Bug 47508 – password_sync_s4_to_ucs removes krb5PasswordEnd

Bug 47508 - password_sync_s4_to_ucs removes krb5PasswordEnd


Summary:	password_sync_s4_to_ucs removes krb5PasswordEnd

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	S4 Connector
Version:	UCS 4.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.3-2-errata
Assigned To:	Arvid Requate
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:	47391
Blocks:	47518
	Show dependency tree / graph

Reported:	2018-08-08 12:58 CEST by Arvid Requate
Modified:	2018-09-19 11:23 CEST (History)
CC List:	7 users (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2018-08-08 12:58:38 CEST

See Bug #47391 Comment 14, password_sync_s4_to_ucs  removes  krb5PasswordEnd. The change of Bug #47391 makes this visible.

Felix an I think that this doesn't have real life consequences, but we should fix it with the next erratum.


+++ This bug was initially created as a clone of Bug #47391 +++

Comment 1 Arvid Requate

2018-08-08 13:02:40 CEST

This apparently also causes that a "Password must change" in UMC triggers a tripple-sync in S4-Connector. We should fix that too.

Comment 2 Stefan Gohmann

2018-08-09 06:26:35 CEST

(In reply to Arvid Requate from comment #0)
> Felix an I think that this doesn't have real life consequences, but we
> should fix it with the next erratum.

I've adjusted the flags to take that into account.

Comment 3 Nico Stöckigt

2018-08-13 09:25:22 CEST

In Ticket #2018072521000529 we had seen, that the removal of the following attributes at a Samba/AD DC might been crucial.

* Krb5PasswordEnd
  shadowLastChange
  shadowMax

We should double check this in terms of this bug.

Comment 4 Arvid Requate

2018-08-13 12:32:14 CEST

Yeah, but this but this is about the opposite situation.

Comment 5 Arvid Requate

2018-09-05 00:52:55 CEST

I've fixed this along with Bug #47595:

1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and
             don't reset shadowLastChange to 0

Comment 6 Arvid Requate

2018-09-05 16:35:24 CEST

I didn't pick up the first part on Felix patch proposal (Bug 47391#c15) and that caused test failure. Now I picked that part too.

There was also duplicate code looking up the password expiryInterval, first via udm policies/pwhistory for sambaPwdMustChange (now removed via Bug 45282) and then again via some sort of ldapsearch for new_shadowMax / new_krb5PasswordEnd. I merged this too and this improves readability of the code.


24fc6d4923 | Don't remove krb5PasswordEnd
b31b4b43aa | Advisory

Comment 7 Felix Botner

2018-09-12 14:26:20 CEST

OK - krb5PasswordEnd is set during password sync 
 * if password is changed
 * if only pwdLastSet is set to 0
 * if the same password is set

OK - yaml

Comment 8 Philipp Hahn

2018-09-19 11:23:42 CEST

<http://errata.software-univention.de/ucs/4.3/237.html>