Bug 53012 - S4 Connector calculates wrong expire Date
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2021-03-30 12:07 CEST by Dirk Schnick
Modified: 2021-06-10 16:30 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021031121001019, 2021061021000338
Bug group (optional):
Max CVSS v3 score:


Attachments
Testing change of account expire date (1.51 MB, video/x-matroska), 2021-03-30 12:07 CEST, Dirk Schnick
user in ldap (3.19 KB, text/x-ldif), 2021-03-30 13:50 CEST, Dirk Schnick
user in samba (1.28 KB, text/x-ldif), 2021-03-30 13:51 CEST, Dirk Schnick

Description Dirk Schnick univentionstaff 2021-03-30 12:07:55 CEST
Created attachment 10670 [details]
Testing change of account expire date

If you change the expiry date of a user, a wrong timestamp reaches Samba.
To reproduce, simply change the expiry date of a user and verify the timestamp in Samba with the Active Directory Users and Computers tool in Windows, or check the timestamp in S4 with univention-s4search cn=testuser,cn=users,$(ucr get ldap/base) accountExpires and calculate the timestamp however you want; the date will differ from the LDAP attribute krb5ValidEnd.
Find my test in the attached video.
Comment 1 Florian Best univentionstaff 2021-03-30 12:12:01 CEST
Can you attach the timezones of your UCS and AD server?
Can you attach an LDIF of both objects (AD, UCS)?
Comment 2 Julia Bremer univentionstaff 2021-03-30 12:16:28 CEST
AFAIR Samba/AD interprets the userexpiry as "will expire after $expirydate",
in UCS it is interpreted as "will expire at $expirydate".

That's why we add/subtract a day to the expirydate in the s4connector.
Did you test that the user actually expired at different times in Samba vs UCS?
Comment 3 Dirk Schnick univentionstaff 2021-03-30 13:50:43 CEST
Created attachment 10671 [details]
user in ldap
Comment 4 Dirk Schnick univentionstaff 2021-03-30 13:51:00 CEST
Created attachment 10672 [details]
user in samba
Comment 5 Dirk Schnick univentionstaff 2021-03-30 13:51:11 CEST
(In reply to Florian Best from comment #1)
> Can you attach the timezones of your UCS and AD server?
There is no AD; I use a joined Windows client for Active Directory Users and Computers. It has the same timezone as my UCS system (Berlin, UTC+1).
Also, we are not talking about 3 or 4 hours, we are talking about a complete day.

> Can you attach an LDIF of both objects (AD, UCS).
There is no AD, or do you mean Samba? I attached LDIFs of my test user from LDAP and S4.


(In reply to Julia Bremer from comment #2)
> AFAIR Samba/AD interprets the userexpiry as "will expire after $expirydate",
> in UCS it is interpreted as "will expire at $expirydate".
> 
> That's why we add/subtract a day to the expirydate in the s4connector.
> Did you test that the user actually expired at different times in Samba vs
> UCS?
The customer reported that it happened that end users' Windows accounts had expired before the expiry date configured in UCS was reached.
I did not test that, but I can/will do so. I set the UCS expiry to 7.4.2021, so I should be able to use the account on 6.4.2021. The timestamp in Samba is set to 132621408000000000, which means it will expire on 6.4.2021 0:00. Looking at those timestamps, I expect the result the customer reported.

I cannot set it earlier; holiday... sorry.

Also, I tried to solve the problem by removing the -86400 in unix2s4_time of
/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py, but the result confused me even more.
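As an added example (not code from this bug report or from the S4 connector), the following Python converts Samba's accountExpires FILETIME value and the LDAP krb5ValidEnd value into comparable UTC datetimes and reports by how many days the Samba side expires early. It assumes krb5ValidEnd is stored as an LDAP GeneralizedTime (the value 20210407000000Z is constructed to match the dates in comment 5), and the function unix2s4_time_minus_day is an assumed reconstruction of the 86400-second subtraction described above, not the connector's actual code.

```python
from datetime import datetime, timezone

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch
# (1970-01-01), expressed in 100-nanosecond FILETIME ticks.
EPOCH_DIFF_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Samba/AD accountExpires FILETIME value to a UTC datetime."""
    seconds = (ft - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def generalized_time_to_datetime(gt: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as krb5ValidEnd (e.g. 20210407000000Z)."""
    return datetime.strptime(gt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def unix2s4_time_minus_day(when: datetime) -> int:
    """Assumed reconstruction of the conversion the thread describes: subtract
    86400 seconds, then express the result as FILETIME ticks. This mirrors what
    comment 5 says about unix2s4_time; it is not the connector's code."""
    unix_seconds = int(when.timestamp()) - 86400
    return unix_seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS


def expiry_mismatch_days(krb5_valid_end: str, account_expires: int) -> int:
    """Whole days by which Samba's accountExpires lies before krb5ValidEnd.
    0 means both directories agree; 1 is the drift reported in this bug."""
    ldap_end = generalized_time_to_datetime(krb5_valid_end)
    samba_end = filetime_to_datetime(account_expires)
    return (ldap_end - samba_end).days


# Constructed sample values, consistent with the numbers quoted in comment 5.
SAMPLE_KRB5_VALID_END = "20210407000000Z"
SAMPLE_ACCOUNT_EXPIRES = 132621408000000000

if __name__ == "__main__":
    samba_end = filetime_to_datetime(SAMPLE_ACCOUNT_EXPIRES)
    print("accountExpires in Samba ->", samba_end.isoformat())
    print("days Samba expires early:",
          expiry_mismatch_days(SAMPLE_KRB5_VALID_END, SAMPLE_ACCOUNT_EXPIRES))
```

Running it against a real pair of values from univention-ldapsearch and univention-s4search gives a quick check of whether an account will be refused by Kerberos a day before UCS refuses it.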
Comment 6 Dirk Schnick univentionstaff 2021-04-20 12:35:32 CEST
(In reply to Julia Bremer from comment #2)
> Did you test that the user actually expired at different times in Samba vs
> UCS?

Did the test again now; and yes, I can log in to UMC or use a simple LDAP bind:

reiherwald.intranet /  1,54 / 12:28:04 / ✓
root@dc0:~ # ldapsearch -LLL -x -D "uid=ablauf,cn=users,dc=reiherwald,dc=intranet" -W uid=ablauf dn
Enter LDAP Password: 
dn: uid=ablauf,cn=users,dc=reiherwald,dc=intranet

but no longer via the Windows client or via kinit:

reiherwald.intranet /  1,54 / 12:28:44 / ✓
root@dc0:~ # kinit ablauf
ablauf@REIHERWALD.INTRANET's Password: 
kinit: krb5_get_init_creds: Clients credentials have been revoked
Comment 7 Dirk Schnick univentionstaff 2021-06-10 12:40:11 CEST
Another customer complained about that.