Bug 38826

Summary: Password change is case sensitive
Product: UCS Reporter: Stefan Gohmann <gohmann>
Component: UMC (Generic)Assignee: Florian Best <best>
Status: CLOSED FIXED QA Contact: Stefan Gohmann <gohmann>
Severity: normal    
Priority: P5 CC: best, meybohm, requate, walkenhorst
Version: UCS 4.0   
Target Milestone: UCS 4.0-2-errata   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=45728
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:

Description Stefan Gohmann univentionstaff 2015-07-03 07:54:59 CEST 
I've added a user Test.Eins and it seems the password change is case sensitive and kinit is case insensitive:

root@master931:~# kinit Test.Eins
Test.Eins@DEADLOCK93.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master931:~# kinit test.eins
test.eins@DEADLOCK93.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master931:~# kpasswd test.eins
test.eins@DEADLOCK93.INTRANET's Password:
Your password will expire at Tue Jun 30 02:00:00 2015

New password for test.eins@DEADLOCK93.INTRANET:
Verify password - New password for test.eins@DEADLOCK93.INTRANET:
kpasswd: krb5_set_password_using_ccache: Matching credential (kadmin/changepw@DEADLOCK93.INTRANET) not found
root@master931:~# kpasswd Test.Eins
Test.Eins@DEADLOCK93.INTRANET's Password:
Your password will expire at Tue Jun 30 02:00:00 2015

New password for Test.Eins@DEADLOCK93.INTRANET:
Verify password - New password for Test.Eins@DEADLOCK93.INTRANET:
Success : Password changed
root@master931:~#

Ticket #2015062221000256
Comment 1 Arvid Requate univentionstaff 2015-07-07 15:08:51 CEST 
Quoting https://ssimo.org/blog/id_016.html:

"Principal names are considered case sensitive by the reference implementation (MIT Kerberos) but some implementation treat them in a case-insensitive way (Active Directory for example). It is safer to always treat principal names in a case sensitive way. (Active Directory will generally always provide the canonicalized form in tickets although it may accept mismatching cases when requesting tickets)."

So we should maybe not adjust Heimdal (or MIT) Kerberos but rather canonicalize the name by other means before doing kpasswd (e.g. via the pam stack).
Comment 2 Florian Best univentionstaff 2015-07-15 11:43:11 CEST 
A ldap search for the uid attribute of the user is done now. The found value is used as username to change the password.

univention-management-console (7.1.63-22):
r62116 | Bug #38826: make password change case insensitive
Comment 3 Stefan Gohmann univentionstaff 2015-07-16 08:22:29 CEST 
Code review: OK: r62116 + r62122

Tests: OK

YAML: OK (small adjustments r62141)

Merge to UCS 4.1: OK
Comment 4 Janek Walkenhorst univentionstaff 2015-07-16 14:23:54 CEST 
<http://errata.univention.de/ucs/4.0/245.html>