Bug 34478

Summary: Password complexity check triggers error in s4connector and prevents user sync
Product: UCS
Reporter: Kevin Dominik Korte <korte>
Component: S4 Connector
Assignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: critical
Priority: P1
CC: gohmann, jmm, requate
Version: UCS 3.2
Target Milestone: UCS 3.2-1-errata
Hardware: Other
OS: Linux
Attachments: Connector Logs
Samba Logs
bug34478_password_complexity.patch

Description Kevin Dominik Korte univentionstaff 2014-04-04 22:06:44 CEST
If you use a UCS system with English locales and activate the dictionary check, the s4 connector will not replicate users created with the AD-Tools. The issue is that one of the password checks tries to replace Wörterbuch with W?rterbuch, with the ö in Wörterbuch creating an error. The Connector will then write the error in the log with the message that the pwQuality isn't fulfilled.

After disabling the dictionary check, the issue resolves and the users are replicated.

To replicate it:
Install master with Samba 4
Set the password complexity check and dictionary check
Join English Windows 7
Install AD-User and Computer tools
Create user in AD-Tools (using a compliant password)


I didn't try to replicate the bug with a German-language system.
Comment 1 Stefan Gohmann univentionstaff 2014-04-05 07:32:46 CEST
Can you append the connector and samba log files?
Comment 2 Kevin Dominik Korte univentionstaff 2014-04-05 18:19:34 CEST
Created attachment 5852
Connector Logs
Comment 3 Kevin Dominik Korte univentionstaff 2014-04-05 18:19:55 CEST
Created attachment 5853
Samba Logs
Comment 4 Kevin Dominik Korte univentionstaff 2014-04-05 18:22:53 CEST
Logs are attached.

The respective user is "testera", the password Uiaeo123snrt.

Internally the systems are available at kkorte_samba4-test-*
Comment 5 Stefan Gohmann univentionstaff 2014-04-06 10:15:59 CEST
Created attachment 5854
bug34478_password_complexity.patch

Thanks for the logs. Does the attached patch fix the problem for you?

 patch -d /usr/share/pyshared/ -p 1 <bug34478_password_complexity.patch
 service univention-s4-connector restart
Comment 6 Kevin Dominik Korte univentionstaff 2014-04-06 19:32:02 CEST
Thanks for the fast patch. After applying the steps outlined, both rejected and new users are synchronized between S4 and OpenLDAP. Login works on both. Password change from Windows, kpasswd and UMC works as well.
Comment 7 Arvid Requate univentionstaff 2014-04-10 12:53:59 CEST
We just observed this again in a customer samba3->samba4 migration test.

Maybe we should think about adding and using a univention-lib function to generate a password according to the password policy for a given DN.
For another proposal see also Bug 34067.
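
Comment 7 proposes a helper that generates a password satisfying the password policy for a given DN. A sketch of that idea follows as an added example; it is not UCS code and not the attached patch. The policy dictionary, character set, word list and function names are all assumptions made for illustration.

```python
import secrets
import string

# Hypothetical policy shape (assumption); a real policy would be looked up per DN.
POLICY = {"min_length": 12, "min_lower": 1, "min_upper": 1,
          "min_digits": 1, "min_other": 1}
OTHER = "!#$%&*+-=?@_"
# Constructed stand-in for a cracklib-style dictionary.
DICTIONARY = {"password", "secret", "welcome", "univention"}


def check_password(pw, policy=POLICY, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    counts = {
        "min_lower": sum(c in string.ascii_lowercase for c in pw),
        "min_upper": sum(c in string.ascii_uppercase for c in pw),
        "min_digits": sum(c in string.digits for c in pw),
        "min_other": sum(c in OTHER for c in pw),
    }
    problems += [key for key, have in counts.items() if have < policy[key]]
    lowered = pw.lower()
    if any(word in lowered for word in dictionary):
        problems.append("dictionary word")
    return problems


def generate_password(policy=POLICY, dictionary=DICTIONARY, max_tries=100):
    """Build a random password that passes check_password for this policy."""
    classes = [(string.ascii_lowercase, policy["min_lower"]),
               (string.ascii_uppercase, policy["min_upper"]),
               (string.digits, policy["min_digits"]),
               (OTHER, policy["min_other"])]
    alphabet = "".join(chars for chars, _ in classes)
    rng = secrets.SystemRandom()  # CSPRNG-backed shuffle
    for _ in range(max_tries):
        # Required characters per class first, then pad to the minimum length.
        chars = [secrets.choice(cs) for cs, n in classes for _ in range(n)]
        pad = policy["min_length"] - len(chars)
        chars += [secrets.choice(alphabet) for _ in range(pad)]
        rng.shuffle(chars)  # do not leave the required classes at fixed positions
        candidate = "".join(chars)
        # Re-check with the same validator that will judge the password later.
        if not check_password(candidate, policy, dictionary):
            return candidate
    raise RuntimeError("no policy-compliant password found")
```

Validating the candidate with the same checker that later enforces the policy keeps generator and check from drifting apart when the policy changes.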
Comment 8 Stefan Gohmann univentionstaff 2014-04-22 08:23:06 CEST
The patch has been applied:
 Code: r49469
 YAML: r49471

I've also added a test case (r49470): 030_sync_with_activated_pwqualitycheck

(In reply to Arvid Requate from comment #7)
> We just observed this again in a customer samba3->samba4 migration test.
> 
> Maybe we should think about adding and using a univention-lib function to
> generate a password according to the password policy for a given DN.
> For another proposal see also Bug 34067.

Yes, that might be something for a later fix.
Comment 9 Arvid Requate univentionstaff 2014-05-06 16:40:29 CEST
Verified:
* The password complexity is improved significantly.
* The test case works
* YAML advisory ok.
Comment 10 Moritz Muehlenhoff univentionstaff 2014-05-07 15:25:58 CEST
http://errata.univention.de/ucs/3.2/107.html