Univention Bugzilla – Bug 45282
S4-Connector still reads&writes deprecated sambaPwdMustChange
Last modified: 2018-09-19 11:23:41 CEST
The S4-Connector still sets sambaPwdMustChange if pwdLastSet has been changed to 0 in Samba/AD. Since this attribute is deprecated by Samba (see Bug 17890) we should remove the code from the S4-Connector.
Created attachment 9152
Something like this (untested)
This is bad because sambaPwdMustChange=0 in UCS lets the connector set pwdLastSet=0 in s4 (password expired) during every "password_sync_ucs_to_s4" (password change in UCS) until the password is changed in s4.
Steps to reproduce:
* stop connector
* change s4 password
* change pwdLastSet to 0 for s4 test user (ldbedit)
After restarting the connector, password_sync_s4_to_ucs() sets sambaPwdMustChange=0 in UCS.
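An added example, not part of the bug report or the connector's code: one way to audit an LDIF export of UCS user objects for a leftover sambaPwdMustChange=0, the value the comment above describes as making the connector expire the S4 password again. The sample LDIF, the DNs and the function names are constructed for illustration.

```python
import base64

ATTR = "sambapwdmustchange"  # attribute named in the bug report, lower-cased

# Constructed sample input; how the LDIF is exported is left to the reader.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=test
sambaPwdMustChange: 0

dn: uid=bob,cn=users,dc=example,dc=test
sambaPwdLastSet: 1537349021

dn: uid=carol,cn=users,dc=example,
 dc=test
sambaPwdMustChange:: MA==
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    entry = {}
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.lower(), []).append(value.strip())

def stale_must_change(text):
    """Return the DNs of entries that still carry sambaPwdMustChange=0."""
    return [e["dn"][0] for e in parse_entries(text)
            if "dn" in e and "0" in e.get(ATTR, [])]

if __name__ == "__main__":
    print("\n".join(stale_must_change(SAMPLE_LDIF)))
```

The folded DN and the base64-encoded value in the sample are there because both occur in real LDIF output and a plain line-by-line grep would miss them.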
The customer asked one year later if something happened here.
I think it is time for the 'waiting for support' flag.
By now the customer is on Version:
UCS: 4.3-1 errata202
The URL field refers to a gitlab branch with an updated patch based on UCS 4.3-1.
Fixed along with Bug #47595:
1ada17b9b3 | password_sync_s4_to_ucs: Don't set sambaPwdMustChange
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
83a2f0a248 | Bug #45282 & Bug #47595: Advisory
The attribute is still used (removed in password_sync_s4_to_ucs). I would prefer to completely remove the sambaPwdMustChange code in password_sync_s4_to_ucs and password_sync_ucs_to_s4.
(In reply to Felix Botner from comment #8)
> The attribute is still used (removed in password_sync_s4_to_ucs). I would
> prefer to completely remove the sambaPwdMustChange code in
> password_sync_s4_to_ucs and password_sync_ucs_to_s4.
That is OK, so it is removed over time. If it should be removed directly, one can use: