Bug 47391 - Password reset is not correctly synced from s4toucs if the same password is used again
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks: 47508
Reported: 2018-07-24 12:17 CEST by Nico Stöckigt
Modified: 2019-03-15 22:36 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018071821000328
Bug group (optional):
Max CVSS v3 score:


Attachments
listener.log (3.36 KB, text/x-log), 2018-07-24 12:54 CEST, Nico Stöckigt
directory-logger.log (3.55 KB, text/x-log), 2018-07-24 12:55 CEST, Nico Stöckigt
connector-s4.log (1.12 MB, text/x-log), 2018-07-24 12:55 CEST, Nico Stöckigt
connector-s4-fnc.log (1.20 MB, text/x-log), 2018-07-24 13:03 CEST, Nico Stöckigt
Bug47391_untested_proposal.patch (9.05 KB, patch), 2018-07-24 13:27 CEST, Arvid Requate
password.py.patch (2.07 KB, patch), 2018-08-08 12:32 CEST, Felix Botner

Description Nico Stöckigt univentionstaff 2018-07-24 12:17:22 CEST
When resetting a student's password one is forced to set a new one on next Win login. This all works like it should but for some reason the password reset is not synced back to LDAP.
The attributes 'shadowMax', 'sambaPwdLastSet' and 'shadowLastChange' do not correspond to the Samba/AD state. While in Samba/AD the user is good, it is still blocked/expired in LDAP. This only takes effect when using a service which uses LDAP for authentication.

The situation is easily reproducible with a UCS@school 4.3 v4 from scratch - see test environment:

  10.200.42.140 Master
  10.200.42.142 Slave (edu)
  10.200.42.139 Win7
Comment 1 Stefan Gohmann univentionstaff 2018-07-24 12:21:47 CEST
(In reply to Nico Stöckigt from comment #0)
> When resetting a student's password one is forced to set a new one on next
> Win login. This all works like it should but for some reason the password
> reset is not synced back to LDAP.

Do you set the same or a different password? Can you append the S4 connector logs (debug level 4)?
Comment 2 Nico Stöckigt univentionstaff 2018-07-24 12:36:18 CEST
I forgot to mention that the policy allows re-using the old password, so this behavior only occurs when the same password is re-entered.

See also bug#47370.
Comment 3 Stefan Gohmann univentionstaff 2018-07-24 12:50:15 CEST
(In reply to Nico Stöckigt from comment #2)
> I missed to mention that the policy allows to re-use the old password so
> this behavior only occurs when the same password is re-entered.

It is the default S4 connector behavior. I'm not sure if it can be changed since it is needed to prevent sync cycles.

Is the UCS@school password reset module used? In this case, the UMC module could set a random password.
Comment 4 Nico Stöckigt univentionstaff 2018-07-24 12:54:58 CEST
Created attachment 9604 [details]
listener.log
Comment 5 Nico Stöckigt univentionstaff 2018-07-24 12:55:25 CEST
Created attachment 9605 [details]
directory-logger.log
Comment 6 Nico Stöckigt univentionstaff 2018-07-24 12:55:43 CEST
Created attachment 9606 [details]
connector-s4.log
Comment 7 Nico Stöckigt univentionstaff 2018-07-24 13:03:55 CEST
Created attachment 9607 [details]
connector-s4-fnc.log
Comment 8 Arvid Requate univentionstaff 2018-07-24 13:26:43 CEST
connector-s4.log says at debug level 3:

=========================================================================
24.07.2018 12:46:07,722 LDAP        (INFO   ): The following attributes have been changed: ['pwdLastSet', 'whenChanged', 'uSNChanged']
[...]
24.07.2018 12:46:07,763 LDAP        (INFO   ): password_sync_s4_to_ucs: No password change to sync to UCS
=========================================================================

In that case nothing is synchronized. Attaching a patch proposal.
Comment 9 Arvid Requate univentionstaff 2018-07-24 13:27:15 CEST
Created attachment 9608 [details]
Bug47391_untested_proposal.patch
Comment 10 Stefan Gohmann univentionstaff 2018-07-27 06:25:03 CEST
(In reply to Stefan Gohmann from comment #3)
> Is the UCS@school password reset module used? In this case, the UMC module
> could set a random password.

That doesn't work since the old password must be used for the password change. I'll move it to the S4 connector.
Comment 11 Christina Scheinig univentionstaff 2018-08-02 10:06:36 CEST
The customer asked for an urgent fix. He needs this working until school begins next week.
Comment 12 Arvid Requate univentionstaff 2018-08-06 21:38:42 CEST
Ok, I've created a branch arequate/bug47391 and committed:

72590b05a2 | Preparation: use object time instead of system time
c537b235f8 | sync_to_ucs: sync pwdLastChange even if hash didn't change
01ec487dac | Refactor: move code block up for next commit
32c9cadca4 | Simplify the code a bit

The result is a cleaner patch series than what I attached to Comment 9.


I've tested the code manually by switching pwdLastSet to 0 and back to -1 via:

ldbedit -H /var/lib/samba/private/sam.ldb cn=user1 pwdLastSet

Please reopen after code review, then I'll adjust or merge to master branch.
Comment 13 Arvid Requate univentionstaff 2018-08-06 22:07:59 CEST
I've decided to merge the branch to see the Jenkins test results tomorrow.

6fab78c7ba | Merge branch 'arequate/bug47391' into 4.3-1
6826812b10 | debian/changelog
dd4b7bb2fe | Advisory

After that I've run "Publish UCS 4.3 errata test scopes to testing".
Comment 14 Felix Botner univentionstaff 2018-08-08 12:30:38 CEST
udm ... --set pwdChangeNextLogin=1  --set overridePWHistory=1 --set password=Univention.99


UCS:
dn: uid=test1,dc=four,dc=three
shadowMax: 1
shadowLastChange: 17748
sambaPwdLastSet: 0
krb5PasswordEnd: 20180807000000Z
Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781490681974960

(INFO   ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]
(INFO   ): password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): 0
(INFO   ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '17748', '0'), ('shadowMax', '1', None), ('krb5PasswordEnd', '20180807000000Z', None), ('sambaPwdMustChange', '', '0')]
(INFO   ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]

UCS:
dn: uid=test1,dc=four,dc=three
sambaPwdLastSet: 0
shadowLastChange: 0
sambaPwdMustChange: 0
Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 0

I guess the shadowMax/krb5PasswordEnd to None is wrong.


We have another bug in UDM which caused me some trouble during the test:

with a stopped connector

-> udm ... --set pwdChangeNextLogin=1  --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowMax: 1
shadowLastChange: 17748
sambaPwdLastSet: 0
krb5PasswordEnd: 20180807000000Z
Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781521134271370

and again

-> udm ... --set pwdChangeNextLogin=1  --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowLastChange: 17748
sambaPwdLastSet: 1533678716
Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781521134271370
Comment 15 Felix Botner univentionstaff 2018-08-08 12:32:14 CEST
Created attachment 9623 [details]
password.py.patch

patch for password.py regarding shadowMax and krb5PasswordEnd
Comment 16 Arvid Requate univentionstaff 2018-08-08 13:01:05 CEST
I've split off Comment 14 as Bug #47508. We both tested it and there are no real-life consequences currently, as UDM users/user checks shadowLastChange == 0 in addition to shadowMax.
Comment 17 Felix Botner univentionstaff 2018-08-08 13:24:26 CEST
OK - Jenkins
OK - samba-tool user setpassword  test1 same password

(INFO   ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '16750', '17750'), ('sambaPwdLastSet', '1533681306', '1533681353')]
(INFO   ): password_sync_ucs_to_s4: modlist: []

OK - via windows with pwdChangeNextLogin=1

(INFO   ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '16750', '0'), ('sambaPwdLastSet', '1533681353', '0'), ('sambaPwdMustChange', '', '0')]
(INFO   ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]

OK - pwchange during login on windows with same password

(INFO   ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '0', '17750'), ('sambaPwdLastSet', '0', '1533681623'), ('sambaPwdMustChange', '0', '')]
(INFO   ): password_sync_ucs_to_s4: modlist: []

OK - pwchange in windows different password

(INFO   ): password_sync_s4_to_ucs: modlist: [('sambaNTPassword', '40A0...', 'CE3...'), ('krb5Key', [...]), ('krb5KeyVersionNumber', '28', '33'), ('userPassword', '...'), ('sambaPwdLastSet', '1533681623', '1533681719')]
(INFO   ): password_sync_ucs_to_s4: modlist: []

OK - udm users/user modify  --dn uid=test1,dc=four,dc=three --set pwdChangeNextLogin=1  --set overridePWHistory=1 --set password=Univention.99

(INFO   ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '17748', '0'), ('shadowMax', '1', None), ('krb5PasswordEnd', '20180807000000Z', None), ('sambaPwdMustChange', '', '0')]
(INFO   ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]

udm users/user list --filter username=test1 | grep pwd

OK - YAML
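The following is an added illustrative model, not the S4 connector's own code, of the mechanism discussed in Comment 8, Comment 12 and Comment 17: how a Samba/AD pwdLastSet maps onto the UCS timestamp attributes, and why a sync that only fires on a changed password hash leaves the UCS side in the must-change state when the same password is re-entered. All sample values (hashes, object dicts) are constructed; the modlist shape follows the log lines quoted above.

```python
# Added illustrative model, not the S4 connector's code. Sample values are
# constructed; pwdLastSet and modlist shapes follow the log lines in this bug.

# Seconds between the AD FILETIME epoch (1601-01-01) and the Unix epoch.
EPOCH_DIFF = 11644473600


def filetime_to_unix(filetime):
    """Convert an AD pwdLastSet value (100 ns ticks since 1601) to Unix seconds."""
    return filetime // 10_000_000 - EPOCH_DIFF


def ucs_attrs_from_pwdlastset(pwd_last_set):
    """Derive the UCS LDAP timestamp attributes from a Samba/AD pwdLastSet.

    pwdLastSet == 0 means "must change password at next logon"; the modlists
    in this bug show that as shadowLastChange 0, sambaPwdLastSet 0 and
    sambaPwdMustChange 0. A real timestamp becomes Unix seconds and days.
    """
    if pwd_last_set == 0:
        return {'shadowLastChange': '0', 'sambaPwdLastSet': '0',
                'sambaPwdMustChange': '0'}
    unix = filetime_to_unix(pwd_last_set)
    return {'shadowLastChange': str(unix // 86400),
            'sambaPwdLastSet': str(unix), 'sambaPwdMustChange': ''}


def s4_to_ucs_modlist(s4_obj, ucs_obj, sync_time_without_hash_change):
    """Return the (attribute, old, new) modlist one S4->UCS pass would produce.

    With the flag False (behaviour before the fix) nothing is synced while the
    NT hash is unchanged, so a user who re-enters the same password at the
    forced change stays expired/must-change on the UCS side. With the flag
    True the timestamps are synced regardless of the hash.
    """
    hash_changed = s4_obj['unicodePwd'] != ucs_obj['sambaNTPassword']
    modlist = []
    if hash_changed:
        modlist.append(('sambaNTPassword', ucs_obj['sambaNTPassword'],
                        s4_obj['unicodePwd']))
    if hash_changed or sync_time_without_hash_change:
        for attr, new in ucs_attrs_from_pwdlastset(s4_obj['pwdLastSet']).items():
            old = ucs_obj.get(attr, '')
            if old != new:
                modlist.append((attr, old, new))
    return modlist


# Constructed sample: user re-used the same password at the forced change.
UCS_STALE = {'sambaNTPassword': '40A0', 'shadowLastChange': '0',
             'sambaPwdLastSet': '0', 'sambaPwdMustChange': '0'}
S4_AFTER_CHANGE = {'unicodePwd': '40A0', 'pwdLastSet': 131781490681974960}
```

With the flag False the stale object produces an empty modlist, which is the "No password change to sync to UCS" case from Comment 8; with it True the three timestamp attributes are updated as in the third modlist of Comment 17.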
Comment 18 Arvid Requate univentionstaff 2018-08-08 14:22:54 CEST
<http://errata.software-univention.de/ucs/4.3/163.html>