error message is suppressed right now, but the page is going to the "Passwort vergessen" page again and shows a red exclamation mark that the username is necessary. A confirmation message that the password has been set correctly would be nice.
In the logfile management-console-module-passwordreset.log the complete samba-tool command with all the passwords is shown. Is it possible to suppress these lines (with a UCR debug variable) or at least the passwords, since it is security relevant?!

19.09.17 08:50:04.523 DEBUG_INIT
19.09.17 08:50:05.853 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
19.09.17 08:50:05.859 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
19.09.17 08:50:05.871 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
19.09.17 08:50:05.876 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
19.09.17 08:50:07.472 MODULE ( PROCESS ) : STDOUT of ['samba-tool', 'user', 'setpassword', '--username', 'selfservice', '--password', '<pwd of selservice user>', '--filter', 'samaccountname=hendl2', '--newpassword', 'new pwd of the user', '-H', 'ldap://<windows-dc>']: Changed password OK
19.09.17 08:50:07.474 MODULE ( PROCESS ) : Ihr Passwort wurde erfolgreich geändert.
Created attachment 9223 [details] patch If you revert the patches you can use this patch. It causes the passwords not to be logged.
This gives the following error message:

.09.17 09:08:34.492 DEBUG_INIT
19.09.17 09:08:35.724 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
19.09.17 09:08:35.730 MODULE ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
19.09.17 09:08:35.741 MODULE ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
19.09.17 09:08:35.747 MODULE ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length:
19.09.17 09:08:37.627 MODULE ( PROCESS ) : Die Ausführung des Kommandos passwordreset/set_password ist fehlgeschlagen:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 84, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 161, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 376, in set_password
    ret = self.udm_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 481, in udm_set_password
    return self.admember_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 469, in admember_set_password
    MODULE.process("STDOUT of {}: {}".format(cmd_out))
IndexError: tuple index out of range
This is not the patch which I attached. You can revert the settings by doing apt-get install --reinstall univention-self-service-passwordreset-umc && patch -p6 ....
Here is the difference between the original and the patched __init__.py. Unfortunately I cannot see any difference between this and the patch 9223.
Created attachment 9225 [details] Difference between original and patched version
The difference in the line: MODULE.process("STDOUT of {}: {}".format(cmd_out)) is: "of {}:"
(In reply to Florian Best from comment #27)
> The difference in the line: MODULE.process("STDOUT of {}:
> {}".format(cmd_out)) is:
> "of {}:"

OK, thanks. My fault. Works!
Created attachment 9252 [details] patch I included the evaluation of the UCR variable "connector/ad/ldap/ldaps" in the patch, so that an ldaps:// URI is used.
Patch has been modified and applied. Are you okay with the UCR variable names?

univention-self-service.yaml
7fafd617f3a7 | Bug #44867: Merge branch 'fbest/44867' into 4.2-3
0590cc04ec99 | YAML Bug #44867

univention-self-service (2.0.16-9)
7fafd617f3a7 | Bug #44867: Merge branch 'fbest/44867' into 4.2-3
f72adc21f9ca | Bug #44867: Make it possible for user from Active Directory to change their password.
b26d5c289918 | Bug #44867: Fix password reset for UCS systems joined into a AD domain.
I'm fine with the names and the solution.
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 85, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 162, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 377, in set_password
    ret = self.udm_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 483, in udm_set_password
    return self.admember_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 465, in admember_set_password
    with open(ucr['ad/reset/password']) as fd:
TypeError: coercing to Unicode: need string or buffer, NoneType found
Oh yes, ucr['foo'] returns None if the key does not exist. Fixed in:

univention-self-service (2.0.17-13)
12224ba779a4 | Bug #44867: fix UCR usage; fix url encoding
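The three problems this thread works through (choosing ldap:// vs. ldaps:// from a UCR variable, the full samba-tool command including both passwords landing in management-console-module-passwordreset.log, and ucr['key'] silently being None when the variable is unset) as one added Python 3 example; this is not the univention-self-service module's code. It assumes a dict-like ucr object, that ad/reset/password holds the path of the secret file as in the tester's setup, and that a "yes"-style value enables connector/ad/ldap/ldaps; escaping the username for the LDAP filter is an extra hardening step the page itself does not mention.

```python
import subprocess

SECRET_FLAGS = {"--password", "--newpassword"}  # values after these never reach a log


def ldap_filter_escape(value):
    """Escape RFC 4515 filter metacharacters so a submitted username cannot
    alter the samaccountname= filter handed to samba-tool."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def ad_ldap_uri(ucr):
    """ldaps:// when connector/ad/ldap/ldaps is enabled, ldap:// otherwise."""
    host = ucr.get("connector/ad/ldap/host")
    if not host:
        raise ValueError("UCR variable connector/ad/ldap/host is not set")
    ldaps = str(ucr.get("connector/ad/ldap/ldaps") or "").lower() in ("yes", "true", "1")
    return "%s://%s" % ("ldaps" if ldaps else "ldap", host)


def read_secret_file(path):
    """ad/reset/password names a file holding the reset account's password."""
    with open(path) as fd:
        return fd.read().strip()


def build_setpassword_cmd(ucr, username, new_password, read_secret=read_secret_file):
    """Build the samba-tool argv; fail early when a UCR variable is unset (it reads as None)."""
    for key in ("ad/reset/username", "ad/reset/password"):
        if not ucr.get(key):
            raise ValueError("UCR variable %s is not set" % key)
    return ["samba-tool", "user", "setpassword",
            "--username", ucr["ad/reset/username"],
            "--password", read_secret(ucr["ad/reset/password"]),
            "--filter", "samaccountname=%s" % ldap_filter_escape(username),
            "--newpassword", new_password,
            "-H", ad_ldap_uri(ucr)]


def redact_cmd(cmd):
    """Copy of argv with every value that follows a secret flag replaced."""
    out, hide = [], False
    for arg in cmd:
        out.append("***" if hide else arg)
        hide = arg in SECRET_FLAGS
    return out


def run_setpassword(cmd, log=print):
    """Run samba-tool; log only the redacted command and its exit status."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    log("exit %d of %s: %s" % (proc.returncode, redact_cmd(cmd), proc.stdout.strip()))
    return proc.returncode == 0
```

Feed the argv from build_setpassword_cmd() into run_setpassword() on a joined member; the log line it emits is the redacted form, so a later "STDOUT of ..." style message cannot leak either password.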
OK - reset password with ad user in member mode
OK - reset password with ucs user in member mode
OK - reset password (ucs master)
Advisory wording needed fixing: @@ -7,8 +7,8 @@ fix: 2.0.17-14A~4.2.0.201711301428 desc: | This update addresses the following issue(s): * Users from an Active Directory domain now can reset their password via the - Self Service. Therefore the UCR Variables ad/reset/username and - ad/reset/password needs to be set. + Self Service. To enable the feature, the UCR variables ad/reset/username + and ad/reset/password need to be set. * Notifications about successful password changes are shown again. * The creation of postgresql database and users has been moved from the post installation script into the joinscript.
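Review bot: the reworded advisory line still leaves ad/reset/password ambiguous; the tester's UCR dump in this thread (ad/reset/password: /etc/ad_pwd_reset.secret) and the `with open(ucr['ad/reset/password']) as fd:` frame in the last traceback show that the variable holds the path of a file containing the reset account's password, not the password itself, so the hunk should say so, e.g. "the UCR variables ad/reset/username and ad/reset/password (path of a file holding that account's password) need to be set", and should mention that connector/ad/ldap/ldaps selects an ldaps:// connection for the reset, since that variable was added in the same change.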
<http://errata.software-univention.de/ucs/4.2/237.html>
*** Bug 42354 has been marked as a duplicate of this bug. ***