Bug 49207 - 91univention-saml.inst fails with "Password policy error: is too simple"
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-4-errata
Assigned To: Mika Westphal
Christian Castens
https://git.knut.univention.de/univen...
Depends on:
Blocks:
Reported: 2019-04-01 10:36 CEST by Christina Scheinig
Modified: 2023-10-18 14:49 CEST
CC: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019032821000494, 2021051821000638, 2023020621000341
Bug group (optional): bitesize
Max CVSS v3 score:
best: Patch_Available+


Attachments

Description Christina Scheinig univentionstaff 2019-04-01 10:36:00 CEST
Caused by a very strict password policy, the 91univention-saml.inst script fails. The ucs-sso user is not created, so the 98univention-samba4-saml-kerberos.inst fails too.

RUNNING 91univention-saml.inst
2019-03-29 16:56:52.585763131+01:00 (in joinscript_init)
Not updating saml/idp/certificate/privatekey
Not updating saml/idp/certificate/certificate
Not updating saml/idp/entityID
Not updating ucs/server/sso/fqdn
File: /etc/apache2/sites-available/univention-saml.conf
Adding A record "ucs-sso 194.95.243.2" to zone in.dfn.de...
done
29.03.19 16:56:53.808  DEBUG_INIT
Password policy error: is too simple

__JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
EXITCODE=3
  RUNNING 98univention-samba4-saml-kerberos.inst
2019-03-29 16:56:54.926370727+01:00 (in joinscript_init)
Waiting for user replication...
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
EXITCODE=1

-----------------------------------------------------------
univention-policy-result -D $(ucr get ldap/hostdn) -y /etc/machine.secret cn=users,$(ucr get ldap/base)

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWLength
Value: 12

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWQualityCheck
Value: TRUE

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWHistoryLen
Value: 3
Comment 1 Florian Best univentionstaff 2019-04-01 10:54:21 CEST
Patch available in branch fbest/49207-saml-password-complexity:

diff --git a/saml/univention-saml/91univention-saml.inst b/saml/univention-saml/91univention-saml.inst
index 4d16b3cf51..dd547a06ba 100755
--- a/saml/univention-saml/91univention-saml.inst
+++ b/saml/univention-saml/91univention-saml.inst
@@ -77,6 +77,7 @@ create_krb_apache2_user() {
 »   »   udm users/user create "$@" --ignore_exists \
 »   »   »   »   --position "cn=users,$ldap_base" \
+»   »   »   »   --set overridePWLength=1 --set overridePWHistory=1 \
 »   »   »   »   --set username="$spn_account_name" \
 »   »   »   »   --set lastname="SSO" \
 »   »   »   »   --set password="$spn_account_name_password" \
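Review bot: the two flags added here, `--set overridePWLength=1 --set overridePWHistory=1`, are named for the length and history policies, while the failure in the report is the quality check ("Password policy error: is too simple", with univentionPWQualityCheck set to TRUE and the generated password already 20 characters long). Please verify that these flags also skip the quality check before relying on them for this bug, and add a comment above the `udm users/user create` call stating that the exemption is acceptable because the password comes from `create_machine_password` (pwgen, 20 random characters), so the policy bypass is not weakening a human-chosen password.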
@@ -153,6 +153,8 @@ lo, po = univention.admin.uldap.getAdminConnection()
 po.setDn('cn=users,%s' % (sys.argv[2]))
 user = univention.admin.modules.get('users/ldap').object(None, lo, po)
 user.open()
+user['overridePWHistory'] = '1'
+user['overridePWLength'] = '1'
 user['username'] = 'sys-idp-user'
 user['password'] = sys.argv[1]
 user['lastname'] = 'idp-user'
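Review bot: this object is created through `univention.admin.modules.get('users/ldap')`, not `users/user`; please confirm that the `users/ldap` module defines the `overridePWHistory` and `overridePWLength` properties assigned here, since assigning a property the module does not know fails before the user is ever created and the join script would then still abort. As in the first hunk, a one-line comment explaining why `sys-idp-user` is exempted from the password policy (machine-generated password from `sys.argv[1]`) would make the intent clear to the next reader.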
Comment 2 Christina Scheinig univentionstaff 2019-04-01 11:18:55 CEST
Workaround:
The 91univention-saml.inst uses the create_machine_password function
spn_account_name_password=$(create_machine_password)

so the ucr variables 
ucr info machine/password/length
machine/password/length: <empty>
 The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 20 characters.
 Categories: service-base

and 
ucr info machine/password/complexity
machine/password/complexity: <empty>
 The machine passwords are generated with the tool pwgen. This variable configures the parameters used during generation (see 'man pwgen'). If the variable is unset, 'scn' applies.
 Categories: service-base
should be set.
Comment 3 Ingo Steuwer univentionstaff 2021-05-14 15:43:19 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 4 Christina Scheinig univentionstaff 2021-05-17 09:45:58 CEST
Should be still relevant for UCS 4.4
Comment 5 Daniel Duchon univentionstaff 2021-05-19 12:35:32 CEST
Still relevant for enterprise-customer

Please keep in mind that enabling scny for machine/password/complexity also includes special characters like " and '. These must be correctly quoted in config files such as radius.
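The workaround in Comment 2 and the quoting caveat in Comment 5 can be checked ahead of time. The following is an added example, not code from the bug report, from the patch, or from UCS: it models how the pwgen flag letters behind `machine/password/complexity` ("scn" by default, "scny" to add symbols) change the character classes of a generated service-account password, runs a pre-flight check against the `univentionPWLength` value shown by `univention-policy-result` in the description, and lists the characters that Comment 5 says must be quoted in config files. Assumptions: Python's `secrets` module stands in for pwgen, and the "required character classes" rule is a constructed stand-in for the site's quality check, whose exact rule the report does not show.

```python
import secrets
import string

# pwgen option letters used by machine/password/complexity and the character
# class each one adds (see 'man pwgen'). 's' (secure) only changes how the
# characters are picked, not which classes appear, so it adds no class here.
PWGEN_CLASSES = {
    "c": ("upper", string.ascii_uppercase),
    "n": ("digit", string.digits),
    "y": ("symbol", string.punctuation),
}
LOWER = ("lower", string.ascii_lowercase)

# Characters Comment 5 warns about: a password containing them has to be
# quoted or escaped when it is written into a config file.
QUOTING_HAZARDS = "\"'\\$`"


def classes_for_flags(flags):
    """Return the (name, alphabet) pairs implied by a pwgen flag string."""
    classes = [LOWER]
    for flag in flags:
        if flag == "s":
            continue
        if flag not in PWGEN_CLASSES:
            raise ValueError("unsupported pwgen flag %r" % flag)
        classes.append(PWGEN_CLASSES[flag])
    return classes


def generate_password(length=20, flags="scn"):
    """Generate a password with the defaults of create_machine_password:
    20 characters, pwgen 'scn'. Like pwgen, every requested class appears at
    least once. Assumption: the secrets module is a stand-in for pwgen."""
    classes = classes_for_flags(flags)
    if length < len(classes):
        raise ValueError("length too small for the requested classes")
    alphabet = "".join(a for _, a in classes)
    chars = [secrets.choice(a) for _, a in classes]  # one from each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def character_classes(password):
    """Names of the character classes present in the password."""
    present = set()
    for name, alphabet in [LOWER] + list(PWGEN_CLASSES.values()):
        if any(ch in alphabet for ch in password):
            present.add(name)
    return present


def policy_violations(password, min_length=12, required_classes=3):
    """Pre-flight check against a policy like the one in the report
    (univentionPWLength 12). The class-count rule is a constructed stand-in
    for the site's quality check; the report does not show the real rule."""
    violations = []
    if len(password) < min_length:
        violations.append("shorter than univentionPWLength=%d" % min_length)
    found = character_classes(password)
    if len(found) < required_classes:
        violations.append("only %d of %d required character classes"
                          % (len(found), required_classes))
    return violations


def quoting_hazards(password):
    """Characters in the password that must be escaped in config files."""
    return sorted(set(ch for ch in password if ch in QUOTING_HAZARDS))


if __name__ == "__main__":
    # With a policy demanding four classes, 'scn' output always fails and
    # 'scny' output passes, which is what switching the UCR variable buys.
    for flags in ("scn", "scny"):
        pw = generate_password(20, flags)
        print(flags, pw, sorted(character_classes(pw)),
              policy_violations(pw, 12, 4), quoting_hazards(pw))
```

Run it a few times: the "scny" passwords regularly contain `"`, `'` or `$`, which is exactly the set `quoting_hazards` reports and the reason Comment 5 asks for careful quoting in files such as the radius configuration.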
Comment 6 Christina Scheinig univentionstaff 2023-02-06 17:16:56 CET
This is also relevant in UCS 5 with other joinscripts like:

RUNNING 98univention-samba4-dns.inst
2023-01-31 10:57:09.982192698+01:00 (in joinscript_init)
Waiting for RID Pool replication: done.
Password policy error: is too simple.
ERROR: could not create user account dns-primary1
**************************************************************
* ERROR: Failed to create DNS spn account. *
* Please check the samba and the s4-connector logfile.*

I set the component of this bug to join instead of saml and increased the UCS version to ucs5.
Comment 8 Mika Westphal univentionstaff 2023-08-03 15:50:02 CEST
The user creation now ignores the required password length and the password history. 

univention-saml.yaml
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-saml (7.0.8-5)
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-samba4.yaml
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history

univention-samba4 (9.0.13-3)
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history
Comment 9 Florian Best univentionstaff 2023-08-03 16:16:17 CEST
REOPENED: There are two errors in the code, see my remarks in the merge request.
Comment 10 Mika Westphal univentionstaff 2023-08-04 09:07:31 CEST
The user creation now ignores the required password length and the password history, now without errors.

univention-saml.yaml
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-saml (7.0.8-6)
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript

univention-saml (7.0.8-5)
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-samba4.yaml
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history

univention-samba4 (9.0.13-4)
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript

univention-samba4 (9.0.13-3)
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history
Comment 11 Christian Castens univentionstaff 2023-08-09 10:17:08 CEST
QA:
   - The spn account creation in univention-samba4 and univention-saml now ignores specific password policies (length/history):  OK
   - spn accounts are successfully created even after switching to strict password policies (which would have caused the user creation to fail before):  OK
   - advisories:  OK
   - no related tracebacks/errors in log files:  OK