Bug 51585 - Sync "The user must change the password at next login" only works if the password is changed at the same time
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.4
Hardware: Other
OS: Mac OS X 10.1
Priority: P5
Severity: normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Julia Bremer
QA Contact: Felix Botner
URL:
Depends on:
Blocks:
Reported: 2020-06-26 15:43 CEST by Erik Damrose
Modified: 2020-07-01 18:15 CEST
CC: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Adapted ucs-test which reveals the problem (7.10 KB, text/plain)
2020-06-26 15:43 CEST, Erik Damrose

Description Erik Damrose univentionstaff 2020-06-26 15:43:15 CEST
Created attachment 10405
Adapted ucs-test which reveals the problem

+++ This bug was initially created as a clone of Bug #51298 +++

At bug #51298 the feature to sync the pwdLastSet attribute from/to AD was added. Unfortunately this only works when syncing TO AD.

When syncing FROM AD, the password has to be modified as well in AD, to sync the attribute.

In password.py the logic is as follows:

password_sync()
if nt_hash: # password has to be set
  if pwd_changed: # password has to differ between AD and UCS LDAP
    if pwdLastSet or pwdLastSet == 0:
      [sync pwdLastSet]

I have attached a modified test 503test_password_change_next_logon which currently fails when only the pwdLastSet attribute is set to 0 for an AD user.
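The decision flow outlined in the description, as an added Python model. This is illustrative code written for this page; it is not the AD Connector's password.py and not the fix that was later committed. The AD object is a constructed dict carrying a stand-in NT hash and pwdLastSet, the UCS side is a small dataclass, and the two sync functions differ only in whether the pwdLastSet evaluation sits inside the "password changed" branch (the flow as reported) or outside it. The scenarios mirror the failing test case (only pwdLastSet set to 0) and the case where the password is changed at the same time; the model follows the outline in the description and does not try to reproduce the separate observation on the customer system.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed stand-in for the UCS LDAP side of a synced user.
@dataclass
class UcsUser:
    nt_hash: Optional[str] = None
    pwd_change_next_login: bool = False
    log: List[str] = field(default_factory=list)


def _apply_pwd_last_set(ucs: UcsUser, pwd_last_set: Optional[int]) -> None:
    # AD semantics: pwdLastSet == 0 means "user must change password at next logon".
    # Mirrors the "if pwdLastSet or pwdLastSet == 0" check: act whenever the
    # attribute is present, including the value 0.
    if pwd_last_set is not None:
        ucs.pwd_change_next_login = (pwd_last_set == 0)
        ucs.log.append("pwdChangeNextLogin=%s" % ucs.pwd_change_next_login)


def sync_from_ad_before_fix(ad: dict, ucs: UcsUser) -> UcsUser:
    """Flow as described in the report: pwdLastSet is only looked at inside
    the branch that runs when the password hash differs between AD and UCS."""
    nt_hash = ad.get("nt_hash")            # constructed attribute name
    if nt_hash:                            # password has to be set
        pwd_changed = nt_hash != ucs.nt_hash
        if pwd_changed:                    # password has to differ
            ucs.nt_hash = nt_hash
            ucs.log.append("password updated")
            _apply_pwd_last_set(ucs, ad.get("pwdLastSet"))
    return ucs


def sync_from_ad_after_fix(ad: dict, ucs: UcsUser) -> UcsUser:
    """Same flow, but pwdLastSet is evaluated whether or not the hash changed."""
    nt_hash = ad.get("nt_hash")
    if nt_hash:
        if nt_hash != ucs.nt_hash:
            ucs.nt_hash = nt_hash
            ucs.log.append("password updated")
        _apply_pwd_last_set(ucs, ad.get("pwdLastSet"))   # independent of pwd_changed
    return ucs


SyncFn = Callable[[dict, UcsUser], UcsUser]


def scenario_flag_only(sync: SyncFn) -> bool:
    """Failing test case: the AD user keeps its password, only pwdLastSet is
    set to 0. Returns whether the flag reached UCS."""
    ucs = UcsUser(nt_hash="HASH-A")                     # already in sync with AD
    ad = {"nt_hash": "HASH-A", "pwdLastSet": 0}         # constructed AD object
    return sync(ad, ucs).pwd_change_next_login


def scenario_password_and_flag(sync: SyncFn) -> bool:
    """Password reset and 'change at next login' set in the same AD change."""
    ucs = UcsUser(nt_hash="HASH-A")
    ad = {"nt_hash": "HASH-B", "pwdLastSet": 0}
    return sync(ad, ucs).pwd_change_next_login


def scenario_flag_cleared(sync: SyncFn) -> bool:
    """User later changes the password: AD stores a non-zero pwdLastSet
    (FILETIME-style value, constructed) and the flag must be cleared."""
    ucs = UcsUser(nt_hash="HASH-A", pwd_change_next_login=True)
    ad = {"nt_hash": "HASH-C", "pwdLastSet": 132371712000000000}
    return sync(ad, ucs).pwd_change_next_login


if __name__ == "__main__":
    for name, fn in (("before fix", sync_from_ad_before_fix),
                     ("after fix", sync_from_ad_after_fix)):
        print(name,
              "flag only:", scenario_flag_only(fn),
              "password+flag:", scenario_password_and_flag(fn),
              "flag cleared:", scenario_flag_cleared(fn))
```

Running the module prints that the "flag only" case comes through as False before the fix and True after it, while the other two cases behave the same in both versions: the hash comparison was the only thing gating the pwdLastSet evaluation.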
Comment 1 Erik Damrose univentionstaff 2020-06-26 15:51:22 CEST
In a short test on a live customer system we saw that just changing the userpassword + setting pwdLastSet=0 did not sync the attribute either.
By briefly looking at the code I assumed that changing both at the same time should be enough, we should double-check that again.
Comment 2 Julia Bremer univentionstaff 2020-06-28 21:53:55 CEST
Successful build
Package: univention-ad-connector
Version: 13.0.0-48A~4.4.0.202006281054
Branch: ucs_4.4-0
Scope: errata4.4-4

Successful build
Package: ucs-test
Version: 9.0.3-2345A~4.4.0.202006271350
Branch: ucs_4.4-0
Scope: errata4.4-4

be1fff0dce Bug #51583: update yaml
4171797da4 Bug #51585: fixup
f4dae2ba96 Bug #51585: yaml
2cb831b0fe Bug #51585: Update pwdChangeNextLogin also when password was not changed

I adjusted the ucs-test to your suggestion and fixed the problem in the AD Connector.
Tests, including the updated test are green:
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-4/job/ADConnectorMultiEnv/Version=w2k12-german/34/

As a workaround, resetting the password and checking the box "change password at next login" should work and does work on my test machine.
Comment 3 Felix Botner univentionstaff 2020-06-30 15:13:08 CEST
OK - manual test
OK - ucs-test test
OK - jenkins
OK - yaml
Comment 4 Erik Damrose univentionstaff 2020-07-01 18:15:21 CEST
<http://errata.software-univention.de/ucs/4.4/643.html>