Univention Bugzilla – Bug 45282
S4-Connector still reads&writes deprecated sambaPwdMustChange
Last modified: 2018-09-19 11:23:41 CEST
The S4-Connector still sets sambaPwdMustChange if pwdLastSet has been changed to 0 in Samba/AD. Since this attribute is deprecated by Samba (see Bug 17890) we should remove the code from the S4-Connector.
Created attachment 9152: remove_sambaPwdMustChange.patch
Something like this (untested)
This is bad because sambaPwdMustChange=0 in UCS lets the connector set pwdLastSet=0 in s4 (password expired) during every "password_sync_ucs_to_s4" (password change in UCS) until the password is changed in s4.

Steps to reproduce:
* stop connector
* change s4 password
* change pwdLastSet to 0 for s4 test user (ldbedit)

After restarting the connector, password_sync_s4_to_ucs() sets sambaPwdMustChange=0 in UCS.
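An added example (not part of the bug report and not Univention's code): a small audit that scans an LDIF export of UCS user objects for accounts still carrying sambaPwdMustChange, separating the value 0 described in the comment above from other leftover values. The sample export, user names and base DN are constructed.

```python
import base64

ATTR = "sambapwdmustchange"  # LDAP attribute names are case-insensitive

def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:  # the extra blank line flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())

def audit(text):
    """Split accounts carrying the attribute into value 0 and any other value."""
    report = {"forced_expiry": [], "stale": []}
    for dn, attrs in parse_ldif(text):
        values = attrs.get(ATTR)
        if values is not None:
            report["forced_expiry" if "0" in values else "stale"].append(dn)
    return report

# Constructed sample export (hypothetical users and base DN).
JOERG_DN = "uid=jörg,cn=users,dc=example,dc=test"
SAMPLE = (
    "dn: uid=alice,cn=users,\n dc=example,dc=test\n"
    "sambaPwdMustChange: 0\n"
    "\n"
    "dn: uid=bob,cn=users,dc=example,dc=test\n"
    "sambaPwdLastSet: 1537348000\n"
    "\n"
    "dn:: " + base64.b64encode(JOERG_DN.encode("utf-8")).decode("ascii") + "\n"
    "sambaPwdMustChange: 1537348000\n"
)

if __name__ == "__main__":
    for kind, dns in audit(SAMPLE).items():
        print(kind, dns)
```

Accounts listed under `forced_expiry` are the ones for which the connector would keep setting pwdLastSet=0 on every password change in UCS, as described above.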
The customer asked one year later if something happened here. I think it is time for the 'waiting for support' flag. By now the customer is on Version: UCS: 4.3-1 errata202.
The URL field refers to a gitlab branch with an updated patch based on UCS 4.3-1.
Fixed along with Bug #47595:
1ada17b9b3 | password_sync_s4_to_ucs: Don't set sambaPwdMustChange
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
83a2f0a248 | Bug #45282 & Bug #47595: Advisory
The attribute is still used (removed in password_sync_s4_to_ucs). I would prefer to completely remove the sambaPwdMustChange code in password_sync_s4_to_ucs and password_sync_ucs_to_s4.
(In reply to Felix Botner from comment #8)
> The attribute is still used (removed in password_sync_s4_to_ucs). I would
> prefer to completely remove the sambaPwdMustChange code in
> password_sync_s4_to_ucs and password_sync_ucs_to_s4.

That is OK, so it is removed over time. If it should be removed directly, one can use:
/usr/share/univention-directory-manager-tools/remove_sambapwdmustchange
OK
<http://errata.software-univention.de/ucs/4.3/237.html>