Univention Bugzilla – Bug 51462
Expired password of users created in Samba or AD Domain is changed autonomously when logging in with UMC
Last modified: 2020-06-24 12:53:15 CEST
A user created in AD, for which pwdChangeNextLogin is set (pwdLastSet == 0), can log in via UMC with their expired password without triggering the "password expired" dialog. While logging in, the password is reset, so that it is not expired any more. The same doesn't happen with users created in UCS.

Setup: AD Connector in bidirectional sync mode

To reproduce:

Create a user in AD, via ADUaC or with:

  samba-tool user create --must-change-at-next-login --use-username-as-cn testuser Univention.99 --URL="ldap://"$(ucr get connector/ad/ldap/host)"" -UAdministrator%"$(cat $(ucr get connector/ad/ldap/bindpw))"

Set changePwdNextLogin via udm:

  udm users/user modify --dn=uid=testuser,cn=users,dc=jbm25,dc=intranet --set pwdChangeNextLogin=1

Log in via UMC: no password change is detected, the user can log in with their expired password. After logging in, the password of the user is not expired any more.

Before logging in (univention-ldapsearch uid=testuser):

  krb5KeyVersionNumber: 1
  userPassword:: e0s1S0VZfQ==
  shadowMax: 1
  shadowLastChange: 18408
  sambaPwdLastSet: 0
  krb5PasswordEnd: 20200528000000Z

After logging in:

  krb5KeyVersionNumber: 2
  userPassword:: e2NyeXB0fSQ2JFFhMkJPbDVkNHhjeElyaWIkVE9UQXd6cnAxd1FILnB5aEtLU2ZpRFA1WVByMkdvdnNXWHlmSXZldThIYVlZS2MxNFZvZ3R5dElmYTFadzJjb0N1UHNsRjMuREJZRHJ0dEdjQ0FjLi4=
  shadowLastChange: 18408
  sambaPwdLastSet: 1590710270

/var/log/univention/management-console-server.log:

  28.05.20 23:37:01.249 LDAP ( INFO ) : bind binddn=cn=m25,cn=dc,cn=computers,dc=jbm25,dc=intranet
  28.05.20 23:37:01.255 LDAP ( INFO ) : uldap.search filter=(&(uid=wtest9)(objectClass=person)) base= scope=sub attr=['uid'] unique=1 required=0 timeout=-1 sizelimit=0
  28.05.20 23:37:01.256 AUTH ( INFO ) : Canonicalized username: u'wtest9'
  28.05.20 23:37:01.273 AUTH ( INFO ) : PAM says: 'Password has expired'
  28.05.20 23:37:01.276 AUTH ( INFO ) : PAM says: 'Your password will expire at Thu May 28 02:00:00 2020\n'
  28.05.20 23:37:01.276 AUTH ( INFO ) : PAM says: 'Changing password'
  28.05.20 23:37:01.485 AUTH ( INFO ) : PAM says: 'Success: Password changed\n'
  28.05.20 23:37:01.496 AUTH ( INFO ) : Authentication for u'wtest9' was successful
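The before/after attribute dumps in the report are enough to script the check the reporter did by hand. The following Python is an added example, not part of this bug report and not UCS or ucs-test code. It embeds the two univention-ldapsearch excerpts quoted above as constructed input (only the attributes the report shows, which is why shadowMax and krb5PasswordEnd are missing from the "after" state), takes the login time from the management-console-server.log excerpt, and assumes the three expiry indicators it evaluates (sambaPwdLastSet == 0, shadowLastChange + shadowMax with pam_unix's comparison, krb5PasswordEnd in the past) are the ones that matter here. All function names are my own.

```python
import base64
from datetime import date, datetime, timezone

# Constructed sample input: the two univention-ldapsearch excerpts quoted in the
# bug report (only the attributes the report shows), before and after the UMC login.
LDAP_BEFORE_LOGIN = """\
krb5KeyVersionNumber: 1
userPassword:: e0s1S0VZfQ==
shadowMax: 1
shadowLastChange: 18408
sambaPwdLastSet: 0
krb5PasswordEnd: 20200528000000Z
"""

LDAP_AFTER_LOGIN = """\
krb5KeyVersionNumber: 2
userPassword:: e2NyeXB0fSQ2JFFhMkJPbDVkNHhjeElyaWIkVE9UQXd6cnAxd1FILnB5aEtLU2ZpRFA1WVByMkdvdnNXWHlmSXZldThIYVlZS2MxNFZvZ3R5dElmYTFadzJjb0N1UHNsRjMuREJZRHJ0dEdjQ0FjLi4=
shadowLastChange: 18408
sambaPwdLastSet: 1590710270
"""

# The UMC login from the log excerpt: 28.05.20 23:37:01 CEST, i.e. 21:37:01 UTC.
LOGIN_TIME = datetime(2020, 5, 28, 21, 37, 1, tzinfo=timezone.utc)

EPOCH = date(1970, 1, 1)


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse 'attr: value' and 'attr:: base64value' lines into {attr: [values]}."""
    attrs = {}
    for line in _unfold(text):
        if not line.strip() or line.startswith("#"):
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def first(attrs, name, default=None):
    """First value of a (possibly multi-valued) attribute, or default."""
    return attrs.get(name, [default])[0]


def hash_scheme(value):
    """'{crypt}$6$...' -> 'crypt', '{K5KEY}' -> 'K5KEY', None if absent or unlabelled."""
    if value and value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return None


def password_expired(attrs, now):
    """Reasons the password counts as expired at 'now'; an empty list means valid.
    Assumption: these three indicators are the ones the PAM stack acts on."""
    reasons = []
    if first(attrs, "sambaPwdLastSet") == "0":
        reasons.append("sambaPwdLastSet=0 (must change password at next logon)")
    last_change, max_age = first(attrs, "shadowLastChange"), first(attrs, "shadowMax")
    if last_change is not None and max_age is not None:
        today = (now.date() - EPOCH).days
        # same comparison as pam_unix's check_shadow_expiry: today - lastchange > max
        if today - int(last_change) > int(max_age):
            reasons.append("shadowLastChange+shadowMax=%d < today=%d (expired)"
                           % (int(last_change) + int(max_age), today))
    pw_end = first(attrs, "krb5PasswordEnd")
    if pw_end is not None:
        end = datetime.strptime(pw_end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if end <= now:
            reasons.append("krb5PasswordEnd=%s is in the past (expired)" % pw_end)
    return reasons


def detect_silent_password_reset(before, after):
    """Evidence that the login rewrote the credential instead of only checking it."""
    findings = []
    kvno_b = int(first(before, "krb5KeyVersionNumber", "0"))
    kvno_a = int(first(after, "krb5KeyVersionNumber", "0"))
    if kvno_a > kvno_b:
        findings.append("krb5KeyVersionNumber %d -> %d: Kerberos keys were regenerated"
                        % (kvno_b, kvno_a))
    set_b, set_a = first(before, "sambaPwdLastSet"), first(after, "sambaPwdLastSet")
    if set_b == "0" and set_a not in (None, "0"):
        findings.append("sambaPwdLastSet 0 -> %s: change-at-next-logon flag cleared" % set_a)
    scheme_b = hash_scheme(first(before, "userPassword"))
    scheme_a = hash_scheme(first(after, "userPassword"))
    if scheme_a != scheme_b:
        findings.append("userPassword scheme %s -> %s: a new password hash was written"
                        % (scheme_b, scheme_a))
    return findings


if __name__ == "__main__":
    before, after = parse_ldif(LDAP_BEFORE_LOGIN), parse_ldif(LDAP_AFTER_LOGIN)
    print("expired before login:", password_expired(before, LOGIN_TIME) or "no")
    print("expired after login: ", password_expired(after, LOGIN_TIME) or "no")
    for finding in detect_silent_password_reset(before, after):
        print("FINDING:", finding)
```

On a live system, replace the two embedded strings with univention-ldapsearch output captured for the test user before and after the UMC login. Any finding from detect_silent_password_reset means the login itself wrote a new credential (new Kerberos key version, cleared must-change flag, new userPassword hash) rather than only validating the old one, which is exactly what the report observes; with the report's own data the "before" state is expired for all three reasons and the "after" state for none.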
Almost the same happens with users created in Samba. Their password is also set to their old password after logging in via UMC. The symptoms are different though. The UMC correctly displays the "password is expired" message, but the password is reset directly after logging in. The password is not expired any more after the first log in. The user can log in again without changing the password. If the user changes the password, these changes are not set and the user can only log in with their old password.
Successful build
Package: heimdal
Version: 7.1.0+dfsg-13+deb9u3A~4.4.0.202006161052
Branch: ucs_4.4-0
Scope: errata4.4-4

Successful build
Package: ucs-test
Version: 9.0.3-230A~4.4.0.202006161127
Branch: ucs_4.4-0
Scope: errata4.4-4

d7a2a9c53c Bug #51462: Test is user is still expired after umc login

The issue was that pam_unix cannot work with users whose password was created in Samba or AD, since these don't have a userPassword attribute. The authentication fell back to pam-krb5 in this case, which is where the problem lay. When trying to authenticate the user, heimdal always prompted for a new password. The UMC server then replied to the prompt with the current password. This led to the password being overwritten with the old password.

Luckily, this issue has been fixed in upstream heimdal, by the maintainer of pam_krb5. The patch has not been released yet, but is merged to master. I rebuilt the heimdal package with this patch.

I adapted 52_s4connector/513test_password_change_next_logon and 55_adconnector/503test_password_change_next_logon to test if the user's password is still expired after logging in with the UMC.

For this change to work, the management-console-server has to be restarted. This package has been built in 4.4-4, but we will only release it with 4.4-5 because of this.
Package: univention-s4-connector
Version: 13.0.2-73A~4.4.0.202006181341
Branch: ucs_4.4-0
Scope: errata4.4-4

Package: univention-ad-connector
Version: 13.0.0-38A~4.4.0.202006181345
Branch: ucs_4.4-0
Scope: errata4.4-4
----------------------------
1abddc555e Bug #51462: yaml
3436689c16 Bug #51462: changelog
12106deab6 Bug #51462: Set dependency for heimdal-clients in S4 and AD, so that

I added a dependency for the new heimdal version in univention-ad-connector and univention-s4-connector, so that we can restart the univention-management-console-server in the postinst after the update. This way, we can release it at the next errata update and don't have to wait for the patch level release.
9d3cb9c979 Bug #51462: yaml
974bdbab8a Bug #51462: fixup
67ad5b6a2b Bug #51462: depends univention*-connector, not build-dep
51e3ffa864 Bug #51462: yaml
1b667ba674 Bug #51462: fixup postinst
1abddc555e Bug #51462: yaml
3436689c16 Bug #51462: changelog

Successful build
Package: univention-ad-connector
Version: 13.0.0-40A~4.4.0.202006181533
Branch: ucs_4.4-0
Scope: errata4.4-4

Successful build
Package: univention-s4-connector
Version: 13.0.2-75A~4.4.0.202006181528
Branch: ucs_4.4-0
Scope: errata4.4-4

Many errors and commits later, this should fix what the comment before said to do ...
OK - heimdal patch
OK - merged patch to UCS 5.-0
OK - yaml
(In reply to Felix Botner from comment #6)
> OK - merged patch to UCS 5.-0

I don't see where it is merged?
(In reply to Florian Best from comment #7)
> (In reply to Felix Botner from comment #6)
> > OK - merged patch to UCS 5.-0
> I don't see where it is merged?

r19069 svn/patches/heimdal/5.0-0-0-ucs/7.5.0+dfsg-3/0100-disable-prompt-when-using-pam.quilt
<http://errata.software-univention.de/ucs/4.4/635.html>
<http://errata.software-univention.de/ucs/4.4/636.html>
<http://errata.software-univention.de/ucs/4.4/637.html>