Univention Bugzilla – Bug 52230
Initial password in AD can be reused despite password history
Last modified: 2022-09-08 11:43:53 CEST
A customer does not want the password to be used again. Therefore the password history has been activated. The password history does not work if the password is initially set on the Windows AD. The AD-connector sets a random password in the userPassword attribute during user creation. So there is nothing useful in the pwhistory attribute. In the second step the krb5 keys are synchronised and {K5KEY} is set to the userPassword. As far as I know we only check the crypt password. We should also check the krb5 keys.
Notes from the refinement:

1) In the direction AD -> UDM/OpenLDAP:

1.1) The ADC could sync the AD attribute ntPwdHistory to OpenLDAP sambaPasswordHistory. From the samba source code it looks like ntPwdHistory is just an array of NT hashes as they are in unicodePwd. But there's a strange comment in source3/passdb/pdb_samba_dsdb.c: "If the history is in the old format, with a salted hash, then we can't migrate it to AD format." OTOH the /usr/share/univention-ldap/schema/samba.schema says:

attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
    DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

So we should check the interpretation.

1.2) If we don't want or cannot sync ntPwdHistory, we could alternatively adjust the ADC such that: if a new password hash comes in from AD, it picks the old NT hash from OpenLDAP and prepends it to the sambaPasswordHistory in OpenLDAP. It would need to take into account the history length configured for UDM (for that user).

1.3) UDM would need to check sambaPasswordHistory too. Alternatively we could make the ADC write to the UCS specific "pwhistory" attribute. It has this format:

linesplit = line.split("$")  # $method_id$salt$password_hash

But it doesn't currently know the NT-hash as method.

2) In the direction UDM/OpenLDAP -> AD: services/univention-ad-connector/modules/univention/connector/ad/password.py uses a SAM RPC call SetUserInfo with UserInfo18 to set the password hash in AD (Bug 40745). We would need to test if that also updates ntPwdHistory in AD. I guess that this is updated properly.
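An added example, not Univention's code, of what a history check for the "$method_id$salt$password_hash" format from 1.3 looks like once unsalted NT hashes (MD4 over UTF-16LE, as in unicodePwd/ntPwdHistory) are allowed next to a salted method. The method ids "NT" and "SHA512", the history length handling and the sample entries are assumptions; MD4 is implemented in pure Python because OpenSSL builds commonly disable it.

```python
import hashlib, hmac, struct

M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids OpenSSL's disabled legacy md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, const in rounds:
            for j, k in enumerate(order):
                a = rotl((a + f(b, c, d) + X[k] + const) & M, shifts[j % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash as stored in AD's unicodePwd/ntPwdHistory: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le")).hex().upper()

def pwhistory_check(password: str, pwhistory: str) -> bool:
    """True if password matches any '$method_id$salt$password_hash' line.
    Method ids "NT" (unsalted) and "SHA512" (salt prepended) are assumed."""
    for line in filter(None, pwhistory.splitlines()):
        _, method, salt, digest = line.split("$", 3)
        if method == "NT":
            if hmac.compare_digest(nt_hash(password), digest.upper()):
                return True
        elif method == "SHA512":
            cand = hashlib.sha512((salt + password).encode()).hexdigest()
            if hmac.compare_digest(cand, digest):
                return True
    return False

def pwhistory_add(pwhistory: str, entry: str, length: int) -> str:
    """Prepend entry and trim to the per-user history length (newest first)."""
    return "\n".join(([entry] + list(filter(None, pwhistory.splitlines())))[:length])

# Constructed data: the initial AD password is known only as an NT hash, which is
# the case this bug is about; a later UDM-set password has a salted entry.
HISTORY = "$NT$$" + nt_hash("Winter2021!") + "\n$SHA512$s4lt$" + \
    hashlib.sha512(b"s4ltSpring2022!").hexdigest()
```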
Changes:
Sync from AD to UDM. The pwhistory attribute can contain NT hashes. Remove the update of SambaPasswordHistory in UDM. Removed function get_samba_password_history.
Sync between S4 and UDM.
Add test for the history synchronization.
Support for ntPwdHistory in s4search-decode.

Packages:
Package: univention-directory-manager-modules
Version: 15.0.13-5A~5.0.0.202208291032
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: univention-ad-connector
Version: 14.0.10-4A~5.0.0.202208291035
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: univention-s4-connector
Version: 14.0.10-5A~5.0.0.202208291038
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: univention-samba4
Version: 9.0.8-7A~5.0.0.202208291040
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: ucs-test
Version: 10.0.7-18A~5.0.0.202208291043
Branch: ucs_5.0-0
Scope: errata5.0-2

Commits:
5a486d82192c | Bug #52230: changelogs and advisories
b628a848f4f4 | Bug #52230: Add ntPwdHistory support in s4search-decode
0f2f5fc66160 | Bug #52230: Add password history sync tests for S4C
01c8d0f50f92 | Bug #52230: Add password history sync tests for ADC
26b3d785a50a | Bug #52230: Sync NT password history between S4C and UCS
5f758d24172e | Bug #52230: Support NT hashes in pwHistory
1804d45f5873 | Bug #52230: Sync NT password history from AD to UCS
REOPEN: Please have a look at the comments in https://git.knut.univention.de/univention/ucs/-/merge_requests/473/diffs
Update:
Fixed error in univention-password_sync_ucs_to_s4.
Tests simplified.
Fixed flake8 errors in tests.

Packages:
Package: univention-s4-connector
Version: 14.0.10-6A~5.0.0.202208301457
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: ucs-test
Version: 10.0.7-21A~5.0.0.202208311321
Branch: ucs_5.0-0
Scope: errata5.0-2

Commits:
ef94a5de07e5 | Bug #52230: initialize the udm user module in univention-password_sync_ucs_to_s4
cbdba4ceabbf | fixup! Bug #52230: Add password history sync tests for S4C
9cd167f30508 | fixup! Bug #52230: Add password history sync tests for ADC
e7d5431cc1 | Add more explanation to advisory + * UDM now can store NT hashes in the attribute `pwhistory`. Until now it + used the attribute `sambaPasswordHistory`, which only stores salted + hashes of hashes, which doesn't allow synchronization to Samba/AD. + UDM now doesn't care about the attribute `sambaPasswordHistory` any longer. Verified: * Code review * Functional test * Test with non-updated systems in the domain * Test case * Documentation update not required (checked help.univention.de too) * Advisory
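Review bot: The advisory text in the added lines leaves open what happens to the sambaPasswordHistory entries that already exist on updated systems; since the last line says UDM "doesn't care about the attribute `sambaPasswordHistory` any longer", it should state whether those earlier passwords are still rejected after the update or whether the history effectively restarts with `pwhistory`. As a style point, "UDM now can store" reads better as "UDM can now store".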
<https://errata.software-univention.de/#/?erratum=5.0x402>
<https://errata.software-univention.de/#/?erratum=5.0x405>
<https://errata.software-univention.de/#/?erratum=5.0x406>
<https://errata.software-univention.de/#/?erratum=5.0x407>