Bug 45282 – S4-Connector still reads&writes deprecated sambaPwdMustChange

Bug 45282 - S4-Connector still reads&writes deprecated sambaPwdMustChange


Summary:	S4-Connector still reads&writes deprecated sambaPwdMustChange

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 2.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.3-2-errata
Assigned To:	Arvid Requate
QA Contact:	Felix Botner

URL:	https://git.knut.univention.de/univen...
Keywords:

Depends on:	20917
Blocks:
	Show dependency tree / graph

Reported:	2017-08-29 13:01 CEST by Arvid Requate
Modified:	2018-09-19 11:23 CEST (History)
CC List:	5 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	2: Improvement: Would be a product improvement
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.023
Enterprise Customer affected?:	Yes
School Customer affected?:	Yes
ISV affected?:
Waiting Support:	Yes
Flags outvoted (downgraded) after PO Review:
Ticket number:	2017082921000291
Bug group (optional):
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
remove_sambaPwdMustChange.patch (5.19 KB, patch) 2017-08-29 13:02 CEST, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2017-08-29 13:01:53 CEST

The S4-Connector still sets sambaPwdMustChange if pwdLastSet has been changed to 0 in Samba/AD. Since this attribute is deprecated by Samba (see Bug 17890) we should remove the code from the S4-Connector.

Comment 1 Arvid Requate

2017-08-29 13:02:58 CEST

Created attachment 9152 [details]
remove_sambaPwdMustChange.patch

Something like this (untested)

Comment 2 Felix Botner

2017-08-29 15:01:34 CEST

This is bad because sambaPwdMustChange=0 in UCS lets the connector set pwdLastSet=0 in s4 (password expired) during every "password_sync_ucs_to_s4" (password change in UCS) until the password is changed in s4.

steps to repdroduce:

 * stop connector
 * change s4 password 
 * change pwdLastSet to 0 for s4 test user (ldbedit)

after restarting the connector password_sync_s4_to_ucs() sets sambaPwdMustChange=0 in UCS

Comment 3 Christina Scheinig

2018-08-28 12:19:37 CEST

The customer asked one year later, if something happened here.
I think it is time for the 'waiting for support' flag.

By now the customer is on Version:
UCS: 4.3-1 errata202

Comment 4 Arvid Requate

2018-08-29 14:11:04 CEST

The URL field refers to a gitlab branch with an updated patch based on UCS 4.3-1.

Comment 7 Arvid Requate

2018-09-05 00:46:10 CEST

Fixed along with Bug #47595:

1ada17b9b3 | password_sync_s4_to_ucs: Don't set sambaPwdMustChange
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
83a2f0a248 | Bug #45282 & Bug #47595: Advisory

Comment 8 Felix Botner

2018-09-12 14:17:15 CEST

The attribute is still used (removed in password_sync_s4_to_ucs). I would prefer to completely remove the sambaPwdMustChange code in  password_sync_s4_to_ucs and password_sync_ucs_to_s4.

Comment 9 Stefan Gohmann

2018-09-13 11:21:45 CEST

(In reply to Felix Botner from comment #8)
> The attribute is still used (removed in password_sync_s4_to_ucs). I would
> prefer to completely remove the sambaPwdMustChange code in 
> password_sync_s4_to_ucs and password_sync_ucs_to_s4.

That is OK, so it is removed by time. If it should be removed directly, one can use:
 /usr/share/univention-directory-manager-tools/remove_sambapwdmustchange

Comment 10 Felix Botner

2018-09-13 11:51:23 CEST

OK

Comment 11 Philipp Hahn

2018-09-19 11:23:41 CEST

<http://errata.software-univention.de/ucs/4.3/237.html>