Bug 46387 - 4.3 master + 4.2 backup with s4 connector - pwdChangeNextLogin handling incorrect
4.3 master + 4.2 backup with s4 connector - pwdChangeNextLogin handling incor...
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.3
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Samba maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-23 15:37 CET by Felix Botner
Modified: 2021-05-14 16:34 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2018-02-23 15:37:02 CET
master 4.3

-> udm users/user create --set lastname=test1 --set password=univention --set username=test1 --set pwdChangeNextLogin=1

-> kinit test1
test1@FOUR.TWO's Password: 
Password has expired
Your password will expire at Thu Jan  1 01:00:00 1970

Changing password
New password:

backup 4.2 with s4 connector

-> kinit test1
test1@FOUR.TWO's Password: 
kinit: krb5_get_init_creds: Password has expired

-> su test1
Sie müssen Ihr Passwort sofort ändern (Passwortablauf).
su: Authentifizierungstoken ist nicht mehr gültig; neues erforderlich
(Ignoriert)


I would expect the kinit on the backup to ask for a new password.
Comment 1 Felix Botner univentionstaff 2018-02-23 15:38:20 CET
i think this is relevant for ucs@school

s4 ldif
# record 1
dn: CN=test1,DC=four,DC=two
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
sn: test1
instanceType: 4
whenCreated: 20180223143304.0Z
displayName: test1
uSNCreated: 3872
name: test1
objectGUID: 8620e05c-8026-4510-8756-c2cc6b4f7ec9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-3006362628-2186033213-1690935345-1112
accountExpires: 9223372036854775807
sAMAccountName: test1
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=four,DC=two
userAccountControl: 512
userPrincipalName: test1@FOUR.TWO
lockoutTime: 0
lastLogonTimestamp: 131638699882798130
whenChanged: 20180223143308.0Z
uSNChanged: 3875
lastLogon: 131638701043178900
logonCount: 2
distinguishedName: CN=test1,DC=four,DC=two


openldap:
dn: uid=test1,dc=four,dc=two
uid: test1
krb5PrincipalName: test1@FOUR.TWO
objectClass: krb5KDCEntry
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2010
sambaAcctFlags: [U          ]
shadowMax: 1
sambaBadPasswordCount: 0
krb5MaxLife: 86400
shadowLastChange: 17583
cn: test1
krb5PasswordEnd: 20180223000000Z
userPassword:: e2NyeXB0fSQ2JDFFbUwuMFRBTWtkT0ROV28kdkliNU8zWWU0T0I5ZWhNMXJodFN
 tLnY4UzBHRUxqN0dZY1hTZFlSOWV2RTZjSXdmV3dqRUJ1RkZlREY4Mlp2OTIuMkxGNndmb25NSThP
 a1lMVW5lbC4=
krb5Key:: MDehGzAZoAMCARehEgQQyqEjnUTaft+Sa8459cZdD6IYMBagAwIBA6EPBA1GT1VSLlRX
 T3Rlc3Qx
krb5Key:: MC+hEzARoAMCAQKhCgQIW5Jd6pFG2iCiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5Key:: MDehGzAZoAMCARGhEgQQNxFH5ukr1g0K0aNyLPgO1KIYMBagAwIBA6EPBA1GT1VSLlRX
 T3Rlc3Qx
krb5Key:: MC+hEzARoAMCAQOhCgQIW5Jd6pFG2iCiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5Key:: MEehKzApoAMCARKhIgQgfDQjqOxGAsLLxyAvUFdK8zBwbg4P1rChBIcIENWc+ASiGDAW
 oAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5Key:: MD+hIzAhoAMCARChGgQYQ6sZ49PW2V73q/gO77xAL9/ZDcEsKQi6ohgwFqADAgEDoQ8E
 DUZPVVIuVFdPdGVzdDE=
krb5Key:: MC+hEzARoAMCAQGhCgQIW5Jd6pFG2iCiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0MQ==
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
sambaBadPasswordTime: 0
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 0
sambaPasswordHistory: 4568E62BE71F0AC9D3A545859C0B79281964ED5F7B1CB6CCEE9D174C
 D34BDDF6
sambaNTPassword: CAA1239D44DA7EDF926BCE39F5C65D0F
displayName: test1
gecos: test1
sn: test1
pwhistory: $6$5zg1OqH0BS8Ub9p4$AknfClhjopFpaTGzCffdKbX2NSHL58tG/4UkR/2CfBl7Dtr
 b5o7voFXqrjgIIrbxk/3uh7VPWpcvV3N3LSAuf.
homeDirectory: /home/test1
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-513
sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1112
Comment 2 Felix Botner univentionstaff 2018-02-23 15:40:26 CET
disabled=1 seems to work

