Bug 51298 - Sync "The user must change the password at next login"
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Mac OS X 10.1
: P5 normal
: UCS 4.4-4-errata
Assigned To: Julia Bremer
Felix Botner
Depends on: 51462
Blocks:
Reported: 2020-05-17 20:27 CEST by Michel Smidt
Modified: 2020-06-24 12:53 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Screenshot1 (107.28 KB, image/jpeg), 2020-05-17 20:27 CEST, Michel Smidt
Screenshot2 (114.43 KB, image/jpeg), 2020-05-17 20:28 CEST, Michel Smidt
Screenshot3 (110.88 KB, image/jpeg), 2020-05-17 20:29 CEST, Michel Smidt
Screenshot4 (166.19 KB, image/jpeg), 2020-05-17 20:29 CEST, Michel Smidt

Description Michel Smidt 2020-05-17 20:27:59 CEST
Created attachment 10363 [details]
Screenshot1

Maybe a regression?
1. Created a user in AD with the option "The user must change the password at next login" (Screenshots 1-3).
2. The user was synchronized, but not the option "The user must change the password at next login" / "User must change the password at next login".

I only found in the manual: "The synchronization [...] of the user option Change password at next login is done by UCS only on Samba level."
https://docs.software-univention.de/handbuch-4.4.html#windows:benutzer:Besonderheiten

I'm not sure if this means that the same option in the UMC will not be synchronized in the AD connector but it appears to be the case.
Comment 1 Michel Smidt 2020-05-17 20:28:32 CEST
Created attachment 10364 [details]
Screenshot2
Comment 2 Michel Smidt 2020-05-17 20:29:17 CEST
Created attachment 10365 [details]
Screenshot3
Comment 3 Michel Smidt 2020-05-17 20:29:36 CEST
Created attachment 10366 [details]
Screenshot4
Comment 4 Arvid Requate univentionstaff 2020-06-02 10:52:39 CEST
Since I just visited that code: These UCR variables may affect things here (but probably are not enough):
 
* connector/ad/password/timestamp/check
* connector/ad/password/timestamp/syncreset/ucs
* connector/ad/password/timestamp/syncreset/ad
Comment 5 Felix Botner univentionstaff 2020-06-02 16:48:40 CEST
ebf123f5aed9bb7eb592250acd02da57c58448e0 - ucs-test
added 55_adconnector/503test_password_change_next_logon 

but currently skipped; please check and activate the test once the fix is done
Comment 6 Julia Bremer univentionstaff 2020-06-08 11:52:49 CEST
Package: univention-ad-connector
Version: 13.0.0-34A~4.4.0.202006052233

Package: ucs-test
Version: 9.0.3-219A~4.4.0.202006052236

Package: univention-s4-connector
Version: 13.0.2-72A~4.4.0.202006052230

--------------------------------------------------
c06383ac81 Bug #51298: Update documentation
89b0df9014 Bug #51298: yaml
2f46802eb9 Bug #51298: Merge branch 'jbremer/Bug51298_sync_pwdChangeNextLogin' into 4.4-4
8daa7f3d5c Bug #51298: Test pwdChangeNextLogin in S4Connector
1f518bb182 Bug #51298: Changelog
1c154db52f Bug #51298: extend test case
d9bbd4712c Bug #51298: Sync pwdLastSet from UCS
2c9b52646b Bug #51298: actually expire password in S4
7429139d80 Bug #51298: Sync pwdLastChange in adconnector

---------------------------------------------------

The pwdChangeNextLogin flag is now synced from/to AD.
The password expires in Kerberos, Samba and openLDAP, the flag is shown in the UMC.

In the S4-Connector the password never expired in openLDAP after syncing pwdLastSet==0 from Samba to UCS. This has been fixed too. 
The password expiry mechanism was never tested before, so I created a test for the S4 Connector as well.

This has been merged and built on 05.06.20; the AD Connector test has run successfully since then.
Comment 7 Felix Botner univentionstaff 2020-06-08 17:30:48 CEST
Code and tests look good, but a UMC logon changes the password for AD users with pwdLastSet==0 directly, without user interaction.

The new password is equal to the old; just the "user must change password" stuff is gone.

Create an AD user with "user must change password":

DN: CN=win20,CN=Users,DC=autotestwin,DC=local
primaryGroupID: 513
logonCount: 0
cn: win20
countryCode: 0
dSCorePropagationData: 16010101000000.0Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: win20@autotestwin.local
instanceType: 4
distinguishedName: CN=win20,CN=Users,DC=autotestwin,DC=local
sAMAccountType: 805306368
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
objectSid: S-1-5-21-3635031200-1553950662-1512387333-1131
whenCreated: 20200608152801.0Z
uSNCreated: 13388
badPasswordTime: 0
pwdLastSet: 0
sAMAccountName: win20
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=autotestwin,DC=local
objectGUID: fac20751-ee9c-40d5-9896-b063e586cbd2
whenChanged: 20200608152811.0Z
badPwdCount: 0
accountExpires: 9223372036854775807
displayName: win20
name: win20
codePage: 0
userAccountControl: 512
lastLogon: 0
uSNChanged: 13401
sn: win20
givenName: win20
lastLogoff: 0

# win20, users, autotest.local
dn: uid=win20,cn=users,dc=autotest,dc=local
cn: win20 win20
uid: win20
krb5PrincipalName: win20@AUTOTEST.LOCAL
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2029
sambaAcctFlags: [U          ]
sambaPasswordHistory: FFFA3A741CDDE03EB5196462DA5F96DF4264E580C0ECBCCE051BEBD9AC3E700F
sambaBadPasswordCount: 0
krb5MaxLife: 86400
sambaBadPasswordTime: 0
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-116618959-3384392643-1313457844-513
displayName: win20
sambaSID: S-1-5-21-116618959-3384392643-1313457844-5058
gecos: win20 win20
sn: win20
pwhistory: $6$1j4tickuKZ3oJKvi$s31MPjUUEslJN8MZbrdUBWJ0pif4re3z1AaH592bm3ESYC/USDOlnPXMiplsHYG.cIO6R4Wk8FKeI5MyTMIgz1
homeDirectory: /home/win20
givenName: win20
krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
userPassword:: e0s1S0VZfQ==
sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
sambaPwdLastSet: 0
krb5PasswordEnd: 20200608000000Z
shadowMax: 1
shadowLastChange: 18419

looks good so far, and kinit

-> kinit win20 (Univention.99)
win20@AUTOTEST.LOCAL's Password: ****
Your password will expire at Mon Jun  8 02:00:00 2020

Changing password
New password:

ok, but

-> umc-command  -U win20 -P Univention.99
08.06.20 17:30:14.387  DEBUG_INIT
Response: COMMAND
  data length   :  249
  message length:  191
  ---
MIMETYPE   : application/json
  STATUS   : 403
  MESSAGE  : Verboten
  ERROR    : {u'traceback': None, u'command': u'handle_request_command'}
  RESULT   : {u'status': 403, u'headers': {u'Vary': u'Content-Language', u'Content-Language': u'de-DE'}, u'message': u'Verboten', u'result': None, u'error': {u'traceback': None, u'command': u'handle_request_command'}}

auth.log
Jun  8 17:30:14 admember python2.7: nss_ldap: reconnecting to LDAP server...
Jun  8 17:30:14 admember python2.7: nss_ldap: reconnected to LDAP server ldap://admember.autotest.local:7389 after 1 attempt
Jun  8 17:30:14 admember python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=win20
Jun  8 17:30:14 admember kpasswdd[1390]: Changing password for win20@AUTOTEST.LOCAL
Jun  8 17:30:14 admember python2.7: pam_krb5(univention-management-console:auth): user win20 authenticated as win20@AUTOTEST.LOCA

no kinit with old password (Univention.99) works,
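A check for the state comment 6 describes and comment 7 dumps, as an added example (this is not code from the bug report or from the Univention AD/S4 connectors): it reads the minimal `attr: value` entries and tests whether pwdLastSet == 0 on the AD side is mirrored by an expired password in each of the three UCS backends the connector writes to (Samba via sambaPwdLastSet, shadow/openLDAP via shadowMax and shadowLastChange, Kerberos via krb5PasswordEnd). The short entries, the "unfixed" entry and the cut-off date are constructed from comments 6 and 7.

```python
"""Added example; not code from the bug report or from the Univention
AD/S4 connectors. Parses the minimal 'attr: value' dumps from comment 7 and
checks whether 'must change password at next login' is expressed consistently
on the AD side (pwdLastSet == 0) and on each UCS backend the connector writes:
Samba (sambaPwdLastSet), shadow/openLDAP (shadowMax, shadowLastChange) and
Kerberos (krb5PasswordEnd)."""
from datetime import date, datetime

# Constructed from the AD entry in comment 7 (only the attributes inspected here).
AD_ENTRY = """\
DN: CN=win20,CN=Users,DC=autotestwin,DC=local
sAMAccountName: win20
pwdLastSet: 0
userAccountControl: 512
"""

# Constructed from the UCS entry in comment 7, i.e. the state after the fix.
UCS_ENTRY = """\
dn: uid=win20,cn=users,dc=autotest,dc=local
uid: win20
sambaPwdLastSet: 0
krb5PasswordEnd: 20200608000000Z
shadowMax: 1
shadowLastChange: 18419
"""

# Constructed: the pre-fix S4 connector state described in comment 6, where
# pwdLastSet==0 reached Samba but openLDAP/Kerberos never expired the password.
UCS_ENTRY_UNFIXED = """\
dn: uid=win20,cn=users,dc=autotest,dc=local
uid: win20
sambaPwdLastSet: 0
shadowLastChange: 18419
"""

TODAY = date(2020, 6, 8)  # the day the entries in comment 7 were dumped


def parse_entry(text):
    """Turn 'attr: value' lines into {attr: [values]}; multi-valued attributes
    (objectClass, msDS-RevealedDSAs) keep every value. Base64 values marked
    with '::' are kept as the raw base64 string."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip(": ").strip())
    return entry


def first(entry, attr, default=None):
    values = entry.get(attr)
    return values[0] if values else default


def ad_must_change(entry):
    """AD/Samba semantics: pwdLastSet == 0 forces a password change at next logon."""
    return first(entry, "pwdLastSet") == "0"


def ucs_expiry_state(entry, today):
    """Whether each UCS backend considers the password expired on `today`."""
    samba = first(entry, "sambaPwdLastSet") == "0"

    shadow_max = first(entry, "shadowMax")
    last_change = int(first(entry, "shadowLastChange", "0"))
    epoch_days = (today - date(1970, 1, 1)).days
    shadow = shadow_max is not None and last_change + int(shadow_max) <= epoch_days

    end = first(entry, "krb5PasswordEnd")
    krb5 = end is not None and datetime.strptime(end, "%Y%m%d%H%M%SZ").date() <= today

    return {"samba": samba, "shadow": shadow, "krb5": krb5}


def consistent(ad_entry, ucs_entry, today):
    """True when all three UCS backends agree with each other and with AD."""
    states = set(ucs_expiry_state(ucs_entry, today).values())
    return len(states) == 1 and states.pop() == ad_must_change(ad_entry)


def check_comment7_entries():
    """Run the check on the constructed entries above."""
    ad = parse_entry(AD_ENTRY)
    return {
        "fixed": consistent(ad, parse_entry(UCS_ENTRY), TODAY),
        "unfixed": consistent(ad, parse_entry(UCS_ENTRY_UNFIXED), TODAY),
    }


if __name__ == "__main__":
    print(check_comment7_entries())  # {'fixed': True, 'unfixed': False}
```

The "unfixed" entry comes out inconsistent because only Samba sees the password as expired, which is exactly the S4 connector defect comment 6 reports as fixed alongside the sync itself; a per-backend view like this is a quicker verification than trying kinit, a UMC logon and a Samba logon one after another.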
Comment 8 Florian Best univentionstaff 2020-06-09 17:42:16 CEST
Sounds similar to Bug #43859, Bug #38082. So I suspect a bug in heimdal (or pam_krb5).
I see the patches 4.2-0-0-ucs/1.6~rc2+dfsg-9-errata4.2-1/0200_krb5_get_init_creds_opt_set_change_password_prompt.* aren't part of our latest release anymore (because they are integrated upstream?!). Maybe another upstream change broke that behavior again.

pam-krb5 sets the flag correctly:
libpam-krb5/4.7-4/libpam-krb5-4.7/auth.c:
   163         krb5_get_init_creds_opt_set_change_password_prompt(opts,
   164             (config->defer_pwchange || config->fail_pwchange) ? 0 : 1);

The debug output of PAM is:
# PAM(1) SAML message: answer=u'Univention.99'
PAM says: 'Password has expired'
# PAM(4) Password has expired: answer=''
PAM says: 'Your password will expire at Tue Jun  9 02:00:00 2020\n'
# PAM(4) Your password will expire at Tue Jun  9 02:00:00 2020\n: answer=''
PAM says: 'Changing password'
# PAM(4) Changing password: answer=''
# PAM(1) New password: answer=u'Univention.99'
# PAM(1) Repeat new password: answer=u'Univention.99'
PAM says: 'Success: Password changed\n'

So, with the fix mentioned above, PAM shouldn't ask to change the password anymore! Because we are setting the flag defer_pwchange in /etc/pam.d/univention-management-console:
auth     sufficient                         pam_krb5.so use_first_pass defer_pwchange

But I also see that we set force_pwchange in acct-mngmt (which could also be a reason?):
account  sufficient             pam_krb5.so force_pwchange
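The behaviour comments 7 and 8 describe, turned into a check, as an added example (not code from the bug report or from Univention): it scans auth.log lines for a kpasswdd password change that lands inside a UMC authentication of the same user, and reads the pam_krb5 options out of pam.d lines such as the two quoted above. The log lines and pam.d lines are copied from comments 7 and 8; the 5-second correlation window is an assumption.

```python
"""Added example, not part of the bug report: find logins where a Kerberos
password change (kpasswdd) happened inside an authentication for the same
principal, which is the unexpected behaviour comment 7 describes, and inspect
a pam.d stanza for the defer_pwchange / force_pwchange options comment 8 names."""
import re
from datetime import datetime

# Copied from the auth.log excerpt in comment 7 (its last line is cut off there too).
AUTH_LOG = """\
Jun  8 17:30:14 admember python2.7: nss_ldap: reconnecting to LDAP server...
Jun  8 17:30:14 admember python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=win20
Jun  8 17:30:14 admember kpasswdd[1390]: Changing password for win20@AUTOTEST.LOCAL
Jun  8 17:30:14 admember python2.7: pam_krb5(univention-management-console:auth): user win20 authenticated as win20@AUTOTEST.LOCA
"""

# Copied from the /etc/pam.d/univention-management-console lines quoted in comment 8.
PAM_STANZA = """\
auth     sufficient                         pam_krb5.so use_first_pass defer_pwchange
account  sufficient             pam_krb5.so force_pwchange
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
AUTH_OK_RE = re.compile(_TS + r" \S+ \S+ pam_krb5\((?P<service>[^:]+):auth\): user (?P<user>\S+) authenticated")
KPASSWD_RE = re.compile(_TS + r" \S+ kpasswdd\[\d+\]: Changing password for (?P<user>[^@\s]+)@")


def _seconds(ts):
    """Syslog timestamps carry no year; seconds since the year's start suffice
    for correlating events that are a few seconds apart."""
    t = datetime.strptime(ts, "%b %d %H:%M:%S")
    return ((t.timetuple().tm_yday * 24 + t.hour) * 60 + t.minute) * 60 + t.second


def implicit_password_changes(lines, window_seconds=5):
    """Return one dict per successful pam_krb5 authentication that was preceded
    (within window_seconds, an assumed window) by a kpasswdd password change
    for the same user. A real user-driven change would not sit inside the
    auth step of a UMC logon."""
    changes = {}  # user -> list of change times in seconds
    for line in lines:
        m = KPASSWD_RE.match(line)
        if m:
            changes.setdefault(m["user"], []).append(_seconds(m["ts"]))
    hits = []
    for line in lines:
        m = AUTH_OK_RE.match(line)
        if not m:
            continue
        t = _seconds(m["ts"])
        if any(0 <= t - c <= window_seconds for c in changes.get(m["user"], [])):
            hits.append({"user": m["user"], "service": m["service"], "ts": m["ts"]})
    return hits


def pam_krb5_options(stanza_lines):
    """Map PAM type ('auth', 'account', ...) to the option set of its pam_krb5.so
    line. The module name is located by value so bracketed control fields such
    as '[success=1 default=ignore]' do not shift the columns."""
    found = {}
    for line in stanza_lines:
        parts = line.split()
        if not parts or parts[0].startswith("#") or "pam_krb5.so" not in parts:
            continue
        found[parts[0]] = set(parts[parts.index("pam_krb5.so") + 1:])
    return found


def pwchange_settings(stanza_lines):
    """Summarise the two options comment 8 discusses."""
    opts = pam_krb5_options(stanza_lines)
    return {
        "auth_defer_pwchange": "defer_pwchange" in opts.get("auth", set()),
        "account_force_pwchange": "force_pwchange" in opts.get("account", set()),
    }


if __name__ == "__main__":
    print(implicit_password_changes(AUTH_LOG.splitlines()))
    print(pwchange_settings(PAM_STANZA.splitlines()))
```

On the comment 7 excerpt the correlation reports win20 against the univention-management-console service, and the stanza check confirms both defer_pwchange on the auth line and force_pwchange on the account line are present, which is the combination comment 8 wonders about.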
Comment 9 Felix Botner univentionstaff 2020-06-09 23:35:33 CEST
univention-s4-connector:
There seems to be an issue with the s4 connector too. 

create samba user with pwdLastSet=0
-> samba-tool user create --must-change-at-next-login \
   --use-username-as-cn sam3 Univention.99

Now a UMC logon with password change (password set to "univention"); the pwdLastSet=0 sync to UCS was successful.

But despite the password change to "univention", kinit still wants the old password:

kinit sam3 -> univention => fails
kinit sam3 -> Univention.90 => OK
Comment 10 Julia Bremer univentionstaff 2020-06-11 14:03:34 CEST
I created a new bug for this "password overwriting issue": Bug #51462.
This one only addresses the sync with S4/AD Connector.
Comment 11 Felix Botner univentionstaff 2020-06-11 14:52:37 CEST
univention-s4-connector
OK - YAML
OK - pwdLastSet sync manual tests
OK - Jenkins tests
OK - ucs-test

univention-ad-connector
OK - YAML
OK - sync of pwdChangeNextLogin
OK - Jenkins tests
OK - ucs-test

So apart from Bug #51462 everything is OK, but I will still not set this bug to verified, just in case.
Comment 12 Julia Bremer univentionstaff 2020-06-16 11:05:29 CEST
Since this bug is blocked by Bug #51462, which needs a restart of the univention-management-console-server, we decided to release it with 4.4-5. 
I changed the Target Milestone accordingly.
Comment 13 Julia Bremer univentionstaff 2020-06-18 13:49:53 CEST
I added dependencies for heimdal to univention-ad-connector and univention-s4-connector. 
We will restart the univention-management-console-server in the postinst. 
This way, we can release this feature during normal errata update without having to wait for the patch level release.
Comment 14 Felix Botner univentionstaff 2020-06-18 17:45:14 CEST
OK - univention-ad-connector 
OK - connector ucs-test
OK - manual tests
OK - dependencies
OK - yaml

OK - univention-s4-connector
OK - connector ucs-test
OK - manual tests
OK - dependencies
OK - yaml