Bug 36317

Summary: S4 connector removes shadowMax and shadowLastChange on password change via samba/kerberos
Product: UCS
Reporter: Felix Botner <botner>
Component: S4 Connector
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Stefan Gohmann <gohmann>
Severity: normal
Priority: P5
CC: birkefeld, gohmann, grandjean, jmm, requate
Version: UCS 3.2
Target Milestone: UCS 4.0-1-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=39400
Bug Blocks: 36215, 38494, 45760, 47595

Description Felix Botner univentionstaff 2014-10-27 17:47:20 CET
The connector removes shadowMax and shadowLastChange if the password is set via samba. 

The connector should properly set these attributes:

 -> shadowLastChange (days since 1970-01-01 00:00:00 UTC)
 -> shadowMax: keep if existing
Comment 1 Arvid Requate univentionstaff 2014-10-28 17:50:52 CET
Due to this bug, login to UMC fails after a UMC password change of an expired password. univention-management-server.log shows:

31.10.14 19:19:16.371  AUTH        ( ERROR   ) : PAM: acct_mgmt error: ('Authentifizierungstoken ist nicht mehr gültig; neues erforderlich', 12)

Login works again after raising shadowLastChange (or removing pam_unix from the acct section of the pam stack).
Comment 2 Arvid Requate univentionstaff 2014-10-28 18:16:20 CET
Ignore comment 1, I had temporarily stopped the S4 connector on my testing system.
Comment 3 Tobias Birkefeld univentionstaff 2015-01-19 15:15:57 CET
Bug also seen in customer environment. Ticket#2014110621000331
Comment 4 Felix Botner univentionstaff 2015-03-03 13:39:41 CET
YAML: 2015-03-03-univention-s4-connector.yaml

The connector now always sets shadowLastChange to "days since epoch" and shadowMax to None or the value of the univentionPWExpiryInterval policy for this object.

test: 52_s4connector/401check_posix_pwd_expiry_after_ad_pwdchange

QA:

 * Without policy: shadowLastChange=now, no shadowMax after password change via S4

 * With policy: shadowLastChange=now, shadowMax=X after password change via S4

 * Without policy but with pwdChangeNextLogin=1: shadowLastChange=now, no shadowMax after password change via S4

 * ...
Comment 5 Stefan Gohmann univentionstaff 2015-03-05 15:11:03 CET
As discussed, please also set krb5PasswordEnd.
Comment 6 Felix Botner univentionstaff 2015-03-05 18:03:41 CET
OK, the connector now sets krb5PasswordEnd if univentionPWExpiryInterval exists, otherwise krb5PasswordEnd is deleted.
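The attribute handling described in comments 4 and 6 (shadowLastChange as days since the epoch, shadowMax and krb5PasswordEnd only when a univentionPWExpiryInterval policy applies, deleted otherwise), as an added example that is not the S4 connector's own code. It assumes the password-change time arrives as a POSIX timestamp, that the policy interval is expressed in days, and that krb5PasswordEnd is written as LDAP GeneralizedTime ("YYYYMMDDHHMMSSZ"); the LDAP entry is modelled as a plain dict, and the QA-style check at the end mirrors the expectations listed in comment 4.

```python
"""Compute posix/kerberos password-expiry attributes after a password change.

Added example (not the connector's code). Assumptions not stated in the bug:
  - changed_at_ts is a POSIX timestamp (seconds since the epoch, UTC)
  - univentionPWExpiryInterval is a number of days, or None without a policy
  - krb5PasswordEnd is LDAP GeneralizedTime, e.g. "20150601120000Z"
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SECONDS_PER_DAY = 86400


def expiry_attributes(changed_at_ts: int,
                      expiry_interval_days: Optional[int]) -> Dict[str, Optional[str]]:
    """Return shadowLastChange, shadowMax and krb5PasswordEnd as they should be
    written after a password change via Samba/Kerberos.

    A value of None means "delete the attribute". The original bug was that
    shadowLastChange and shadowMax were always deleted.
    """
    changed_utc = datetime.fromtimestamp(changed_at_ts, tz=timezone.utc)

    # shadowLastChange counts whole days since 1970-01-01 00:00:00 UTC.
    days_since_epoch = changed_at_ts // SECONDS_PER_DAY

    attrs: Dict[str, Optional[str]] = {
        "shadowLastChange": str(days_since_epoch),
        "shadowMax": None,          # deleted unless a policy exists
        "krb5PasswordEnd": None,    # deleted unless a policy exists (comment 6)
    }
    if expiry_interval_days is not None:
        attrs["shadowMax"] = str(expiry_interval_days)
        end = changed_utc + timedelta(days=expiry_interval_days)
        attrs["krb5PasswordEnd"] = end.strftime("%Y%m%d%H%M%SZ")
    return attrs


def apply_to_ldap_entry(entry: Dict[str, str],
                        new_attrs: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Merge computed attributes into a dict modelling the LDAP entry.

    None removes the attribute; unrelated attributes are left untouched.
    """
    updated = dict(entry)
    for name, value in new_attrs.items():
        if value is None:
            updated.pop(name, None)
        else:
            updated[name] = value
    return updated


def password_must_change(entry: Dict[str, str], now_ts: int) -> bool:
    """shadow(5) semantics: the password has run past its maximum age when
    today > shadowLastChange + shadowMax. Without shadowMax there is no aging."""
    if "shadowMax" not in entry or "shadowLastChange" not in entry:
        return False
    today = now_ts // SECONDS_PER_DAY
    return today > int(entry["shadowLastChange"]) + int(entry["shadowMax"])


def check_after_change(entry: Dict[str, str], changed_at_ts: int,
                       expiry_interval_days: Optional[int]) -> bool:
    """QA check from comment 4: shadowLastChange must equal "now" in days and
    shadowMax must be present exactly when a policy applies."""
    expected_days = str(changed_at_ts // SECONDS_PER_DAY)
    if entry.get("shadowLastChange") != expected_days:
        return False
    if expiry_interval_days is None:
        return "shadowMax" not in entry and "krb5PasswordEnd" not in entry
    return entry.get("shadowMax") == str(expiry_interval_days)


if __name__ == "__main__":
    # Constructed sample: password changed 2015-03-03 12:00:00 UTC.
    changed = 1425384000
    old_entry = {"uid": "alice", "shadowLastChange": "16000", "shadowMax": "60"}
    for policy in (None, 90):
        new_entry = apply_to_ldap_entry(old_entry, expiry_attributes(changed, policy))
        print(policy, new_entry, check_after_change(new_entry, changed, policy))
```

The two-step split (compute, then merge with None meaning delete) keeps the "policy exists / policy absent" decision in one place, which is exactly where the original behaviour went wrong.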
Comment 7 Stefan Gohmann univentionstaff 2015-03-10 14:20:07 CET
YAML: OK (minor changes: r58827)

ucs-test: OK

Tests: OK

Code review: OK
Comment 8 Moritz Muehlenhoff univentionstaff 2015-03-11 15:09:09 CET
http://errata.univention.de/ucs/4.0/97.html