master
-> udm users/user create --set lastname=test3 --set password=univention --set username=test3 --set disabled=1

backup
-> kinit test3
test3@FOUR.TWO's Password: 
kinit: krb5_get_init_creds: Clients credentials have been revoked
Comment 3 Felix Botner univentionstaff 2018-02-26 11:20:27 CET
just tested with a windows 7 client, created a user with pwdChangeNextLogin=1 and despite

-> kinit test3
test3@FOUR.TWO's Password: 
kinit: krb5_get_init_creds: Password has expired

the windows logon asks for a new password (because the password is expired).

So everything ok.
Comment 4 Felix Botner univentionstaff 2018-02-26 11:45:37 CET
But, creating a user on the old backup with 

-> samba-tool user create test4 --must-change-at-next-login

does not result in a "passwordexpiry=1" user on the new master.


-> udm users/user list --filter username=test4| grep -i pwdCh
  pwdChangeNextLogin: None

# s4 object
dn: CN=test4,CN=Users,DC=four,DC=two
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test4
instanceType: 4
whenCreated: 20180223211615.0Z
uSNCreated: 3920
name: test4
objectGUID: ac9faf25-0eaf-4d51-a2a1-fc26e2a2f131
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3006362628-2186033213-1690935345-1116
accountExpires: 9223372036854775807
sAMAccountName: test4
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=four,DC=two
pwdLastSet: 0
userAccountControl: 512
displayName: none
sn: none
userPrincipalName: test4@FOUR.TWO
lastLogonTimestamp: 131638944194995190
whenChanged: 20180223212019.0Z
uSNChanged: 3926
lastLogon: 131638947834121000
logonCount: 3
distinguishedName: CN=test4,CN=Users,DC=four,DC=two


# ucs
dn: uid=test4,cn=users,dc=four,dc=two
uid: test4
krb5PrincipalName: test4@FOUR.TWO
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: posixAccount
uidNumber: 2014
sambaAcctFlags: [U          ]
sambaPasswordHistory: 30F22179178C233E2B0EFE6479B4962152CD1E918FC9B808671471A5
 3DA99D66
krb5MaxLife: 86400
cn: none
krb5MaxRenew: 604800
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
displayName: none
sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1116
gecos: none
sn: none
pwhistory: $6$xoCJaGu0aH0q4C7K$8f2nHTxNfVf1t.3oRVuUNXddFKR1AcekWCqMGopS7Zxu40O
 PMiC3uMWYpuy4kdOBhjYXdNfwvUD2tnIIwZ6Z/1
homeDirectory: /home/test4
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-513
sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
krb5Key:: MEehKzApoAMCARKhIgQgg7+DFZiUYTSPXE4OQQ1Jq4hpEW2o/ngFpCrmZ/VXzFiiGDAW
 oAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
krb5Key:: MDehGzAZoAMCARGhEgQQZHbumPc+sWexqq13Bt/VTqIYMBagAwIBA6EPBA1GT1VSLlRX
 T3Rlc3Q0
krb5Key:: MC+hEzARoAMCAQOhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
krb5Key:: MC+hEzARoAMCAQGhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
krb5KeyVersionNumber: 2
userPassword:: e0s1S0VZfQ==
shadowLastChange: 17585
sambaPwdLastSet: 0
sambaPwdMustChange: 0


