Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Password reset is not correctly synced from s4toucs if the same password is used again | | |
| Product: | UCS | Reporter: | Nico Stöckigt <stoeckigt> |
| Component: | S4 Connector | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, gohmann, grandjean, markus.daehlmann, requate, samba-maintainers, scheinig |
| Version: | UCS 4.3 | | |
| Target Milestone: | UCS 4.3-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | http://forge.univention.org/bugzilla/show_bug.cgi?id=47370 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.143 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2018071821000328 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 47508 | | |
| Attachments: | listener.log, directory-logger.log, connector-s4.log, connector-s4-fnc.log, Bug47391_untested_proposal.patch, password.py.patch | | |
Description
Nico Stöckigt
2018-07-24 12:17:22 CEST
(In reply to Nico Stöckigt from comment #0)
> When resetting a student's password one is forced to set a new one on next
> Win login. This all works like it should but for some reason the password
> reset is not synced back to LDAP.

Do you set the same or a different password? Can you append the S4 connector logs (debug level 4)?

I missed to mention that the policy allows to re-use the old password, so this behavior only occurs when the same password is re-entered. See also bug#47370.

(In reply to Nico Stöckigt from comment #2)
> I missed to mention that the policy allows to re-use the old password so
> this behavior only occurs when the same password is re-entered.

It is the default S4 connector behavior. I'm not sure if it can be changed since it is needed to prevent sync cycles. Is the UCS@school password reset module used? In this case, the UMC module could set a random password.

Created attachment 9604 [details]
listener.log
Created attachment 9605 [details]
directory-logger.log
Created attachment 9606 [details]
connector-s4.log
Created attachment 9607 [details]
connector-s4-fnc.log
connector-s4.log says at debug level 3:

```
=========================================================================
24.07.2018 12:46:07,722 LDAP (INFO ): The following attributes have been changed: ['pwdLastSet', 'whenChanged', 'uSNChanged']
[...]
24.07.2018 12:46:07,763 LDAP (INFO ): password_sync_s4_to_ucs: No password change to sync to UCS
=========================================================================
```

In that case nothing is synchronized. Attaching a patch proposal.

Created attachment 9608 [details]
Bug47391_untested_proposal.patch

(In reply to Stefan Gohmann from comment #3)
> Is the UCS@school password reset module used? In this case, the UMC module
> could set a random password.

That doesn't work since the old password must be used for the password change. I'll move it to the S4 connector.

The customer asked for an urgent fix. He needs this working until the school begins next week.

Ok, I've created a branch arequate/bug47391 and committed:

```
72590b05a2 | Prepration: use object time instead of system time
c537b235f8 | sync_to_ucs: sync pwdLastChange even if hash didn't change
01ec487dac | Refactor: move code block up for next commit
32c9cadca4 | Simplify the code a bit
```

The result is a cleaner patch series than what I attached to Comment 9. I've tested the code manually by switching pwdLastSet to 0 and back to -1 via:

```
ldbedit -H /var/lib/samba/private/sam.ldb cn=user1 pwdLastSet
```

Please reopen after code review, then I'll adjust or merge to master branch.

I've decided to merge the branch to see the Jenkins test results tomorrow.

```
6fab78c7ba | Merge branch 'arequate/bug47391' into 4.3-1
6826812b10 | debian/changelog
dd4b7bb2fe | Advisory
```

After that I've run "Publish UCS 4.3 errata test scopes to testing".

```
udm ... --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowMax: 1
shadowLastChange: 17748
sambaPwdLastSet: 0
krb5PasswordEnd: 20180807000000Z

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781490681974960

(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]
(INFO ): password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): 0
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '17748', '0'), ('shadowMax', '1', None), ('krb5PasswordEnd', '20180807000000Z', None), ('sambaPwdMustChange', '', '0')]
(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]

UCS:
dn: uid=test1,dc=four,dc=three
sambaPwdLastSet: 0
shadowLastChange: 0
sambaPwdMustChange: 0

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 0
```

I guess the shadowMax/krb5PasswordEnd to None is wrong.

We have another bug in UDM which caused me some trouble during the test with a stopped connector:

```
-> udm ... --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowMax: 1
shadowLastChange: 17748
sambaPwdLastSet: 0
krb5PasswordEnd: 20180807000000Z

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781521134271370
```

and again

```
-> udm ... --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

UCS:
dn: uid=test1,dc=four,dc=three
shadowLastChange: 17748
sambaPwdLastSet: 1533678716

Samba:
# record 1
dn: CN=test1,DC=four,DC=three
pwdLastSet: 131781521134271370
```

Created attachment 9623 [details]
password.py.patch
patch for password.py regarding shadowMax and krb5PasswordEnd
I've split off Comment 14 as Bug #47508. We both tested it and there are no real life consequences currently as UDM users/user checks shadowLastChange == 0 in addition to shadowMax.

OK - jenkins

OK - samba-tool user setpassword test1 same password

```
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '16750', '17750'), ('sambaPwdLastSet', '1533681306', '1533681353')]
(INFO ): password_sync_ucs_to_s4: modlist: []
```

OK - via windows with pwdChangeNextLogin=1

```
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '16750', '0'), ('sambaPwdLastSet', '1533681353', '0'), ('sambaPwdMustChange', '', '0')]
(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]
```

OK - pwchange during login on windows with same password

```
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '0', '17750'), ('sambaPwdLastSet', '0', '1533681623'), ('sambaPwdMustChange', '0', '')]
(INFO ): password_sync_ucs_to_s4: modlist: []
```

OK - pwchange in windows different password

```
(INFO ): password_sync_s4_to_ucs: modlist: [('sambaNTPassword', '40A0...', 'CE3...'), ('krb5Key', [...]), ('krb5KeyVersionNumber', '28', '33'), ('userPassword', '...'), ('sambaPwdLastSet', '1533681623', '1533681719')]
(INFO ): password_sync_ucs_to_s4: modlist: []
```

OK - udm users/user modify --dn uid=test1,dc=four,dc=three --set pwdChangeNextLogin=1 --set overridePWHistory=1 --set password=Univention.99

```
(INFO ): password_sync_s4_to_ucs: modlist: [('shadowLastChange', '17748', '0'), ('shadowMax', '1', None), ('krb5PasswordEnd', '20180807000000Z', None), ('sambaPwdMustChange', '', '0')]
(INFO ): password_sync_ucs_to_s4: modlist: [(2, 'pwdLastSet', '0')]
udm users/user list --filter username=test1 | grep pwd
```

OK - YAML
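The sync decision this bug is about, as an added illustration that is not the S4 connector's own code: a simplified model of the S4-to-UCS step that reproduces the modlists in the QA log excerpts above, with the reported behaviour (timestamps only synced when the password hash changed) beside the fixed one. The attribute names are the real ones from the logs; the function names, the constructed sample values and the plain-string comparison of unicodePwd against sambaNTPassword are assumptions of the model.

```python
# Added illustration, not the S4 connector's own code: a simplified model of
# the S4 -> UCS password sync decision.  pwdLastSet is a Windows FILETIME
# (100 ns ticks since 1601-01-01), sambaPwdLastSet is Unix seconds,
# shadowLastChange is days since 1970-01-01, and pwdLastSet == 0 means
# "must change password at next logon".  Values are strings, as in the
# connector's modlist log lines.
EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 -> 1970-01-01 in 100 ns ticks


def filetime_to_unix(filetime):
    """Convert a pwdLastSet FILETIME to Unix seconds; 0 (must change) stays 0."""
    if filetime == 0:
        return 0
    # -1 is a write-only sentinel ("now") the DC replaces before it is read back
    return (filetime - EPOCH_DIFF_100NS) // 10_000_000


def sync_s4_to_ucs(ucs, s4, sync_time_without_hash_change):
    """Return the UCS modlist [(attr, old, new), ...] for one S4 object change.

    ucs: sambaNTPassword, sambaPwdLastSet, shadowLastChange, sambaPwdMustChange
         (strings, '' = attribute not set)
    s4:  unicodePwd (assumed comparable to sambaNTPassword) and pwdLastSet (int)
    sync_time_without_hash_change: False models the behaviour reported here,
         True the fix "sync pwdLastChange even if hash didn't change".
    """
    modlist = []
    if s4["unicodePwd"] != ucs["sambaNTPassword"]:
        modlist.append(("sambaNTPassword", ucs["sambaNTPassword"], s4["unicodePwd"]))
    elif not sync_time_without_hash_change:
        # Reported behaviour: "No password change to sync to UCS", so a re-used
        # password leaves pwdLastSet / shadowLastChange / sambaPwdMustChange stale.
        return modlist
    last_set = str(filetime_to_unix(s4["pwdLastSet"]))
    days = str(int(last_set) // 86400)
    must_change = "0" if s4["pwdLastSet"] == 0 else ""  # cleared after the change
    for attr, new in (("shadowLastChange", days), ("sambaPwdLastSet", last_set),
                      ("sambaPwdMustChange", must_change)):
        if ucs[attr] != new:
            modlist.append((attr, ucs[attr], new))
    return modlist


# Constructed sample mirroring the QA step "samba-tool user setpassword test1
# same password": hash unchanged, only pwdLastSet advanced.
UCS_SAME_PW = {"sambaNTPassword": "40A0", "sambaPwdLastSet": "1533681306",
               "shadowLastChange": "16750", "sambaPwdMustChange": ""}
S4_SAME_PW = {"unicodePwd": "40A0", "pwdLastSet": 131781549530000000}

if __name__ == "__main__":
    print("reported:", sync_s4_to_ucs(UCS_SAME_PW, S4_SAME_PW, False))  # []
    print("fixed:   ", sync_s4_to_ucs(UCS_SAME_PW, S4_SAME_PW, True))
```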