Bug 45282 - S4-Connector still reads&writes deprecated sambaPwdMustChange
S4-Connector still reads&writes deprecated sambaPwdMustChange
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 2.4
Other Linux
: P5 normal (vote)
: UCS 4.3-2-errata
Assigned To: Arvid Requate
Felix Botner
https://git.knut.univention.de/univen...
:
Depends on: 20917
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-29 13:01 CEST by Arvid Requate
Modified: 2018-09-19 11:23 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted after Product Owner Review:
Ticket number: 2017082921000291
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
remove_sambaPwdMustChange.patch (5.19 KB, patch)
2017-08-29 13:02 CEST, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-08-29 13:01:53 CEST
The S4-Connector still sets sambaPwdMustChange if pwdLastSet has been changed to 0 in Samba/AD. Since this attribute is deprecated by Samba (see Bug 17890) we should remove the code from the S4-Connector.
Comment 1 Arvid Requate univentionstaff 2017-08-29 13:02:58 CEST
Created attachment 9152 [details]
remove_sambaPwdMustChange.patch

Something like this (untested)
Comment 2 Felix Botner univentionstaff 2017-08-29 15:01:34 CEST
This is bad because sambaPwdMustChange=0 in UCS lets the connector set pwdLastSet=0 in s4 (password expired) during every "password_sync_ucs_to_s4" (password change in UCS) until the password is changed in s4.

steps to repdroduce:

 * stop connector
 * change s4 password 
 * change pwdLastSet to 0 for s4 test user (ldbedit)

after restarting the connector password_sync_s4_to_ucs() sets sambaPwdMustChange=0 in UCS
Comment 3 Christina Scheinig univentionstaff 2018-08-28 12:19:37 CEST
The customer asked one year later, if something happened here.
I think it is time for the 'waiting for support' flag.

By now the customer is on Version:
UCS: 4.3-1 errata202
Comment 4 Arvid Requate univentionstaff 2018-08-29 14:11:04 CEST
The URL field refers to a gitlab branch with an updated patch based on UCS 4.3-1.
Comment 7 Arvid Requate univentionstaff 2018-09-05 00:46:10 CEST
Fixed along with Bug #47595:

1ada17b9b3 | password_sync_s4_to_ucs: Don't set sambaPwdMustChange
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
83a2f0a248 | Bug #45282 & Bug #47595: Advisory
Comment 8 Felix Botner univentionstaff 2018-09-12 14:17:15 CEST
The attribute is still used (removed in password_sync_s4_to_ucs). I would prefer to completely remove the sambaPwdMustChange code in  password_sync_s4_to_ucs and password_sync_ucs_to_s4.
Comment 9 Stefan Gohmann univentionstaff 2018-09-13 11:21:45 CEST
(In reply to Felix Botner from comment #8)
> The attribute is still used (removed in password_sync_s4_to_ucs). I would
> prefer to completely remove the sambaPwdMustChange code in 
> password_sync_s4_to_ucs and password_sync_ucs_to_s4.

That is OK, so it is removed by time. If it should be removed directly, one can use:
 /usr/share/univention-directory-manager-tools/remove_sambapwdmustchange
Comment 10 Felix Botner univentionstaff 2018-09-13 11:51:23 CEST
OK
Comment 11 Philipp Hahn univentionstaff 2018-09-19 11:23:41 CEST
<http://errata.software-univention.de/ucs/4.3/237.html>