Bug 44867 - Self Service "forgot password" does not work in Active Directory domain
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
Version: UCS 4.2
Platform: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.2-3-errata
Assigned To: Florian Best
QA Contact: Felix Botner
Duplicates: 42354
Depends on:
Blocks:
Reported: 2017-06-27 09:34 CEST by Florian Best
Modified: 2019-01-03 15:52 CET

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017091421000682
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments
fdb80f1e4a54eb1cad504d10f9487f563dea6d29.diff (2.02 KB, patch), 2017-09-14 20:57 CEST, Stefan Gohmann
b5d259dcc6ebd0e8456bce6b24a347a2142e6407.patch (952 bytes, patch), 2017-09-15 09:28 CEST, Stefan Gohmann
AD_PWD_Reset-Error.png (31.51 KB, image/png), 2017-09-15 16:46 CEST, Nico Stöckigt
Delegation_PWADRESET.png (52.05 KB, image/png), 2017-09-15 17:26 CEST, Nico Stöckigt
logging.patch (927 bytes, patch), 2017-09-19 08:41 CEST, Stefan Gohmann
patch (2.51 KB, patch), 2017-09-19 09:04 CEST, Florian Best
Difference between original and patched version (1.77 KB, patch), 2017-09-19 09:31 CEST, Stephan Hendl
patch (2.60 KB, patch), 2017-10-17 12:27 CEST, Florian Best

Description Florian Best univentionstaff 2017-06-27 09:34:49 CEST
The Self-Service "forgot password" functionality changes the userPassword attribute on the UCS LDAP side. This change is impossible in UCS-in-AD domains, as attributes aren't synced back to AD. Therefore "forgot password" is currently not possible with UCS-in-AD domains.

Is there any technical way we can set a new password on the AD side? Do we have administrative credentials for the AD on the UCS side?
Comment 2 Stefan Gohmann univentionstaff 2017-09-14 20:55:18 CEST
I've added a first untested patch:
 https://git.knut.univention.de/univention/ucs/commit/fdb80f1e4a54eb1cad504d10f9487f563dea6d29
Comment 3 Stefan Gohmann univentionstaff 2017-09-14 20:57:28 CEST
Created attachment 9207 [details]
fdb80f1e4a54eb1cad504d10f9487f563dea6d29.diff
Comment 4 Florian Best univentionstaff 2017-09-15 08:51:14 CEST
(In reply to Stefan Gohmann from comment #2)
> I've added a first untested patch:
>  https://git.knut.univention.de/univention/ucs/commit/
> fdb80f1e4a54eb1cad504d10f9487f563dea6d29

I made some code comments in gitlab.
Comment 5 Stefan Gohmann univentionstaff 2017-09-15 09:28:36 CEST
Created attachment 9208 [details]
b5d259dcc6ebd0e8456bce6b24a347a2142e6407.patch
Comment 6 Stefan Gohmann univentionstaff 2017-09-15 09:41:34 CEST
(In reply to Florian Best from comment #4)
> (In reply to Stefan Gohmann from comment #2)
> > I've added a first untested patch:
> >  https://git.knut.univention.de/univention/ucs/commit/
> > fdb80f1e4a54eb1cad504d10f9487f563dea6d29
> 
> I made some code comments in gitlab.

Feel free to commit your suggestions in the branch.
Comment 7 Florian Best univentionstaff 2017-09-15 09:50:28 CEST
done.
Comment 8 Florian Best univentionstaff 2017-09-15 13:19:07 CEST
@Nico: Please use the following patch for the customer:

https://git.knut.univention.de/univention/ucs/commit/69c737cadc1817019e96d400b2bd26592ff3a934.patch

The other patches have syntax errors, are logging passwords, etc.
Comment 9 Stefan Gohmann univentionstaff 2017-09-15 16:13:36 CEST
(In reply to Florian Best from comment #8)
> The other patches have syntax errors, are logging passwords, etc.

Thanks.

We should also add a config option to switch between ldap and ldaps. I think we can use the UCR variable connector/ad/ldap/ssl.
Comment 10 Nico Stöckigt univentionstaff 2017-09-15 16:43:23 CEST
I tried to test this in my testing environment:
10.200.42.20 (Win2k8R2 AD)
10.200.42.25 (UCS Master 4.2-2)

--

currently I see in '/var/log/univention/management-console-server.log':

15.09.17 16:35:00.595  AUTH        ( WARN    ) : Changing password failed (('Fehler beim \xc3\x84ndern des Authentifizierungstoken', 20)). Prompts: [('Current Kerberos password: ', 1), ('Geben Sie ein neues Passwort ein: ', 1), ('Geben Sie das neue Passwort erneut ein: ', 1), (': ', 3)]

-- UCR --
ad/reset/username: pwreset
ad/reset/password: /etc/ad_pwd_reset.secret

--
/etc/ad_pwd_reset.secret: ASCII text, with no line terminators
Comment 11 Nico Stöckigt univentionstaff 2017-09-15 16:46:09 CEST
Created attachment 9213 [details]
AD_PWD_Reset-Error.png
Comment 12 Stefan Gohmann univentionstaff 2017-09-15 16:52:02 CEST
You can try to set it via CLI:

eval "$(ucr shell)"

# the command substitution is quoted so a secret containing spaces or glob characters is passed as one argument
samba-tool user setpassword --username "$ad_reset_username" --password "$(cat "$ad_reset_password")" --filter samaccountname="<USER>" --newpassword "<PASSWORD>" -H "ldap://$connector_ad_ldap_host"
Comment 13 Nico Stöckigt univentionstaff 2017-09-15 17:23:09 CEST
(In reply to Stefan Gohmann from comment #12)
> You can try to set it via CLI:
> 
> eval "$(ucr shell)"
> 
> samba-tool user setpassword --username "$ad_reset_username" --password $(cat
> $ad_reset_password) --filter samaccountname="<USER>" --newpassword
> "<PASSWORD>" -H ldap://$connector_ad_ldap_host

---8<---
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 237
Received smb_krb5 packet of length 106
kinit for pwreset@UNIVENTION.ACTIVE succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
ERROR: Failed to set password for user 'samaccountname=tim.taylor': (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <0000052D: SvcErr: DSID-031A1248, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 825, in run
    username=username)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 520, in setpassword
    self.modify_ldif(setpw)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 236, in modify_ldif
    self.modify(msg, controls)
Comment 14 Nico Stöckigt univentionstaff 2017-09-15 17:26:58 CEST
Created attachment 9214 [details]
Delegation_PWADRESET.png
Comment 15 Nico Stöckigt univentionstaff 2017-09-15 17:41:48 CEST
Ok, we figured out that the problem was clearly the new password - it must not contain a '!':

--8<--
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 252
Received smb_krb5 packet of length 106
kinit for Administrator@UNIVENTION.ACTIVE succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
Changed password OK

So with my test I can confirm that the Patch works! GREAT!
Comment 16 Nico Stöckigt univentionstaff 2017-09-18 11:12:16 CEST
Everything works, but there is a traceback about logging which, at first view, is irritating.
---
root@ucs:~# tail -f /var/log/univention/management-console-module-passwordreset.log
18.09.17 07:55:02.326  DEBUG_INIT
18.09.17 07:55:03.996  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
18.09.17 07:55:04.002  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
18.09.17 07:55:04.013  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
18.09.17 07:55:04.019  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
18.09.17 07:55:10.883  DEBUG_INIT
18.09.17 07:55:12.149  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
18.09.17 07:55:12.155  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
18.09.17 07:55:12.166  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
18.09.17 07:55:12.172  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
18.09.17 07:55:13.615  MODULE      ( PROCESS ) : Sent mail with token to address user@domain.tld.
18.09.17 07:55:13.615  MODULE      ( PROCESS ) : Der Token wurde erfolgreich versendet.
18.09.17 07:55:41.139  DEBUG_INIT
18.09.17 07:55:42.396  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
18.09.17 07:55:42.403  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
18.09.17 07:55:42.413  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
18.09.17 07:55:42.419  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
18.09.17 07:55:44.710  MODULE      ( PROCESS ) : Die Ausführung des Kommandos passwordreset/set_password ist fehlgeschlagen:
 
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 84, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 161, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 376, in set_password
    ret = self.udm_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 481, in udm_set_password
    return self.admember_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 469, in admember_set_password
    self.log("STDOUT: {}".format(cmd_out))
AttributeError: 'Instance' object has no attribute 'log'
Comment 17 Stephan Hendl 2017-09-19 08:14:11 CEST
The traceback is not only visible in the logs - it is also presented to the user who wants to change his password. It is difficult to explain to him that there is an error shown but the system works correctly...
Comment 18 Stefan Gohmann univentionstaff 2017-09-19 08:41:32 CEST
Created attachment 9221 [details]
logging.patch
Comment 19 Stefan Gohmann univentionstaff 2017-09-19 08:42:11 CEST
(In reply to Stephan Hendl from comment #17)
> The traceback is not only visible in the logs - it is also presented to the
> user who wants to change his password. It is difficult to explain him that
> there is an error shown but the systems works correctly...

Yes. Maybe the following patch helps:

(In reply to Stefan Gohmann from comment #18)
> Created attachment 9221 [details]
> logging.patch
Comment 20 Stephan Hendl 2017-09-19 08:55:06 CEST
Thank you! The error message is suppressed right now, but the page is going to the "Passwort vergessen" page again and shows a red exclamation mark that the username is necessary. A confirmation message that the password has been set correctly would be nice.
Comment 21 Stephan Hendl 2017-09-19 09:01:45 CEST
In the logfile management-console-module-passwordreset.log the complete samba-tool command with all the passwords is shown. Is it possible to suppress these lines (with a UCR debug variable) or at least the passwords, since it is security relevant?!

19.09.17 08:50:04.523  DEBUG_INIT
19.09.17 08:50:05.853  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
19.09.17 08:50:05.859  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
19.09.17 08:50:05.871  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
19.09.17 08:50:05.876  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length: '64'
19.09.17 08:50:07.472  MODULE      ( PROCESS ) : STDOUT of ['samba-tool', 'user', 'setpassword', '--username', 'selfservice', '--password', '<pwd of selservice user>', '--filter', 'samaccountname=hendl2', '--newpassword', 'new pwd of the user', '-H', 'ldap://<windows-dc>']: Changed password OK

19.09.17 08:50:07.474  MODULE      ( PROCESS ) : Ihr Passwort wurde erfolgreich geändert.
Comment 22 Florian Best univentionstaff 2017-09-19 09:04:10 CEST
Created attachment 9223 [details]
patch

If you revert the patches you can use this patch. It causes the passwords not to be logged.
Comment 23 Stephan Hendl 2017-09-19 09:12:57 CEST
This gives the following error message:

19.09.17 09:08:34.492  DEBUG_INIT
19.09.17 09:08:35.724  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendWithExternal' for sending method 'None' is disabled.
19.09.17 09:08:35.730  MODULE      ( PROCESS ) : get_plugins(): Plugin class 'SendSMS' for sending method 'mobile' is disabled.
19.09.17 09:08:35.741  MODULE      ( PROCESS ) : get_plugins(): Loaded sending plugin class 'SendEmail' for sending method 'email'.
19.09.17 09:08:35.747  MODULE      ( PROCESS ) : get_plugins(): plugin class 'SendEmail' for sending method 'email': udm_property: 'PasswordRecoveryEmail' token_length:
19.09.17 09:08:37.627  MODULE      ( PROCESS ) : Die Ausführung des Kommandos passwordreset/set_password ist fehlgeschlagen:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 84, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 161, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 376, in set_password
    ret = self.udm_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 481, in udm_set_password
    return self.admember_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 469, in admember_set_password
    MODULE.process("STDOUT of {}: {}".format(cmd_out))
IndexError: tuple index out of range
Comment 24 Florian Best univentionstaff 2017-09-19 09:14:47 CEST
This is not the patch which I attached.
You can revert the settings by doing apt-get install --reinstall univention-self-service-passwordreset-umc && patch -p6 ....
Comment 25 Stephan Hendl 2017-09-19 09:30:55 CEST
Here is the difference between the original and the patched __init__.py - unfortunately I cannot see any difference between this and the patch 9223.
Comment 26 Stephan Hendl 2017-09-19 09:31:46 CEST
Created attachment 9225 [details]
Difference between original and patched version
Comment 27 Florian Best univentionstaff 2017-09-19 09:32:57 CEST
The difference in the line: MODULE.process("STDOUT of {}: {}".format(cmd_out)) is:
"of {}:"
Comment 28 Stephan Hendl 2017-09-19 09:42:29 CEST
(In reply to Florian Best from comment #27)
> The difference in the line: MODULE.process("STDOUT of {}:
> {}".format(cmd_out)) is:
> "of {}:"

OK, thanks. My fault. Works!
Comment 29 Florian Best univentionstaff 2017-10-17 12:27:01 CEST
Created attachment 9252 [details]
patch

I included the evaluation of the UCR variable "connector/ad/ldap/ldaps" in the patch, so that an ldaps:// URI is used.
Comment 30 Florian Best univentionstaff 2017-11-28 17:54:07 CET
Patch has been modified and applied. Are you okay with the UCR variable names?

univention-self-service.yaml
7fafd617f3a7 | Bug #44867: Merge branch 'fbest/44867' into 4.2-3
0590cc04ec99 | YAML Bug #44867

univention-self-service (2.0.16-9)
7fafd617f3a7 | Bug #44867: Merge branch 'fbest/44867' into 4.2-3
f72adc21f9ca | Bug #44867: Make it possible for user from Active Directory to change their password.
b26d5c289918 | Bug #44867: Fix password reset for UCS systems joined into a AD domain.
Comment 31 Stephan Hendl 2017-11-29 07:23:47 CET
I'm fine with the names and the solution.
Comment 32 Felix Botner univentionstaff 2017-11-29 17:46:01 CET


Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 85, in _decorator
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 162, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 377, in set_password
    ret = self.udm_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 483, in udm_set_password
    return self.admember_set_password(username, password)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 465, in admember_set_password
    with open(ucr['ad/reset/password']) as fd:
TypeError: coercing to Unicode: need string or buffer, NoneType found
Comment 33 Florian Best univentionstaff 2017-11-29 17:54:40 CET
Oh yes, ucr['foo'] returns None if the key does not exist.
Fixed in:

univention-self-service (2.0.17-13)
12224ba779a4 | Bug #44867: fix UCR usage; fix url encoding
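The thread touches four things a defender would want handled in one place: the samba-tool invocation from comment 12, the credentials leaking into management-console-module-passwordreset.log in comment 21, the ldap/ldaps switch from comment 29, and the None returned for an unset UCR key in comment 33. The following is an added example written for this page, not code from the univention-self-service module. It models UCR as a plain dict whose .get() returns None for unset keys, treats connector/ad/ldap/ldaps as a yes/no switch (an assumption), and takes stand-in runner and read_secret callables so it runs without samba-tool or a domain controller; the host ad-dc.example.test and the secret value are constructed.

```python
"""Validate the UCR settings, build the samba-tool argv and log it redacted.

Added example for this bug report; not code from univention-self-service.
Assumptions (also marked below): UCR is modelled as a dict whose .get()
returns None for unset keys (comment 33); connector/ad/ldap/ldaps is a
yes/no switch for an ldaps:// URI (comment 29); runner and read_secret
are stand-ins so nothing here contacts a domain controller.
"""
import shlex
from typing import Callable, Dict, List, Optional, Sequence, Tuple

SECRET_FLAGS = ("--password", "--newpassword")   # samba-tool options carrying credentials
REDACTED = "<redacted>"


class ResetConfigError(Exception):
    """A UCR variable needed for the AD password reset is unset or empty."""


def _read_file(path: str) -> str:
    with open(path) as fd:
        return fd.read()


def load_reset_config(ucr: Dict[str, Optional[str]],
                      read_secret: Callable[[str], str] = _read_file) -> Tuple[str, str, str]:
    """Return (reset account, its password, AD LDAP URI) or raise ResetConfigError.

    ad/reset/password is the *path* of a secret file (comment 10). Checking
    for None here turns the TypeError from comment 32 into a clear message.
    """
    wanted = ("ad/reset/username", "ad/reset/password", "connector/ad/ldap/host")
    values = {key: ucr.get(key) for key in wanted}          # assumption: dict-like UCR
    missing = [key for key in wanted if not values[key]]
    if missing:
        raise ResetConfigError("unset UCR variable(s): " + ", ".join(missing))
    secret = read_secret(values["ad/reset/password"]).rstrip("\r\n")
    if not secret:
        raise ResetConfigError("secret file %s is empty" % values["ad/reset/password"])
    # assumption: connector/ad/ldap/ldaps holds yes/true/1 when LDAPS is wanted
    use_ldaps = (ucr.get("connector/ad/ldap/ldaps") or "").lower() in ("yes", "true", "1")
    uri = "%s://%s" % ("ldaps" if use_ldaps else "ldap", values["connector/ad/ldap/host"])
    return values["ad/reset/username"], secret, uri


def ldap_filter_escape(value: str) -> str:
    """Escape RFC 4515 special characters so a user name cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_setpassword_cmd(reset_user: str, reset_password: str, target_user: str,
                          new_password: str, uri: str) -> List[str]:
    """argv for the samba-tool call from comment 12, one value per element.

    No shell is involved, so spaces, quotes and '!' in either password reach
    samba-tool unchanged and the secret file content needs no extra quoting.
    """
    return ["samba-tool", "user", "setpassword",
            "--username", reset_user, "--password", reset_password,
            "--filter", "samaccountname=%s" % ldap_filter_escape(target_user),
            "--newpassword", new_password, "-H", uri]


def redact_argv(argv: Sequence[str]) -> List[str]:
    """Copy of argv with the value of every secret option masked (comment 21)."""
    out = list(argv)
    for i, arg in enumerate(out):
        if arg in SECRET_FLAGS and i + 1 < len(out):
            out[i + 1] = REDACTED
        elif "=" in arg and arg.split("=", 1)[0] in SECRET_FLAGS:
            out[i] = arg.split("=", 1)[0] + "=" + REDACTED
    return out


def reset_ad_password(ucr, target_user, new_password, runner, log,
                      read_secret=_read_file) -> bool:
    """Run the reset via runner(argv) -> (rc, stdout, stderr); log without secrets."""
    reset_user, reset_password, uri = load_reset_config(ucr, read_secret)
    argv = build_setpassword_cmd(reset_user, reset_password, target_user, new_password, uri)
    log("running: " + " ".join(shlex.quote(a) for a in redact_argv(argv)))
    rc, out, err = runner(argv)
    if rc != 0:
        log("samba-tool failed (rc=%d): %s" % (rc, err.strip()))
        return False
    log("samba-tool: " + out.strip())        # e.g. "Changed password OK"
    return True


if __name__ == "__main__":
    # constructed sample configuration and a fake runner; nothing is executed
    sample_ucr = {"ad/reset/username": "pwreset",
                  "ad/reset/password": "/etc/ad_pwd_reset.secret",
                  "connector/ad/ldap/host": "ad-dc.example.test",
                  "connector/ad/ldap/ldaps": "yes"}
    fake_runner = lambda argv: (0, "Changed password OK\n", "")
    reset_ad_password(sample_ucr, "tim.taylor", "Example!Pass(1)", fake_runner, print,
                      read_secret=lambda path: "constructed-reset-secret")
```

Passing the credentials as argv elements keeps them away from the shell, but they are still visible in the process list for the lifetime of the samba-tool call; the redaction above covers the log exposure raised in comments 21 and 27, not that one.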
Comment 34 Felix Botner univentionstaff 2017-11-30 12:01:19 CET
OK - reset password with ad user in member mode
OK - reset password with ucs user in member mode
OK - reset password (ucs master)
Comment 35 Arvid Requate univentionstaff 2017-12-06 15:27:46 CET
Advisory wording needed fixing:

@@ -7,8 +7,8 @@ fix: 2.0.17-14A~4.2.0.201711301428
 desc: |
  This update addresses the following issue(s):
  * Users from an Active Directory domain now can reset their password via the
-   Self Service. Therefore the UCR Variables ad/reset/username and
-   ad/reset/password needs to be set.
+   Self Service. To enable the feature, the UCR variables ad/reset/username
+   and ad/reset/password need to be set.
  * Notifications about successful password changes are shown again.
  * The creation of postgresql database and users has been moved from the
    post installation script into the joinscript.
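Review bot: the reworded bullet still does not say what ad/reset/password holds; elsewhere in this bug it is the path of a secret file (ad/reset/password: /etc/ad_pwd_reset.secret in comment 10, read with open(ucr['ad/reset/password']) in comment 32), not the reset account's password itself. Suggest making that explicit, e.g. "the UCR variables ad/reset/username (the AD account used for the reset) and ad/reset/password (path to a file containing that account's password) need to be set", so administrators do not store the secret directly in UCR.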
Comment 36 Arvid Requate univentionstaff 2017-12-06 15:40:18 CET
<http://errata.software-univention.de/ucs/4.2/237.html>
Comment 37 Felix Botner univentionstaff 2019-01-03 15:52:09 CET
*** Bug 42354 has been marked as a duplicate of this bug. ***