Univention Bugzilla – Bug 51298
Sync "The user must change the password at next login"
Last modified: 2020-06-24 12:53:08 CEST
Created attachment 10363 [details] Screenshot1

Maybe a regression?

1. Created user in AD with option "The user must change the password at next login" (Screenshots 1-3).
2. User was synchronized, but not the option "The user must change the password at next login" / "User must change the password at next login".

I only found in the manual: "The synchronization [...] of the user option Change password at next login is done by UCS only on Samba level." https://docs.software-univention.de/handbuch-4.4.html#windows:benutzer:Besonderheiten

I'm not sure if this means that the same option in the UMC will not be synchronized in the AD connector, but it appears to be the case.
Created attachment 10364 [details] Screenshot2
Created attachment 10365 [details] Screenshot3
Created attachment 10366 [details] Screenshot4
Since I just visited that code: These UCR variables may affect things here (but probably are not enough):
* connector/ad/password/timestamp/check
* connector/ad/password/timestamp/syncreset/ucs
* connector/ad/password/timestamp/syncreset/ad
ebf123f5aed9bb7eb592250acd02da57c58448e0 - ucs-test added 55_adconnector/503test_password_change_next_logon but skipped currently, please check and activate the test once the fix is done
Package: univention-ad-connector
Version: 13.0.0-34A~4.4.0.202006052233
Package: ucs-test
Version: 9.0.3-219A~4.4.0.202006052236
Package: univention-s4-connector
Version: 13.0.2-72A~4.4.0.202006052230
--------------------------------------------------
c06383ac81 Bug #51298: Update documentation
89b0df9014 Bug #51298: yaml
2f46802eb9 Bug #51298: Merge branch 'jbremer/Bug51298_sync_pwdChangeNextLogin' into 4.4-4
8daa7f3d5c Bug #51298: Test pwdChangeNextLogin in S4Connector
1f518bb182 Bug #51298: Changelog
1c154db52f Bug #51298: extend test case
d9bbd4712c Bug #51298: Sync pwdLastSet from UCS
2c9b52646b Bug #51298: actually expire password in S4
7429139d80 Bug #51298: Sync pwdLastChange in adconnector
---------------------------------------------------

The pwdChangeNextLogin flag is now synced from/to AD. The password expires in Kerberos, Samba and openLDAP, and the flag is shown in the UMC. In the S4-Connector the password never expired in openLDAP after syncing pwdLastSet==0 from Samba to UCS. This has been fixed too. The password expiry mechanism was never tested before, so I created a test for the S4 Connector as well. This has been merged and built on 05.06.20; the AD Connector test has run successfully since then.
Code and tests look good, but a UMC logon changes the password for AD users with pwdLastSet==0 directly, without user interaction. The new password is equal to the old, just the "user must change password" stuff is gone.

Create AD user with "user must change password":

DN: CN=win20,CN=Users,DC=autotestwin,DC=local
primaryGroupID: 513
logonCount: 0
cn: win20
countryCode: 0
dSCorePropagationData: 16010101000000.0Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: win20@autotestwin.local
instanceType: 4
distinguishedName: CN=win20,CN=Users,DC=autotestwin,DC=local
sAMAccountType: 805306368
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
objectSid: S-1-5-21-3635031200-1553950662-1512387333-1131
whenCreated: 20200608152801.0Z
uSNCreated: 13388
badPasswordTime: 0
pwdLastSet: 0
sAMAccountName: win20
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=autotestwin,DC=local
objectGUID: fac20751-ee9c-40d5-9896-b063e586cbd2
whenChanged: 20200608152811.0Z
badPwdCount: 0
accountExpires: 9223372036854775807
displayName: win20
name: win20
codePage: 0
userAccountControl: 512
lastLogon: 0
uSNChanged: 13401
sn: win20
givenName: win20
lastLogoff: 0

# win20, users, autotest.local
dn: uid=win20,cn=users,dc=autotest,dc=local
cn: win20 win20
uid: win20
krb5PrincipalName: win20@AUTOTEST.LOCAL
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2029
sambaAcctFlags: [U ]
sambaPasswordHistory: FFFA3A741CDDE03EB5196462DA5F96DF4264E580C0ECBCCE051BEBD9AC3E700F
sambaBadPasswordCount: 0
krb5MaxLife: 86400
sambaBadPasswordTime: 0
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-116618959-3384392643-1313457844-513
displayName: win20
sambaSID: S-1-5-21-116618959-3384392643-1313457844-5058
gecos: win20 win20
sn: win20
pwhistory: $6$1j4tickuKZ3oJKvi$s31MPjUUEslJN8MZbrdUBWJ0pif4re3z1AaH592bm3ESYC/USDOlnPXMiplsHYG.cIO6R4Wk8FKeI5MyTMIgz1
homeDirectory: /home/win20
givenName: win20
krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
userPassword:: e0s1S0VZfQ==
sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
sambaPwdLastSet: 0
krb5PasswordEnd: 20200608000000Z
shadowMax: 1
shadowLastChange: 18419

Looks good so far, and kinit:

  kinit win20 (Univention.99)
  win20@AUTOTEST.LOCAL's Password: ****
  Your password will expire at Mon Jun 8 02:00:00 2020
  Changing password
  New password:

ok, but:

  umc-command -U win20 -P Univention.99
  08.06.20 17:30:14.387 DEBUG_INIT
  Response: COMMAND
  data length : 249
  message length: 191
  ---
  MIMETYPE : application/json
  STATUS : 403
  MESSAGE : Verboten
  ERROR : {u'traceback': None, u'command': u'handle_request_command'}
  RESULT : {u'status': 403, u'headers': {u'Vary': u'Content-Language', u'Content-Language': u'de-DE'}, u'message': u'Verboten', u'result': None, u'error': {u'traceback': None, u'command': u'handle_request_command'}}

auth.log:

  Jun 8 17:30:14 admember python2.7: nss_ldap: reconnecting to LDAP server...
  Jun 8 17:30:14 admember python2.7: nss_ldap: reconnected to LDAP server ldap://admember.autotest.local:7389 after 1 attempt
  Jun 8 17:30:14 admember python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=win20
  Jun 8 17:30:14 admember kpasswdd[1390]: Changing password for win20@AUTOTEST.LOCAL
  Jun 8 17:30:14 admember python2.7: pam_krb5(univention-management-console:auth): user win20 authenticated as win20@AUTOTEST.LOCA

No kinit with old password (Univention.99) works,
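As an added example, not code from the UCS connectors or from the commenter: a small Python check that parses single-entry LDIF fragments shaped after the two dumps above and verifies that an AD-side pwdLastSet of 0 is reflected on the UCS side in all three backends the fix targets (Samba, shadow and Kerberos). The sample entries and the reference time REF_NOW are constructed.

```python
# Added example (not UCS connector code): check that AD's "must change password at next
# login" (pwdLastSet == 0) is mirrored in Samba, shadow and Kerberos attributes on the UCS side.
from datetime import date, datetime, timezone

# Constructed sample fragments, shaped after the two dumps in this bug; REF_NOW is constructed too.
AD_LDIF = """dn: CN=win20,CN=Users,DC=autotestwin,DC=local
sAMAccountName: win20
pwdLastSet: 0
"""
UCS_LDIF = """dn: uid=win20,cn=users,dc=autotest,dc=local
sambaPwdLastSet: 0
krb5PasswordEnd: 20200608000000Z
shadowMax: 1
shadowLastChange: 18419
"""
REF_NOW = datetime(2020, 6, 8, 17, 30, tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal single-entry LDIF parser: attribute -> list of values.
    Base64 values ('attr:: ...') are kept as the raw base64 string."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        entry.setdefault(attr, []).append(rest.lstrip(": ").rstrip())
    return entry

def ad_must_change(ad):
    """AD: pwdLastSet == 0 means the user must change the password at next login."""
    return ad.get("pwdLastSet", [""])[0] == "0"

def ucs_expiry_state(ucs, now):
    """Per-backend view of whether the UCS object counts as expired at `now` (UTC)."""
    today = (now.date() - date(1970, 1, 1)).days  # shadow fields are days since epoch
    last = int(ucs.get("shadowLastChange", ["0"])[0])
    max_days = int(ucs.get("shadowMax", ["99999"])[0])
    end = ucs.get("krb5PasswordEnd", [None])[0]
    krb_end = datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc) if end else None
    return {
        "samba": ucs.get("sambaPwdLastSet", [""])[0] == "0",
        "shadow": last + max_days <= today,
        "kerberos": krb_end is not None and krb_end <= now,
    }

def in_sync(ad_text, ucs_text, now):
    """Return (agree, per-backend state); agree is True when the AD flag and every UCS backend match."""
    state = ucs_expiry_state(parse_ldif(ucs_text), now)
    return ad_must_change(parse_ldif(ad_text)) == all(state.values()), state
```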
Sounds similar to Bug #43859, Bug #38082. So I suspect a bug in heimdal (or pam_krb5).

I see the patches 4.2-0-0-ucs/1.6~rc2+dfsg-9-errata4.2-1/0200_krb5_get_init_creds_opt_set_change_password_prompt.* aren't part of our latest release anymore (because they are integrated upstream?!). Maybe another upstream change broke that behavior again.

pam-krb5 sets the flag correctly: libpam-krb5/4.7-4/libpam-krb5-4.7/auth.c:
  163 krb5_get_init_creds_opt_set_change_password_prompt(opts,
  164     (config->defer_pwchange || config->fail_pwchange) ? 0 : 1);

The debug output of PAM is:
  # PAM(1) SAML message: answer=u'Univention.99'
  PAM says: 'Password has expired'
  # PAM(4) Password has expired: answer=''
  PAM says: 'Your password will expire at Tue Jun 9 02:00:00 2020\n'
  # PAM(4) Your password will expire at Tue Jun 9 02:00:00 2020\n: answer=''
  PAM says: 'Changing password'
  # PAM(4) Changing password: answer=''
  # PAM(1) New password: answer=u'Univention.99'
  # PAM(1) Repeat new password: answer=u'Univention.99'
  PAM says: 'Success: Password changed\n'

So, with the fix mentioned above PAM shouldn't ask anymore to change the password! Because we are setting the flag defer_pwchange in /etc/pam.d/univention-management-console:
  auth sufficient pam_krb5.so use_first_pass defer_pwchange

But I also see that we set force_pwchange in acct-mngmt (which could also be a reason?):
  account sufficient pam_krb5.so force_pwchange
univention-s4-connector: There seems to be an issue with the s4 connector too.

Create samba user with pwdLastSet=0:
  samba-tool user create --must-change-at-next-login \
    --use-username-as-cn sam3 Univention.99

Now UMC logon with password change (password to univention) - the pwdLastSet=0 sync to ucs was successful.

But, despite the password change to "univention", kinit still wants the old password:
  kinit sam3 -> univention => fails
  kinit sam3 -> Univention.90 => OK
I created a new Bug for this "password overwriting issue": Bug #51462. This one only addresses the sync with S4/AD Connector.
univention-s4-connector
OK - YAML
OK - pwdLastSet sync manual tests
OK - Jenkins tests
OK - ucs-test

univention-ad-connector
OK - YAML
OK - sync of pwdChangeNextLogin
OK - Jenkins tests
OK - ucs-test

So apart from Bug #51462 everything OK; still I will not set this bug verified, just in case.
Since this bug is blocked by Bug #51462, which needs a restart of the univention-management-console-server, we decided to release it with 4.4-5. I changed the Target Milestone accordingly.
I added dependencies for heimdal to univention-ad-connector and univention-s4-connector. We will restart the univention-management-console-server in the postinst. This way, we can release this feature during normal errata update without having to wait for the patch level release.
OK - univention-ad-connector
  OK - connector ucs-test
  OK - manual tests
  OK - dependencies
  OK - yaml
OK - univention-s4-connector
  OK - connector ucs-test
  OK - manual tests
  OK - dependencies
  OK - yaml
<http://errata.software-univention.de/ucs/4.4/636.html> <http://errata.software-univention.de/ucs/4.4/637.html>