Bug 47508 - password_sync_s4_to_ucs removes krb5PasswordEnd
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on: 47391
Blocks: 47518
Reported: 2018-08-08 12:58 CEST by Arvid Requate
Modified: 2018-09-19 11:23 CEST
What kind of report is it?: Development Internal
Description Arvid Requate univentionstaff 2018-08-08 12:58:38 CEST
See Bug #47391 Comment 14, password_sync_s4_to_ucs removes krb5PasswordEnd. The change of Bug #47391 makes this visible.

Felix and I think that this doesn't have real life consequences, but we should fix it with the next erratum.

+++ This bug was initially created as a clone of Bug #47391 +++
Comment 1 Arvid Requate univentionstaff 2018-08-08 13:02:40 CEST
This apparently also causes a "Password must change" in UMC to trigger a triple-sync in the S4-Connector. We should fix that too.
Comment 2 Stefan Gohmann univentionstaff 2018-08-09 06:26:35 CEST
(In reply to Arvid Requate from comment #0)
> Felix and I think that this doesn't have real life consequences, but we
> should fix it with the next erratum.

I've adjusted the flags to take that into account.
Comment 3 Nico Stöckigt univentionstaff 2018-08-13 09:25:22 CEST
In Ticket #2018072521000529 we had seen that the removal of the following attributes at a Samba/AD DC might have been crucial.

* Krb5PasswordEnd

We should double check this in terms of this bug.
Comment 4 Arvid Requate univentionstaff 2018-08-13 12:32:14 CEST
Yeah, but this is about the opposite situation.
Comment 5 Arvid Requate univentionstaff 2018-09-05 00:52:55 CEST
I've fixed this along with Bug #47595:

1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and
             don't reset shadowLastChange to 0
Comment 6 Arvid Requate univentionstaff 2018-09-05 16:35:24 CEST
I didn't pick up the first part of Felix's patch proposal (Bug 47391#c15) and that caused a test failure. Now I picked that part too.

There was also duplicate code looking up the password expiryInterval, first via udm policies/pwhistory for sambaPwdMustChange (now removed via Bug 45282) and then again via some sort of ldapsearch for new_shadowMax / new_krb5PasswordEnd. I merged this too and this improves readability of the code.

24fc6d4923 | Don't remove krb5PasswordEnd
b31b4b43aa | Advisory
Comment 7 Felix Botner univentionstaff 2018-09-12 14:26:20 CEST
OK - krb5PasswordEnd is set during password sync
 * if password is changed
 * if only pwdLastSet is set to 0
 * if the same password is set

OK - yaml
Comment 8 Philipp Hahn univentionstaff 2018-09-19 11:23:42 CEST