Bug 45760 - AD connector removes shadowMax and shadowLastChange on password change via samba/kerberos
AD connector removes shadowMax and shadowLastChange on password change via sa...
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.3-0-errata
Assigned To: Felix Botner
Arvid Requate
Depends on: 36317
Blocks: 36215 38494
  Show dependency treegraph
Reported: 2017-11-22 14:58 CET by Nico Stöckigt
Modified: 2018-05-16 17:03 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017111721000181
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Nico Stöckigt univentionstaff 2017-11-22 14:58:21 CET
+++ This bug was initially created as a clone of Bug #36317 +++

The connector removes shadowMax and shadowLastChange if the password is set via Windows. 

The connector should properly set these attributes

 -> shadowLastChange  (days since 1970-01-01 00:00:00 UTC)
 -> shadowMax keep if existing
Comment 1 Florian Best univentionstaff 2017-11-22 15:08:36 CET
Does this occur again with UCS 4.2?
Comment 2 Stefan Gohmann univentionstaff 2018-03-15 06:26:24 CET
Move to 4.3-0-errata. If a UCS 4.2 backport is needed, please clone this issue.
Comment 3 Felix Botner univentionstaff 2018-05-08 12:27:44 CEST
s4 change merged to ad connector.

08.05.2018 12:25:46,570 LDAP        (INFO   ): password_sync: update shadowLastChange to 17659 for uid=fb1,cn=users,dc=w2k12,dc=test

08.05.2018 12:25:46,576 LDAP        (INFO   ): password_sync: password expiry for uid=fb1,cn=users,dc=w2k12,dc=test is {'policy': 'cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=w2k12,dc=test', 'fixed': 0, 'value': ['60']}
08.05.2018 12:25:46,576 LDAP        (INFO   ): password_sync: update shadowMax to 60 for uid=fb1,cn=users,dc=w2k12,dc=test
08.05.2018 12:25:46,577 LDAP        (INFO   ): password_sync: update krb5PasswordEnd to 20180707000000Z for uid=fb1,cn=users,dc=w2k12,dc=test
08.05.2018 12:25:46,578 LDAP        (INFO   ): password_sync: sambaPwdLastSet in modlist (replace): 1525775143

univention-ad-connector - d693c27be2fc54122fbe8aca53dba745086c6645
yaml - fab12338ae87116b6a87c034a598e2ddc79100db
Comment 4 Arvid Requate univentionstaff 2018-05-16 13:29:45 CEST
Looks good, advisory too.
Comment 5 Arvid Requate univentionstaff 2018-05-16 17:03:55 CEST