Univention Bugzilla – Bug 46387
4.3 master + 4.2 backup with s4 connector - pwdChangeNextLogin handling incorrect
Last modified: 2021-05-14 16:34:53 CEST
master 4.3:

-> udm users/user create --set lastname=test1 --set password=univention --set username=test1 --set pwdChangeNextLogin=1

-> kinit test1
test1@FOUR.TWO's Password:
Password has expired
Your password will expire at Thu Jan 1 01:00:00 1970
Changing password
New password:

backup 4.2 with s4 connector:

-> kinit test1
test1@FOUR.TWO's Password:
kinit: krb5_get_init_creds: Password has expired

-> su test1
You must change your password immediately (password expired).
su: Authentication token is no longer valid; new one required (Ignored)

I would expect the kinit on the backup to ask for a new password.
I think this is relevant for UCS@school.

s4 ldif:

# record 1
dn: CN=test1,DC=four,DC=two
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
sn: test1
instanceType: 4
whenCreated: 20180223143304.0Z
displayName: test1
uSNCreated: 3872
name: test1
objectGUID: 8620e05c-8026-4510-8756-c2cc6b4f7ec9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-3006362628-2186033213-1690935345-1112
accountExpires: 9223372036854775807
sAMAccountName: test1
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=four,DC=two
userAccountControl: 512
userPrincipalName: test1@FOUR.TWO
lockoutTime: 0
lastLogonTimestamp: 131638699882798130
whenChanged: 20180223143308.0Z
uSNChanged: 3875
lastLogon: 131638701043178900
logonCount: 2
distinguishedName: CN=test1,DC=four,DC=two

openldap:

dn: uid=test1,dc=four,dc=two
uid: test1
krb5PrincipalName: test1@FOUR.TWO
objectClass: krb5KDCEntry
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2010
sambaAcctFlags: [U ]
shadowMax: 1
sambaBadPasswordCount: 0
krb5MaxLife: 86400
shadowLastChange: 17583
cn: test1
krb5PasswordEnd: 20180223000000Z
userPassword:: e2NyeXB0fSQ2JDFFbUwuMFRBTWtkT0ROV28kdkliNU8zWWU0T0I5ZWhNMXJodFN
 tLnY4UzBHRUxqN0dZY1hTZFlSOWV2RTZjSXdmV3dqRUJ1RkZlREY4Mlp2OTIuMkxGNndmb25NSThP
 a1lMVW5lbC4=
krb5Key:: MDehGzAZoAMCARehEgQQyqEjnUTaft+Sa8459cZdD6IYMBagAwIBA6EPBA1GT1VSLlRX
 T3Rlc3Qx
krb5Key:: MC+hEzARoAMCAQKhCgQIW5Jd6pFG2iCiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5Key:: MDehGzAZoAMCARGhEgQQNxFH5ukr1g0K0aNyLPgO1KIYMBagAwIBA6EPBA1GT1VSLlRX
 T3Rlc3Qx
krb5Key:: MC+hEzARoAMCAQOhCgQIW5Jd6pFG2iCiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5Key:: MEehKzApoAMCARKhIgQgfDQjqOxGAsLLxyAvUFdK8zBwbg4P1rChBIcIENWc+ASiGDAW
 oAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5Key:: MD+hIzAhoAMCARChGgQYQ6sZ49PW2V73q/gO77xAL9/ZDcEsKQi6ohgwFqADAgEDoQ8E
 DUZPVVIuVFdPdGVzdDE=
krb5Key:: MC+hEzARoAMCAQGhCgQIW5Jd6pFG2iCiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
sambaBadPasswordTime: 0
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 0
sambaPasswordHistory: 4568E62BE71F0AC9D3A545859C0B79281964ED5F7B1CB6CCEE9D174C
 D34BDDF6
sambaNTPassword: CAA1239D44DA7EDF926BCE39F5C65D0F
displayName: test1
gecos: test1
sn: test1
pwhistory: $6$5zg1OqH0BS8Ub9p4$AknfClhjopFpaTGzCffdKbX2NSHL58tG/4UkR/2CfBl7Dtr
 b5o7voFXqrjgIIrbxk/3uh7VPWpcvV3N3LSAuf.
homeDirectory: /home/test1
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-513
sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1112
disabled=1 seems to work.

master:

-> udm users/user create --set lastname=test3 --set password=univention --set username=test3 --set disabled=1

backup:

-> kinit test3
test3@FOUR.TWO's Password:
kinit: krb5_get_init_creds: Clients credentials have been revoked
Just tested with a Windows 7 client: created a user with pwdChangeNextLogin=1, and despite

-> kinit test3
test3@FOUR.TWO's Password:
kinit: krb5_get_init_creds: Password has expired

the Windows logon asks for a new password (because the password is expired). So everything is OK.
But creating a user on the old backup with

-> samba-tool user create test4 --must-change-at-next-login

does not result in a "passwordexpiry=1" user on the new master.

-> udm users/user list --filter username=test4 | grep -i pwdCh
pwdChangeNextLogin: None

# s4 object
dn: CN=test4,CN=Users,DC=four,DC=two
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test4
instanceType: 4
whenCreated: 20180223211615.0Z
uSNCreated: 3920
name: test4
objectGUID: ac9faf25-0eaf-4d51-a2a1-fc26e2a2f131
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3006362628-2186033213-1690935345-1116
accountExpires: 9223372036854775807
sAMAccountName: test4
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=four,DC=two
pwdLastSet: 0
userAccountControl: 512
displayName: none
sn: none
userPrincipalName: test4@FOUR.TWO
lastLogonTimestamp: 131638944194995190
whenChanged: 20180223212019.0Z
uSNChanged: 3926
lastLogon: 131638947834121000
logonCount: 3
distinguishedName: CN=test4,CN=Users,DC=four,DC=two

# ucs
dn: uid=test4,cn=users,dc=four,dc=two
uid: test4
krb5PrincipalName: test4@FOUR.TWO
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: posixAccount
uidNumber: 2014
sambaAcctFlags: [U ]
sambaPasswordHistory: 30F22179178C233E2B0EFE6479B4962152CD1E918FC9B808671471A5
 3DA99D66
krb5MaxLife: 86400
cn: none
krb5MaxRenew: 604800
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
displayName: none
sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1116
gecos: none
sn: none
pwhistory: $6$xoCJaGu0aH0q4C7K$8f2nHTxNfVf1t.3oRVuUNXddFKR1AcekWCqMGopS7Zxu40O
 PMiC3uMWYpuy4kdOBhjYXdNfwvUD2tnIIwZ6Z/1
homeDirectory: /home/test4
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-513
sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
krb5Key:: MEehKzApoAMCARKhIgQgg7+DFZiUYTSPXE4OQQ1Jq4hpEW2o/ngFpCrmZ/VXzFiiGDAW
 oAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
krb5Key:: MDehGzAZoAMCARGhEgQQZHbumPc+sWexqq13Bt/VTqIYMBagAwIBA6EPBA1GT1VSLlRX
 T3Rlc3Q0
krb5Key:: MC+hEzARoAMCAQOhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
krb5Key:: MC+hEzARoAMCAQGhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
krb5KeyVersionNumber: 2
userPassword:: e0s1S0VZfQ==
shadowLastChange: 17585
sambaPwdLastSet: 0
sambaPwdMustChange: 0

I think shadowLastChange=0 is missing.
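The two comments above show the same fact in two directories: on the Samba 4 side both test1 and test4 carry pwdLastSet: 0, while on the OpenLDAP side only the UDM-created test1 has shadowMax, krb5PasswordEnd and a shadowLastChange in the past. The checker below is an added example (not Univention code, not part of this bug report) that parses trimmed copies of those LDIF records, evaluates both sides and reports where they disagree. How it reads the attributes is an assumption derived from the dumps in this bug, not from the UDM or S4 connector sources; the sample records and the timestamp are constructed from the values quoted above.

```python
import base64
import re
from datetime import date, datetime, timezone

# Added example, not Univention code.  The sample records are trimmed from the
# LDIF dumps in this bug report; how the attributes are interpreted below is an
# assumption drawn from those dumps, not from the UDM or S4 connector sources.

_ATTR = re.compile(r'^([A-Za-z][\w;-]*)(::?)\s*(.*)$')


def parse_ldif(text):
    """Parse one LDIF record into {attr: [values]}.

    Folded lines (leading space, RFC 2849) are joined first; '::' values are
    base64 and come back as bytes, plain ':' values as str.
    """
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        m = _ATTR.match(line)
        if not m:
            raise ValueError('not an LDIF attribute line: %r' % line)
        attr, sep, value = m.groups()
        entry.setdefault(attr, []).append(
            base64.b64decode(value) if sep == '::' else value)
    return entry


def _first(entry, attr, default=None):
    values = entry.get(attr)
    return values[0] if values else default


def s4_must_change(s4):
    """AD/Samba semantics: pwdLastSet == 0 forces a change at next logon."""
    return _first(s4, 'pwdLastSet') == '0'


def openldap_markers(ldap, now):
    """Expiry markers on the UCS side, as seen in this report.

    The UDM-created user (test1, pwdChangeNextLogin=1) carries shadowMax=1
    with a shadowLastChange two days back, krb5PasswordEnd at today's date
    and sambaPwdLastSet=0.  The connector-created user (test4) only has
    sambaPwdLastSet=0 and UDM reports pwdChangeNextLogin: None for it, so
    sambaPwdLastSet alone is not counted as must-change here (heuristic).
    """
    today_days = (now.date() - date(1970, 1, 1)).days
    shadow_max = int(_first(ldap, 'shadowMax', '0'))
    shadow_last = int(_first(ldap, 'shadowLastChange', '0'))
    shadow_expired = shadow_max > 0 and shadow_last + shadow_max < today_days

    krb5_expired = False
    krb5_end = _first(ldap, 'krb5PasswordEnd')
    if krb5_end:
        end = datetime.strptime(krb5_end, '%Y%m%d%H%M%SZ')
        krb5_expired = end.replace(tzinfo=timezone.utc) <= now

    return {
        'shadow_expired': shadow_expired,
        'krb5_expired': krb5_expired,
        'samba_pwd_last_set_zero': _first(ldap, 'sambaPwdLastSet') == '0',
        'must_change': shadow_expired or krb5_expired,
    }


def compare(s4_text, ldap_text, now):
    """Both sides' verdicts for one user, plus whether they agree."""
    s4, ldap = parse_ldif(s4_text), parse_ldif(ldap_text)
    s4_flag = s4_must_change(s4)
    markers = openldap_markers(ldap, now)
    return {'user': _first(s4, 'sAMAccountName'),
            's4_must_change': s4_flag,
            'openldap': markers,
            'consistent': s4_flag == markers['must_change']}


# Constructed sample input: trimmed copies of the entries quoted in this bug.
TEST1_S4 = "dn: CN=test1,DC=four,DC=two\nsAMAccountName: test1\npwdLastSet: 0\n"
TEST1_LDAP = """dn: uid=test1,dc=four,dc=two
shadowMax: 1
shadowLastChange: 17583
krb5PasswordEnd: 20180223000000Z
sambaPwdLastSet: 0
userPassword:: e2NyeXB0fSQ2JDFFbUwuMFRBTWtkT0ROV28kdkliNU8zWWU0T0I5ZWhNMXJodFN
 tLnY4UzBHRUxqN0dZY1hTZFlSOWV2RTZjSXdmV3dqRUJ1RkZlREY4Mlp2OTIuMkxGNndmb25NSThP
 a1lMVW5lbC4=
"""
TEST4_S4 = "dn: CN=test4,CN=Users,DC=four,DC=two\nsAMAccountName: test4\npwdLastSet: 0\n"
TEST4_LDAP = """dn: uid=test4,cn=users,dc=four,dc=two
shadowLastChange: 17585
sambaPwdLastSet: 0
sambaPwdMustChange: 0
userPassword:: e0s1S0VZfQ==
"""
NOW = datetime(2018, 2, 23, 21, 30, tzinfo=timezone.utc)  # date of the dumps

if __name__ == '__main__':
    for s4, ldap in ((TEST1_S4, TEST1_LDAP), (TEST4_S4, TEST4_LDAP)):
        r = compare(s4, ldap, NOW)
        print('%s: S4=%s OpenLDAP=%s -> %s' % (
            r['user'], r['s4_must_change'], r['openldap']['must_change'],
            'consistent' if r['consistent'] else 'MISMATCH'))
```

Run against the two samples, test1 comes out consistent and test4 as a mismatch: Samba says the password must be changed, the UCS entry has no marker UDM would turn into pwdChangeNextLogin=1. Against a live system you would feed it the output of ldbsearch on the S4 side and univention-ldapsearch on the OpenLDAP side for the same user.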
(In reply to Felix Botner from comment #4)
> But, creating a user on the old backup with
>
> -> samba-tool user create test4 --must-change-at-next-login
>
> does not result in a "passwordexpiry=1" user on the new master.
>
>
> -> udm users/user list --filter username=test4| grep -i pwdCh
> pwdChangeNextLogin: None
>
> # s4 object
> dn: CN=test4,CN=Users,DC=four,DC=two
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: test4
> instanceType: 4
> whenCreated: 20180223211615.0Z
> uSNCreated: 3920
> name: test4
> objectGUID: ac9faf25-0eaf-4d51-a2a1-fc26e2a2f131
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3006362628-2186033213-1690935345-1116
> accountExpires: 9223372036854775807
> sAMAccountName: test4
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=four,DC=two
> pwdLastSet: 0
> userAccountControl: 512
> displayName: none
> sn: none
> userPrincipalName: test4@FOUR.TWO
> lastLogonTimestamp: 131638944194995190
> whenChanged: 20180223212019.0Z
> uSNChanged: 3926
> lastLogon: 131638947834121000
> logonCount: 3
> distinguishedName: CN=test4,CN=Users,DC=four,DC=two
>
>
> # ucs
> dn: uid=test4,cn=users,dc=four,dc=two
> uid: test4
> krb5PrincipalName: test4@FOUR.TWO
> objectClass: krb5KDCEntry
> objectClass: person
> objectClass: automount
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: organizationalPerson
> objectClass: univentionPWHistory
> objectClass: univentionMail
> objectClass: univentionObject
> objectClass: shadowAccount
> objectClass: krb5Principal
> objectClass: posixAccount
> uidNumber: 2014
> sambaAcctFlags: [U ]
> sambaPasswordHistory:
>  30F22179178C233E2B0EFE6479B4962152CD1E918FC9B808671471A5
>  3DA99D66
> krb5MaxLife: 86400
> cn: none
> krb5MaxRenew: 604800
> loginShell: /bin/bash
> univentionObjectType: users/user
> krb5KDCFlags: 126
> displayName: none
> sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1116
> gecos: none
> sn: none
> pwhistory:
>  $6$xoCJaGu0aH0q4C7K$8f2nHTxNfVf1t.3oRVuUNXddFKR1AcekWCqMGopS7Zxu40O
>  PMiC3uMWYpuy4kdOBhjYXdNfwvUD2tnIIwZ6Z/1
> homeDirectory: /home/test4
> gidNumber: 5001
> sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-513
> sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
> krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
> krb5Key::
>  MEehKzApoAMCARKhIgQgg7+DFZiUYTSPXE4OQQ1Jq4hpEW2o/ngFpCrmZ/VXzFiiGDAW
>  oAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
> krb5Key::
>  MDehGzAZoAMCARGhEgQQZHbumPc+sWexqq13Bt/VTqIYMBagAwIBA6EPBA1GT1VSLlRX
>  T3Rlc3Q0
> krb5Key::
>  MC+hEzARoAMCAQOhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
> krb5Key::
>  MC+hEzARoAMCAQGhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
> krb5KeyVersionNumber: 2
> userPassword:: e0s1S0VZfQ==
> shadowLastChange: 17585
> sambaPwdLastSet: 0
> sambaPwdMustChange: 0
>
>
> i think shadowLastChange=0 is missing

Yes, we should consider changing it. Since it is the same behavior as in UCS 4.2, we move it to a later point.

UCS 4.2:

root@master421:~# samba-tool user create testuser Univention.99 --must-change-at-next-login
User 'testuser' created successfully
root@master421:~# kinit testuser
testuser@DEADLOCK42.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master421:~# udm users/user list --filter uid=testuser | grep -i pwd
pwdChangeNextLogin: None
root@master421:~#
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.