Bug 46126 - 60_umc/07_expired_password / 60_umc/105_change_expired_password_fail_reason are failing in UCS 4.3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Change password
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3
Assigned To: Jannik Ahlers
Arvid Requate
: interim-2
Depends on: 46067
Blocks:
Reported: 2018-01-23 23:15 CET by Florian Best
Modified: 2018-03-14 14:38 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Florian Best univentionstaff 2018-01-23 23:15:56 CET
[2018-01-21 23:40:16.965218] ### Preparation: set fresh complex password via UMC login password change dialog
(2018-01-21 23:40:18.843443) error 2018-01-21 23:40:18	 Unexpected output returned by UMC during password change: 401
(2018-01-21 23:40:18.844358) error 2018-01-21 23:40:18	 **************** Test failed above this line (110) ****************
Comment 1 Florian Best univentionstaff 2018-01-23 23:41:23 CET
The PAM stack of UMC doesn't detect an expired password anymore for a user with:
--set pwdChangeNextLogin=1 --set locked=posix.
Comment 2 Florian Best univentionstaff 2018-01-23 23:43:27 CET
/var/log/auth.log during trying to authenticate via UMC:

Jan 23 22:37:26 master110 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=foo
Jan 23 22:37:26 master110 kpasswdd[999]: Changing password for foo@DEV2.LOCAL
Jan 23 22:37:26 master110 kpasswdd[999]: <class 'univention.admin.uexceptions.pwalreadyused'>
Jan 23 22:37:26 master110 kpasswdd[999]: Changing password for foo@DEV2.LOCAL
Jan 23 22:37:26 master110 kpasswdd[999]: <class 'univention.admin.uexceptions.pwalreadyused'>
Jan 23 22:37:26 master110 python2.7: pam_krb5(univention-management-console:auth): authentication failure; logname=foo uid=0 euid=0 tty= ruser= rhost=
Comment 3 Florian Best univentionstaff 2018-01-24 00:10:44 CET
Let's see if "build-package-architecture-ng  -r 4.3 -p heimdal" on ladda helps.
libpam-heimdal ships pam_krb5.so, which was probably built before libpam-krb5 with the patch 001-fix-detection-of-expired-password.quilt. At least the build mails say so:
libpam-krb5 04.02.2018
heimdal 08.12.2017
Comment 4 Florian Best univentionstaff 2018-01-24 00:23:06 CET
Building heimdal failed :-/
Comment 5 Florian Best univentionstaff 2018-01-24 00:24:28 CET
4 tests in 60_umc/105_change_expired_password_fail_reason (on a system with Samba3) are also failing for the same reason.
Comment 6 Florian Best univentionstaff 2018-01-24 00:57:00 CET
When I downgrade the packages nothing changes:
apt install heimdal-clients=1.6~rc2+dfsg-9A~4.2.0.201707121211 libpam-heimdal=4.6-3+b1A~4.2.0.201706020740
Comment 7 Florian Best univentionstaff 2018-01-24 01:13:48 CET
60_umc/104_expired_password is also failing on Samba3 with the same error.
Comment 8 Florian Best univentionstaff 2018-01-24 10:26:32 CET
Rebuild of heimdal + libpam-krb5 did not help.
Comment 9 Florian Best univentionstaff 2018-01-24 11:50:50 CET
As 07_expired_password is failing every release I added more verbosity to it:

ucs-test (8.0.17-1)
3ff550e4624b | Bug #46126: enhance verbosity of 07_expired_password
Comment 10 Jannik Ahlers univentionstaff 2018-02-15 16:37:35 CET
The reason for the test to fail seems to be a defective curl statement in the test.
Comment 11 Arvid Requate univentionstaff 2018-02-15 17:10:22 CET
Ok, could you file a patch?
Comment 12 Jannik Ahlers univentionstaff 2018-02-16 15:51:03 CET
Successful build
Package: ucs-test
Version: 8.0.28-18A~4.3.0.201802161544
Branch: ucs_4.3-0
Scope: 
User: jahlers
Host: dimma.knut.univention.de

I repaired the test 60_umc/07_expired_password, I also already built it.
It still fails though, but this time probably due to a bug in ucs.
Changing of expired passwords seems to be broken, which is what both scripts test for.
Comment 13 Jannik Ahlers univentionstaff 2018-02-19 15:53:33 CET
root@ucs-4121:/usr/share/ucs-test/60_umc $ ./07_expired_password 
info 2018-02-19 15:51:42         create user jün2änht using udm-test users/user create --position=cn=users,dc=mydomain,dc=intranet --set username=jün2änht --set firstname=Max --set lastname=Muster --set organisation=firma.de_GmbH --set password=univention 
Object created: uid=jün2änht,cn=users,dc=mydomain,dc=intranet
### Preparation: Activate pwQualityCheck in policies/pwhistory
## Note: non-Samba4 DCs require this to activate univention.password.Check (for check_cracklib.py)
info 2018-02-19 15:51:43         EXECUTING: udm-test 'policies/pwhistory' modify --dn "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet" --set pwQualityCheck=TRUE
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet
info 2018-02-19 15:51:43         policies/pwhistory object default-settings modified
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits
### Preparation: simulate password expiry
info 2018-02-19 15:51:43         EXECUTING: udm-test 'users/user' modify --dn "uid=jün2änht,cn=users,dc=mydomain,dc=intranet" --set pwdChangeNextLogin=1
Object modified: uid=jün2änht,cn=users,dc=mydomain,dc=intranet
info 2018-02-19 15:51:43         users/user object jün2änht modified
debug 2018-02-19 15:51:44        Waiting for replication...
OK: replication complete (nid=3268 lid=3268)
info 2018-02-19 15:51:44         replication complete.
debug 2018-02-19 15:51:44        Waiting for postrun...
### Preparation: set fresh complex password via UMC login password change dialog
info 2018-02-19 15:52:01         Executing: curl -s -H 'Accept: application/json; q=1, */*' -H 'Accept-Language: en-US' --cookie-jar '/tmp/tmp.TugbL0fvn5' -H Content-Type:application/json -d {"options":{"username":"jün2änht","password":"univention","new_password":"Univention.1"}} http://localhost/univention/auth
info 2018-02-19 15:52:01         Response was: {"status": 401, "message": "Changing password failed. The entered password does not match the current one.", "traceback": null, "location": "http://localhost/univention/auth"}
error 2018-02-19 15:52:01        Unexpected output returned by UMC during password change: 401
error 2018-02-19 15:52:01        **************** Test failed above this line (110) ****************
Unsetting password/quality/credit/lower
Unsetting password/quality/credit/upper
Unsetting password/quality/credit/other
Unsetting password/quality/credit/digits
info 2018-02-19 15:52:01         EXECUTING: udm-test 'policies/pwhistory' modify --dn "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet" --remove pwQualityCheck
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet
info 2018-02-19 15:52:02         policies/pwhistory object default-settings modified
info 2018-02-19 15:52:02         remove user jün2änht
Object removed: uid=jün2änht,cn=users,dc=mydomain,dc=intranet
debug 2018-02-19 15:52:02        user jün2änht removed
info 2018-02-19 15:52:02         checking whether the user jün2änht is really removed
debug 2018-02-19 15:52:02        user jün2änht does not exist
Starting 1 ucs-test at 2018-02-19 15:52:02 to /dev/null
UCS 4.3-0-e0 ucs-test 8.0.28-19A~4.3.0.201802181157
Change of expired password at UMC logon (with password complexity)......................................................................................................... Test failed


Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:account): expired password for user jün2änht (password aged)
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:chauthtok): user "jün2änht" does not exist in /etc/passwd
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: entry (prelim)
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jün2änht) attempting authentication as jün2änht@MYDOMAIN.INTRANET for kadmin/changepw
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jün2änht) krb5_get_init_creds_password: KDC policy rejects request
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: exit (failure)
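To triage a failure chain like the auth.log excerpt above, here is an added helper (example code, not part of ucs-test or UCS) that groups the PAM lines of the UMC service per user and names what each line means for the password change; the sample log is the excerpt from this comment, and the finding labels are my own wording.

```python
import re

# Constructed sample: the auth.log lines quoted in comment 13 of this bug.
SAMPLE_AUTH_LOG = """\
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:account): expired password for user jün2änht (password aged)
Feb 19 15:52:01 ucs-4121 python2.7: pam_unix(univention-management-console:chauthtok): user "jün2änht" does not exist in /etc/passwd
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: entry (prelim)
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jün2änht) attempting authentication as jün2änht@MYDOMAIN.INTRANET for kadmin/changepw
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): (user jün2änht) krb5_get_init_creds_password: KDC policy rejects request
Feb 19 15:52:01 ucs-4121 python2.7: pam_krb5(univention-management-console:chauthtok): pam_sm_chauthtok: exit (failure)
"""

# One syslog line written by a PAM module: "<module>(<service>:<stage>): <message>"
PAM_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: '
    r'(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<stage>\w+)\): (?P<msg>.*)$')
# Ways the user name appears in the pam_unix / pam_krb5 messages above.
USER_PATTERNS = [re.compile(p) for p in (r'\(user ([^)]+)\)', r'user "([^"]+)"', r'\buser (\S+)')]
# Message fragments that explain the failed change (labels are mine, not UCS's).
FINDINGS = (
    ('expired password', 'password expired (pam_unix account stage)'),
    ('does not exist in /etc/passwd', 'not a local account; pam_unix cannot change it'),
    ('KDC policy rejects request', 'KDC refused the change (here: the test had locked the account)'),
    ('pam_sm_chauthtok: exit (failure)', 'pam_krb5 password change failed'),
)


def _user_of(msg):
    for pattern in USER_PATTERNS:
        hit = pattern.search(msg)
        if hit:
            return hit.group(1)
    return None


def summarize_umc_chauthtok(log_text, service='univention-management-console'):
    """Group the PAM lines of one service by user and list the findings per user."""
    result, last_user = {}, None
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m or m.group('service') != service:
            continue
        # pam_krb5's entry/exit lines name no user: attribute them to the last one seen.
        user = _user_of(m.group('msg')) or last_user
        if user is None:
            continue
        last_user = user
        entry = result.setdefault(user, {'stages': [], 'findings': []})
        entry['stages'].append(m.group('module') + ':' + m.group('stage'))
        entry['findings'].extend(why for needle, why in FINDINGS if needle in m.group('msg'))
    return result
```

Feed it `open('/var/log/auth.log').read()` to get the same per-user summary for a live system.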
Comment 14 Jannik Ahlers univentionstaff 2018-02-19 16:04:09 CET
Changing the password in UMC seems to work now, but dictionary words are allowed for some reason (see bug 46131). Also the 'change password on next login' option does not reset after changing the password.
Bug 46171 seems similar as well.
Comment 15 Arvid Requate univentionstaff 2018-02-19 21:36:15 CET
I fixed 07_expired_password, which constantly failed because the reporter of this bug explicitly locked the generated test account (commit 3f4bdc3d12). After that password changes via UMC don't work any more, because the account cannot authenticate any longer for the period of lockout. Samba by default has a "Account lockout duration" of 0, which means "forever" (MS AD seems to default to 1800 seconds).

The other two tests work for me (UCS 4.3 Master with Samba/AD):

60_umc/104_expired_password.py -f
60_umc/105_change_expired_password_fail_reason.py -f
Comment 16 Arvid Requate univentionstaff 2018-02-19 23:32:07 CET
Ok, I also can reproduce that 104_expired_password.py fails on a non-Samba UCS Master (and probably the 105_* check too). Strange stuff. After quite a bit of fruitless debugging I've asked Florian for advice. Somehow the password change doesn't remove the pwdChangeNextLogin=1 property (I guess that's backed by the LDAP attribute sambaPwdLastSet). I don't even see any users/user code getting executed for the UMC password change -- yet the password *is* changed.

On a Samba/AD Master it simply works, I guess the S4-Connector sets that attribute to some useful value in that case.
Comment 17 Felix Botner univentionstaff 2018-02-21 12:30:12 CET
fixed 105_change_expired_password_fail_reason.py e98850bfacefc034dfd57da0882ee1afbb50797a

the fixture enabled_password_quality_checks (which enables univentionPWQualityCheck) has not been executed and therefore the REASON_DICTIONARY failed
Comment 18 Jannik Ahlers univentionstaff 2018-02-22 13:59:56 CET
Both tests seem to work now. They both passed all recent jenkins tests and my manual tests both with and without samba.
Comment 19 Arvid Requate univentionstaff 2018-02-27 15:24:33 CET
Commit e98850bfacefc034dfd57da0882ee1afbb50797a also removed these UCR settings:

handler_set(['password/quality/credit/lower=1', 'password/quality/credit/upper=1', 'password/quality/credit/other=1', 'password/quality/credit/digits=1'])
Comment 20 Felix Botner univentionstaff 2018-02-28 09:12:17 CET
(In reply to Arvid Requate from comment #19)
> Commit e98850bfacefc034dfd57da0882ee1afbb50797a also removed these UCR
> settings:
> 
> handler_set(['password/quality/credit/lower=1',
> 'password/quality/credit/upper=1', 'password/quality/credit/other=1',
> 'password/quality/credit/digits=1'])

this handler_set stuff was in the fixture enabled_password_quality_checks(), but the fixture itself wasn't used (in 4.2-3 and before the e98850bfacefc034dfd57da0882ee1afbb50797a change)

so we removed something that wasn't used and apparently has no effect on the test (the test itself has not been modified), I think that is ok
Comment 21 Arvid Requate univentionstaff 2018-02-28 13:13:04 CET
Ah, ok.
Comment 22 Stefan Gohmann univentionstaff 2018-03-14 14:38:26 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".