Univention Bugzilla – Bug 52061
The username and/or displayname password checks for password/quality/mspolicy are not performed when changing the password over UMC/Kerberos
Last modified: 2020-10-09 10:26:12 CEST
Bug #51994 introduced the password/quality/mspolicy UCR variable which will cause additional password checks to be performed (https://docs.microsoft.com/de-de/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements). One of these checks should be that the username and parts of the username are not present in the password. When changing the password over UMC though, the username sent to base/univention-python/modules/password.py:check() contains the domain (e.g. user1@MYDOMAIN.INTRANET), which causes the check to fail, and the displayname is not sent at all.
*** Bug 52052 has been marked as a duplicate of this bug. ***
First: This Bug is about non-Samba domains. A similar issue in Samba domains is tracked via Bug 52053.

Second: Actually it works, but I now understand why it didn't appear like that during QA for Bug 51994. It goes down like this:

* UMC uses PAM
* For the "password" stack /etc/pam.d/univention-management-console calls several modules, all of which perform their own quality checks:
  1. pam_cracklib in default config (see man pam_cracklib), denying e.g. palindromes
  2. pam_unix with option "obscure"
  3. pam_krb5
* pam_krb5 calls the KDC (heimdal-kdc in non-Samba domains)
* /etc/heimdal-kdc/kdc.conf defines "external-check" with /usr/share/univention-heimdal/check_cracklib.py and that script only gets the Kerberos User Principal Name (and the new password) and passes that to univention.password.Check().check(). So currently it cannot do the proper name check. It would need to look up the uid and displayName from LDAP first.
* So, assuming the password passed all checks above, the KDC initiates the password change. And we have patched that to call the Python function univention.lib.password.change(). That's where UDM is used to perform a normal password change, which again calls univention.password.Check().check(), but this time the name parts are checked, too.

During development and QA for Bug 51994 we both didn't restart the heimdal-kdc, so it was still running the old Python modules, which didn't run the new checks. So far so "good".

The additional ugly thing about this is that our KDC patch currently doesn't pass through the error messages, but performs a mapping of exception types to its own invented error messages. That's why UMC pam.py only gets "The passwort didn't pass quality check" (spot the spelling) instead of nice messages like "Password contains user account name." or "Password contains parts of the full user name."

So there are three Bug areas here, some of which already have been reported before:

1. heimdal-kdc didn't get restarted with the update for Bug 51994
2. It would be great to consolidate those additional layers of checks:
   * pam_cracklib (Bug 52057, Bug 26144)
   * pam_unix "obscure"
   * Heimdal "external-check" (Bug 24793)
3. Our Heimdal KDC patch doesn't pass through the nice error messages from univention.password.Check()
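The following is an added illustration of the two name-related rules of the Microsoft policy and of why a Kerberos principal has to be reduced to its uid before the check; it is not Univention's univention.password code, and the function names, the delimiter set and the sample inputs are this example's own.

```python
import re

# Delimiters the linked Microsoft policy uses to split the full name into
# tokens; tokens shorter than three characters are ignored by that policy.
_NAME_DELIMITERS = re.compile(r"[,\.\-_ #\t]+")


def strip_realm(principal):
    """Reduce a Kerberos UPN such as 'user1@MYDOMAIN.INTRANET' to 'user1'.

    Feeding the full principal into the name check is the defect reported
    here: 'user1@MYDOMAIN.INTRANET' is never a substring of a password, so
    the account-name rule passes silently.
    """
    return principal.split("@", 1)[0]


def name_check(password, username, displayname=None):
    """Return the list of violated name rules (empty list means it passed).

    - the password must not contain the account name (case-insensitive)
    - it must not contain any part of the full name that is at least three
      characters long, parts being split on the delimiters above
    displayname may be None, which is what the KDC external-check sees today.
    """
    problems = []
    pw = password.lower()
    uid = strip_realm(username).lower()
    if uid and uid in pw:
        problems.append("Password contains user account name.")
    for part in _NAME_DELIMITERS.split(displayname or ""):
        if len(part) >= 3 and part.lower() in pw:
            problems.append("Password contains parts of the full user name.")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: account 'user1', display name 'Jane Doe'.
    print(name_check("User1Secret!2020", "user1@MYDOMAIN.INTRANET", "Jane Doe"))
    print(name_check("xDoe-2020!!", "user1@MYDOMAIN.INTRANET", "Jane Doe"))
    print(name_check("Correct Horse Battery", "user1", "Jane Doe"))
```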
Created attachment 10511: 0001-password_sync.quilt. The attached modified 0001-password_sync.quilt patch for Heimdal shows how we could fix point 3: passing through the nice error messages from univention.lib.password.change (i.e. univention.password.Check) through the Heimdal KDC to UMC/pam.py, where they can be localized.
*** Bug 52058 has been marked as a duplicate of this bug. ***