Univention Bugzilla – Bug 47391
Password reset is not correctly synced from s4toucs if the same password is used again
Last modified: 2019-03-15 22:36:38 CET
When resetting a student's password one is forced to set a new one on next Win login. This all works like it should, but for some reason the password reset is not synced back to LDAP. The attributes 'shadowMax', 'sambaPwdLastSet' and 'shadowLastChange' do not correspond to the Samba/AD state. While in Samba/AD the user is good, it is still blocked/expired in LDAP. This only takes effect when using a service which uses LDAP for authentication. The situation is easily reproducible with a UCS@school 4.3 v4 from scratch - see test environment:
10.200.42.140 Master
10.200.42.142 Slave (edu)
10.200.42.139 Win7
(In reply to Nico Stöckigt from comment #0) > When resetting a student's password one is forced to set a new one on next > Win login. This all works like it should but for some reason the password > reset is not synced back to LDAP. Do you set the same or a different password? Can you append the S4 connector logs (debug level 4)?
I forgot to mention that the policy allows re-using the old password, so this behavior only occurs when the same password is re-entered. See also bug#47370.
(In reply to Nico Stöckigt from comment #2) > I missed to mention that the policy allows to re-use the old password so > this behavior only occurs when the same password is re-entered. It is the default S4 connector behavior. I'm not sure if it can be changed, since it is needed to prevent sync cycles. Is the UCS@school password reset module used? In this case, the UMC module could set a random password.
Created attachment 9604 [details] listener.log
Created attachment 9605 [details] directory-logger.log
Created attachment 9606 [details] connector-s4.log
Created attachment 9607 [details] connector-s4-fnc.log
connector-s4.log says at debug level 3:
=========================================================================
24.07.2018 12:46:07,722 LDAP (INFO ): The following attributes have been changed: ['pwdLastSet', 'whenChanged', 'uSNChanged']
[...]
24.07.2018 12:46:07,763 LDAP (INFO ): password_sync_s4_to_ucs: No password change to sync to UCS
=========================================================================
In that case nothing is synchronized. Attaching a patch proposal.
Created attachment 9608 [details] Bug47391_untested_proposal.patch
(In reply to Stefan Gohmann from comment #3) > Is the UCS@school password reset module used? In this case, the UMC module > could set a random password. That doesn't work since the old password must be used for the password change. I'll move it to the S4 connector.
The customer asked for an urgent fix. He needs this working until school begins next week.
Ok, I've created a branch arequate/bug47391 and committed:
72590b05a2 | Prepration: use object time instead of system time
c537b235f8 | sync_to_ucs: sync pwdLastChange even if hash didn't change
01ec487dac | Refactor: move code block up for next commit
32c9cadca4 | Simplify the code a bit
The result is a cleaner patch series than what I attached to Comment 9. I've tested the code manually by switching pwdLastSet to 0 and back to -1 via:
ldbedit -H /var/lib/samba/private/sam.ldb cn=user1 pwdLastSet
Please reopen after code review, then I'll adjust or merge to the master branch.
I've decided to merge the branch to see the Jenkins test results tomorrow.
6fab78c7ba | Merge branch 'arequate/bug47391' into 4.3-1
6826812b10 | debian/changelog
dd4b7bb2fe | Advisory
After that I've run "Publish UCS 4.3 errata test scopes to testing".
udm ... --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowMax: 1
shadowLastChange: 17748
sambaPwdLastSet: 0
krb5PasswordEnd: 20180807000000Z

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781490681974960

(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]
(INFO ): password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): 0
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '17748', '0'), ('shadowMax', '1', None), ('krb5PasswordEnd', '20180807000000Z', None), ('sambaPwdMustChange', '', '0')]
(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]

UCS:
dn: uid=test1,dc=four,dc=three
sambaPwdLastSet: 0
shadowLastChange: 0
sambaPwdMustChange: 0

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 0

I guess the shadowMax/krb5PasswordEnd to None is wrong.

We have another bug in UDM which caused me some trouble during the test with a stopped connector:

-> udm ... --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowMax: 1
shadowLastChange: 17748
sambaPwdLastSet: 0
krb5PasswordEnd: 20180807000000Z

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781521134271370

and again:

-> udm ... --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowLastChange: 17748
sambaPwdLastSet: 1533678716

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781521134271370
Created attachment 9623 [details] password.py.patch patch for password.py regarding shadowMax and krb5PasswordEnd
I've split off Comment 14 as Bug #47508. We both tested it and there are no real life consequences currently as UDM users/user checks shadowLastChange == 0 in addition to shadowMax.
OK - jenkins

OK - samba-tool user setpassword test1 same password
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '16750', '17750'), ('sambaPwdLastSet', '1533681306', '1533681353')]
(INFO ): password_sync_ucs_to_s4: modlist: []

OK - via windows with pwdChangeNextLogin=1
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '16750', '0'), ('sambaPwdLastSet', '1533681353', '0'), ('sambaPwdMustChange', '', '0')]
(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]

OK - pwchange during login on windows with same password
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '0', '17750'), ('sambaPwdLastSet', '0', '1533681623'), ('sambaPwdMustChange', '0', '')]
(INFO ): password_sync_ucs_to_s4: modlist: []

OK - pwchange in windows different password
(INFO ): password_sync_s4_to_ucs: modlist: [('sambaNTPassword', '40A0...', 'CE3...'), ('krb5Key', [...]), ('krb5KeyVersionNumber', '28', '33'), ('userPassword', '...'), ('sambaPwdLastSet', '1533681623', '1533681719')]
(INFO ): password_sync_ucs_to_s4: modlist: []

OK - udm users/user modify --dn uid=test1,dc=four,dc=three --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '17748', '0'), ('shadowMax', '1', None), ('krb5PasswordEnd', '20180807000000Z', None), ('sambaPwdMustChange', '', '0')]
(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]
udm users/user list --filter username=test1 | grep pwd

OK - YAML
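The test log above shows the shape of the fix: on the S4 -> UCS side the connector now carries pwdLastSet over to sambaPwdLastSet/shadowLastChange even when the NT hash is unchanged, while the UCS -> S4 side only ever pushes the "must change at next login" marker (pwdLastSet=0) and never a plain timestamp, which is what keeps the two directions from chasing each other. The following Python is an added illustration of that logic written for this page; it is not code from univention-s4-connector. The attribute names and the modlist triples follow the log excerpts in the thread, but the dict layout, the `nt_hash` key and the function names are assumptions made for the example, and the krb5PasswordEnd/shadowMax handling split off as Bug #47508 is deliberately left out.

```python
# Added example (not code from univention-s4-connector): a model of the
# password-timestamp sync between Samba/AD and UCS LDAP discussed in this bug.
# Attribute names follow the log excerpts above; the dict layout and the
# 'nt_hash' key are assumptions made for the illustration.

FILETIME_EPOCH_OFFSET = 11644473600      # seconds from 1601-01-01 to 1970-01-01
FILETIME_TICKS_PER_SECOND = 10_000_000   # AD pwdLastSet counts 100 ns intervals
SECONDS_PER_DAY = 86400                  # shadowLastChange counts days since 1970-01-01


def filetime_to_unix(pwd_last_set):
    """AD/Samba pwdLastSet (Windows FILETIME) to Unix seconds.

    0 means 'must change at next logon' and -1 is Samba's 'set to now'
    marker (see the ldbedit test in comment 10); both are mapped to 0 here.
    """
    if pwd_last_set <= 0:
        return 0
    return pwd_last_set // FILETIME_TICKS_PER_SECOND - FILETIME_EPOCH_OFFSET


def unix_to_filetime(unix_seconds):
    """Inverse of filetime_to_unix for whole seconds."""
    return (unix_seconds + FILETIME_EPOCH_OFFSET) * FILETIME_TICKS_PER_SECOND


def _add_mod(modlist, attr, old, new):
    """Record an (attr, old, new) triple, the shape seen in the connector log,
    only when the value actually changes."""
    if old != new:
        modlist.append((attr, old, new))


def password_sync_s4_to_ucs(s4, ucs, sync_timestamp_without_hash_change=True):
    """Build the UCS modlist for a change seen on the Samba/AD side.

    s4:  {'pwdLastSet': int, 'nt_hash': str}
    ucs: {'sambaNTPassword', 'sambaPwdLastSet', 'shadowLastChange',
          'sambaPwdMustChange'}, all strings as stored in LDAP.

    With sync_timestamp_without_hash_change=False the function behaves like
    the pre-fix connector from comment 9: an unchanged hash means nothing is
    synced, so resetting a user to the same password never clears the
    'must change' state in LDAP.
    """
    modlist = []
    hash_changed = s4['nt_hash'] != ucs['sambaNTPassword']
    if hash_changed:
        _add_mod(modlist, 'sambaNTPassword', ucs['sambaNTPassword'], s4['nt_hash'])
    elif not sync_timestamp_without_hash_change:
        return modlist  # pre-fix: "No password change to sync to UCS"

    last_set = filetime_to_unix(s4['pwdLastSet'])
    _add_mod(modlist, 'shadowLastChange', ucs['shadowLastChange'],
             str(last_set // SECONDS_PER_DAY))
    _add_mod(modlist, 'sambaPwdLastSet', ucs['sambaPwdLastSet'], str(last_set))
    # pwdLastSet == 0 is AD's 'must change at next logon'; on the UCS side
    # this is sambaPwdMustChange=0, which is removed ('') once the user has
    # changed the password.
    must_change = '0' if s4['pwdLastSet'] == 0 else ''
    _add_mod(modlist, 'sambaPwdMustChange', ucs['sambaPwdMustChange'], must_change)
    return modlist


def password_sync_ucs_to_s4(ucs, s4):
    """Build the Samba modlist for a change seen on the UCS side.

    2 is ldap.MOD_REPLACE, as in the logged (2, 'pwdLastSet', '0'). Only the
    'must change' flag is pushed; a plain new timestamp is not written back,
    which is what keeps the S4 -> UCS timestamp sync above from bouncing
    back and forth (the sync cycle mentioned in comment 3).
    """
    if ucs['sambaPwdMustChange'] == '0' and s4['pwdLastSet'] != 0:
        return [(2, 'pwdLastSet', '0')]
    return []


def apply_modlist(ucs, modlist):
    """Return a copy of the UCS object with the modlist applied."""
    updated = dict(ucs)
    for attr, _old, new in modlist:
        updated[attr] = new
    return updated


if __name__ == '__main__':
    # Constructed sample: the Windows user changed the password at login and
    # re-used the old one, so the hash is unchanged but pwdLastSet is new.
    s4 = {'pwdLastSet': unix_to_filetime(1533681623), 'nt_hash': 'CE3...'}
    ucs = {'sambaNTPassword': 'CE3...', 'sambaPwdLastSet': '0',
           'shadowLastChange': '0', 'sambaPwdMustChange': '0'}
    print('pre-fix:', password_sync_s4_to_ucs(s4, ucs, False))
    print('fixed  :', password_sync_s4_to_ucs(s4, ucs))
```

Running the sample reproduces the "pwchange during login on windows with same password" case from the test log: the pre-fix path returns an empty modlist and LDAP keeps sambaPwdMustChange=0, the fixed path returns the shadowLastChange/sambaPwdLastSet/sambaPwdMustChange triples, and feeding the updated UCS object back into the UCS -> S4 direction yields an empty modlist, so the round trip converges instead of cycling.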
<http://errata.software-univention.de/ucs/4.3/163.html>