Univention Bugzilla – Full Text Bug Listing
Description
Michel Smidt
2020-05-17 20:27:59 CEST
Created attachment 10364: Screenshot2
Created attachment 10365: Screenshot3
Created attachment 10366: Screenshot4
Since I just visited that code: These UCR variables may affect things here (but probably are not enough):
* connector/ad/password/timestamp/check
* connector/ad/password/timestamp/syncreset/ucs
* connector/ad/password/timestamp/syncreset/ad

ebf123f5aed9bb7eb592250acd02da57c58448e0 - ucs-test added 55_adconnector/503test_password_change_next_logon but skipped currently, please check and activate the test once the fix is done

Package: univention-ad-connector
Version: 13.0.0-34A~4.4.0.202006052233
Package: ucs-test
Version: 9.0.3-219A~4.4.0.202006052236
Package: univention-s4-connector
Version: 13.0.2-72A~4.4.0.202006052230
--------------------------------------------------
c06383ac81 Bug #51298: Update documentation
89b0df9014 Bug #51298: yaml
2f46802eb9 Bug #51298: Merge branch 'jbremer/Bug51298_sync_pwdChangeNextLogin' into 4.4-4
8daa7f3d5c Bug #51298: Test pwdChangeNextLogin in S4Connector
1f518bb182 Bug #51298: Changelog
1c154db52f Bug #51298: extend test case
d9bbd4712c Bug #51298: Sync pwdLastSet from UCS
2c9b52646b Bug #51298: actually expire password in S4
7429139d80 Bug #51298: Sync pwdLastChange in adconnector
---------------------------------------------------
The pwdChangeNextLogin flag is now synced from/to AD. The password expires in Kerberos, Samba and OpenLDAP, the flag is shown in the UMC.
In the S4-Connector the password never expired in OpenLDAP after syncing pwdLastSet==0 from Samba to UCS. This has been fixed too.
The password expiry mechanism was never tested before, so I created a test for the S4 Connector as well.
This has been merged and built on 05.06.20, the AD Connector test ran successfully since then.

Code and tests look good, but a UMC logon changes the password for AD users with pwdLastSet==0 directly, without user interaction. The new password is equal to the old, just the "user must change password" stuff is gone.

Create AD user with "user must change password":

DN: CN=win20,CN=Users,DC=autotestwin,DC=local
primaryGroupID: 513
logonCount: 0
cn: win20
countryCode: 0
dSCorePropagationData: 16010101000000.0Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: win20@autotestwin.local
instanceType: 4
distinguishedName: CN=win20,CN=Users,DC=autotestwin,DC=local
sAMAccountType: 805306368
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
msDS-RevealedDSAs: CN=WIN-DUA7EARHMN9,OU=Domain Controllers,DC=autotestwin,DC=local
objectSid: S-1-5-21-3635031200-1553950662-1512387333-1131
whenCreated: 20200608152801.0Z
uSNCreated: 13388
badPasswordTime: 0
pwdLastSet: 0
sAMAccountName: win20
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=autotestwin,DC=local
objectGUID: fac20751-ee9c-40d5-9896-b063e586cbd2
whenChanged: 20200608152811.0Z
badPwdCount: 0
accountExpires: 9223372036854775807
displayName: win20
name: win20
codePage: 0
userAccountControl: 512
lastLogon: 0
uSNChanged: 13401
sn: win20
givenName: win20
lastLogoff: 0

