Bug 45282

Summary: S4-Connector still reads&writes deprecated sambaPwdMustChange
Product: UCS
Reporter: Arvid Requate <requate>
Component: Samba4
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: botner, gohmann, heidelberger, michelsmidt, scheinig
Version: UCS 2.4
Flags: requate: Patch_Available+
Target Milestone: UCS 4.3-2-errata
Hardware: Other
OS: Linux
URL: https://git.knut.univention.de/univention/ucs/tree/arequate/bug45282
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017082921000291
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 20917
Bug Blocks:
Attachments: remove_sambaPwdMustChange.patch

Description Arvid Requate univentionstaff 2017-08-29 13:01:53 CEST
The S4-Connector still sets sambaPwdMustChange if pwdLastSet has been changed to 0 in Samba/AD. Since this attribute is deprecated by Samba (see Bug 17890) we should remove the code from the S4-Connector.
Comment 1 Arvid Requate univentionstaff 2017-08-29 13:02:58 CEST
Created attachment 9152
remove_sambaPwdMustChange.patch

Something like this (untested)
Comment 2 Felix Botner univentionstaff 2017-08-29 15:01:34 CEST
This is bad because sambaPwdMustChange=0 in UCS lets the connector set pwdLastSet=0 in s4 (password expired) during every "password_sync_ucs_to_s4" (password change in UCS) until the password is changed in s4.

Steps to reproduce:

 * stop connector
 * change s4 password 
 * change pwdLastSet to 0 for s4 test user (ldbedit)

after restarting the connector password_sync_s4_to_ucs() sets sambaPwdMustChange=0 in UCS
Comment 3 Christina Scheinig univentionstaff 2018-08-28 12:19:37 CEST
The customer asked one year later if something happened here.
I think it is time for the 'waiting for support' flag.

By now the customer is on Version:
UCS: 4.3-1 errata202
Comment 4 Arvid Requate univentionstaff 2018-08-29 14:11:04 CEST
The URL field refers to a gitlab branch with an updated patch based on UCS 4.3-1.
Comment 7 Arvid Requate univentionstaff 2018-09-05 00:46:10 CEST
Fixed along with Bug #47595:

1ada17b9b3 | password_sync_s4_to_ucs: Don't set sambaPwdMustChange
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
83a2f0a248 | Bug #45282 & Bug #47595: Advisory
Comment 8 Felix Botner univentionstaff 2018-09-12 14:17:15 CEST
The attribute is still used (removed in password_sync_s4_to_ucs). I would prefer to completely remove the sambaPwdMustChange code in password_sync_s4_to_ucs and password_sync_ucs_to_s4.
Comment 9 Stefan Gohmann univentionstaff 2018-09-13 11:21:45 CEST
(In reply to Felix Botner from comment #8)
> The attribute is still used (removed in password_sync_s4_to_ucs). I would
> prefer to completely remove the sambaPwdMustChange code in 
> password_sync_s4_to_ucs and password_sync_ucs_to_s4.

That is OK, so it is removed over time. If it should be removed directly, one can use:
 /usr/share/univention-directory-manager-tools/remove_sambapwdmustchange
Comment 10 Felix Botner univentionstaff 2018-09-13 11:51:23 CEST
OK
Comment 11 Philipp Hahn univentionstaff 2018-09-19 11:23:41 CEST
<http://errata.software-univention.de/ucs/4.3/237.html>
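
An added example, not part of the bug report or of Univention's code: a small audit that reads an LDIF export of user objects and lists the entries that still carry the deprecated sambaPwdMustChange attribute, marking the value 0 that comment 2 describes as making the connector set pwdLastSet=0. The sample LDIF, the DNs and the function names are constructed for illustration; the input is assumed to be a plain LDIF export of the UCS user objects.

```python
import base64

# Constructed sample LDIF (not taken from the bug report).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=test
objectClass: sambaSamAccount
uid: alice
sambaPwdMustChange: 0

dn: uid=bob,cn=users,dc=example,dc=test
uid: bob

dn: uid=carol,cn=users,dc=example,
 dc=test
uid: carol
sambaPwdMustChange:: MTUzNTUzNjAwMA==
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}); unfolds wrapped lines, decodes '::' base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)

def audit_pwd_must_change(text):
    """Return [(dn, value, is_zero)] for entries that still have sambaPwdMustChange.
    is_zero marks the value comment 2 reports as expiring the S4 password on each sync."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for value in attrs.get("sambapwdmustchange", []):
            findings.append((dn, value, value == "0"))
    return findings
```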