i think shadowLastChange=0 is missing
Comment 5 Stefan Gohmann univentionstaff 2018-02-26 16:37:30 CET
(In reply to Felix Botner from comment #4)
> But, creating a user on the old backup with 
> 
> -> samba-tool user create test4 --must-change-at-next-login
> 
> does not result in a "passwordexpiry=1" user on the new master.
> 
> 
> -> udm users/user list --filter username=test4| grep -i pwdCh
>   pwdChangeNextLogin: None
> 
> # s4 object
> dn: CN=test4,CN=Users,DC=four,DC=two
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: test4
> instanceType: 4
> whenCreated: 20180223211615.0Z
> uSNCreated: 3920
> name: test4
> objectGUID: ac9faf25-0eaf-4d51-a2a1-fc26e2a2f131
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3006362628-2186033213-1690935345-1116
> accountExpires: 9223372036854775807
> sAMAccountName: test4
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=four,DC=two
> pwdLastSet: 0
> userAccountControl: 512
> displayName: none
> sn: none
> userPrincipalName: test4@FOUR.TWO
> lastLogonTimestamp: 131638944194995190
> whenChanged: 20180223212019.0Z
> uSNChanged: 3926
> lastLogon: 131638947834121000
> logonCount: 3
> distinguishedName: CN=test4,CN=Users,DC=four,DC=two
> 
> 
> # ucs
> dn: uid=test4,cn=users,dc=four,dc=two
> uid: test4
> krb5PrincipalName: test4@FOUR.TWO
> objectClass: krb5KDCEntry
> objectClass: person
> objectClass: automount
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: organizationalPerson
> objectClass: univentionPWHistory
> objectClass: univentionMail
> objectClass: univentionObject
> objectClass: shadowAccount
> objectClass: krb5Principal
> objectClass: posixAccount
> uidNumber: 2014
> sambaAcctFlags: [U          ]
> sambaPasswordHistory:
> 30F22179178C233E2B0EFE6479B4962152CD1E918FC9B808671471A5
>  3DA99D66
> krb5MaxLife: 86400
> cn: none
> krb5MaxRenew: 604800
> loginShell: /bin/bash
> univentionObjectType: users/user
> krb5KDCFlags: 126
> displayName: none
> sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1116
> gecos: none
> sn: none
> pwhistory:
> $6$xoCJaGu0aH0q4C7K$8f2nHTxNfVf1t.3oRVuUNXddFKR1AcekWCqMGopS7Zxu40O
>  PMiC3uMWYpuy4kdOBhjYXdNfwvUD2tnIIwZ6Z/1
> homeDirectory: /home/test4
> gidNumber: 5001
> sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-513
> sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
> krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
> krb5Key::
> MEehKzApoAMCARKhIgQgg7+DFZiUYTSPXE4OQQ1Jq4hpEW2o/ngFpCrmZ/VXzFiiGDAW
>  oAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
> krb5Key::
> MDehGzAZoAMCARGhEgQQZHbumPc+sWexqq13Bt/VTqIYMBagAwIBA6EPBA1GT1VSLlRX
>  T3Rlc3Q0
> krb5Key::
> MC+hEzARoAMCAQOhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
> krb5Key::
> MC+hEzARoAMCAQGhCgQIRfTcYVQO44CiGDAWoAMCAQOhDwQNRk9VUi5UV090ZXN0NA==
> krb5KeyVersionNumber: 2
> userPassword:: e0s1S0VZfQ==
> shadowLastChange: 17585
> sambaPwdLastSet: 0
> sambaPwdMustChange: 0
> 
> 
> i think shadowLastChange=0 is missing

Yes, we should consider to change it. Since it is the same behavior as in UCS 4.2, we move it to a later point.

UCS 4.2:
root@master421:~# samba-tool user create testuser Univention.99 --must-change-at-next-login 
User 'testuser' created successfully
root@master421:~# kinit testuser
testuser@DEADLOCK42.INTRANET's Password: 
kinit: krb5_get_init_creds: Password has expired
root@master421:~# udm users/user list --filter uid=testuser  | grep -i pwd
  pwdChangeNextLogin: None
root@master421:~#
Comment 6 Ingo Steuwer univentionstaff 2021-05-14 15:43:27 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.