Univention Bugzilla – Bug 47508
password_sync_s4_to_ucs removes krb5PasswordEnd
Last modified: 2018-09-19 11:23:42 CEST
See Bug #47391 Comment 14, password_sync_s4_to_ucs removes krb5PasswordEnd. The change of Bug #47391 makes this visible.
Felix an I think that this doesn't have real life consequences, but we should fix it with the next erratum.
+++ This bug was initially created as a clone of Bug #47391 +++
This apparently also causes that a "Password must change" in UMC triggers a tripple-sync in S4-Connector. We should fix that too.
(In reply to Arvid Requate from comment #0)
> Felix an I think that this doesn't have real life consequences, but we
> should fix it with the next erratum.
I've adjusted the flags to take that into account.
In Ticket #2018072521000529 we had seen, that the removal of the following attributes at a Samba/AD DC might been crucial.
We should double check this in terms of this bug.
Yeah, but this but this is about the opposite situation.
I've fixed this along with Bug #47595:
1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and
don't reset shadowLastChange to 0
I didn't pick up the first part on Felix patch proposal (Bug 47391#c15) and that caused test failure. Now I picked that part too.
There was also duplicate code looking up the password expiryInterval, first via udm policies/pwhistory for sambaPwdMustChange (now removed via Bug 45282) and then again via some sort of ldapsearch for new_shadowMax / new_krb5PasswordEnd. I merged this too and this improves readability of the code.
24fc6d4923 | Don't remove krb5PasswordEnd
b31b4b43aa | Advisory
OK - krb5PasswordEnd is set during password sync
* if password is changed
* if only pwdLastSet is set to 0
* if the same password is set
OK - yaml