Univention Bugzilla – Bug 47508
password_sync_s4_to_ucs removes krb5PasswordEnd
Last modified: 2018-09-19 11:23:42 CEST
See Bug #47391 Comment 14, password_sync_s4_to_ucs removes krb5PasswordEnd. The change of Bug #47391 makes this visible. Felix an I think that this doesn't have real life consequences, but we should fix it with the next erratum. +++ This bug was initially created as a clone of Bug #47391 +++
This apparently also causes that a "Password must change" in UMC triggers a tripple-sync in S4-Connector. We should fix that too.
(In reply to Arvid Requate from comment #0) > Felix an I think that this doesn't have real life consequences, but we > should fix it with the next erratum. I've adjusted the flags to take that into account.
In Ticket #2018072521000529 we had seen, that the removal of the following attributes at a Samba/AD DC might been crucial. * Krb5PasswordEnd shadowLastChange shadowMax We should double check this in terms of this bug.
Yeah, but this but this is about the opposite situation.
I've fixed this along with Bug #47595: 1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and don't reset shadowLastChange to 0
I didn't pick up the first part on Felix patch proposal (Bug 47391#c15) and that caused test failure. Now I picked that part too. There was also duplicate code looking up the password expiryInterval, first via udm policies/pwhistory for sambaPwdMustChange (now removed via Bug 45282) and then again via some sort of ldapsearch for new_shadowMax / new_krb5PasswordEnd. I merged this too and this improves readability of the code. 24fc6d4923 | Don't remove krb5PasswordEnd b31b4b43aa | Advisory
OK - krb5PasswordEnd is set during password sync * if password is changed * if only pwdLastSet is set to 0 * if the same password is set OK - yaml
<http://errata.software-univention.de/ucs/4.3/237.html>