# win20, users, autotest.local
dn: uid=win20,cn=users,dc=autotest,dc=local
cn: win20 win20
uid: win20
krb5PrincipalName: win20@AUTOTEST.LOCAL
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2029
sambaAcctFlags: [U ]
sambaPasswordHistory: FFFA3A741CDDE03EB5196462DA5F96DF4264E580C0ECBCCE051BEBD9AC3E700F
sambaBadPasswordCount: 0
krb5MaxLife: 86400
sambaBadPasswordTime: 0
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-116618959-3384392643-1313457844-513
displayName: win20
sambaSID: S-1-5-21-116618959-3384392643-1313457844-5058
gecos: win20 win20
sn: win20
pwhistory: $6$1j4tickuKZ3oJKvi$s31MPjUUEslJN8MZbrdUBWJ0pif4re3z1AaH592bm3ESYC/USDOlnPXMiplsHYG.cIO6R4Wk8FKeI5MyTMIgz1
homeDirectory: /home/win20
givenName: win20
krb5Key:: MB2hGzAZoAMCARehEgQQQKBViSnw+RcH28SeRCnX7Q==
userPassword:: e0s1S0VZfQ==
sambaNTPassword: 40A0558929F0F91707DBC49E4429D7ED
sambaPwdLastSet: 0
krb5PasswordEnd: 20200608000000Z
shadowMax: 1
shadowLastChange: 18419

Looks good so far, and kinit ->

kinit win20 (Univention.99)
win20@AUTOTEST.LOCAL's Password: ****
Your password will expire at Mon Jun 8 02:00:00 2020
Changing password
New password:

OK, but ->

umc-command -U win20 -P Univention.99
08.06.20 17:30:14.387 DEBUG_INIT
Response: COMMAND
data length : 249
message length: 191
---
MIMETYPE : application/json
STATUS : 403
MESSAGE : Verboten
ERROR : {u'traceback': None, u'command': u'handle_request_command'}
RESULT : {u'status': 403, u'headers': {u'Vary': u'Content-Language', u'Content-Language': u'de-DE'}, u'message': u'Verboten', u'result': None, u'error': {u'traceback': None, u'command': u'handle_request_command'}}

auth.log:
Jun 8 17:30:14 admember python2.7: nss_ldap: reconnecting to LDAP server...
Jun 8 17:30:14 admember python2.7: nss_ldap: reconnected to LDAP server ldap://admember.autotest.local:7389 after 1 attempt
Jun 8 17:30:14 admember python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=win20
Jun 8 17:30:14 admember kpasswdd[1390]: Changing password for win20@AUTOTEST.LOCAL
Jun 8 17:30:14 admember python2.7: pam_krb5(univention-management-console:auth): user win20 authenticated as win20@AUTOTEST.LOCA

No kinit with old password (Univention.99) works. Sounds similar to Bug #43859, Bug #38082.

So I suspect a bug in heimdal (or pam_krb5). I see the patches 4.2-0-0-ucs/1.6~rc2+dfsg-9-errata4.2-1/0200_krb5_get_init_creds_opt_set_change_password_prompt.* aren't part of our latest release anymore (because they are integrated upstream?!). Maybe another upstream change broke that behavior again.

pam-krb5 sets the flag correctly:

libpam-krb5/4.7-4/libpam-krb5-4.7/auth.c:
163 krb5_get_init_creds_opt_set_change_password_prompt(opts,
164 (config->defer_pwchange || config->fail_pwchange) ? 0 : 1);

The debug output of PAM is:

# PAM(1) SAML message: answer=u'Univention.99'
PAM says: 'Password has expired'
# PAM(4) Password has expired: answer=''
PAM says: 'Your password will expire at Tue Jun 9 02:00:00 2020\n'
# PAM(4) Your password will expire at Tue Jun 9 02:00:00 2020\n: answer=''
PAM says: 'Changing password'
# PAM(4) Changing password: answer=''
# PAM(1) New password: answer=u'Univention.99'
# PAM(1) Repeat new password: answer=u'Univention.99'
PAM says: 'Success: Password changed\n'

So, with the fix mentioned above pam shouldn't ask anymore to change the password! Because we are setting the flag defer_pwchange in /etc/pam.d/univention-management-console:

auth sufficient pam_krb5.so use_first_pass defer_pwchange

But I also see that we set force_pwchange in acct-mngmt (which could also be a reason?):

account sufficient pam_krb5.so force_pwchange

univention-s4-connector: There seems to be an issue with the s4 connector too.

Create samba user with pwdLastSet=0 ->

samba-tool user create --must-change-at-next-login \
  --use-username-as-cn sam3 Univention.99

Now UMC logon with password change (password to univention) - the pwdLastSet=0 sync to ucs was successful. But, despite the password change to "univention" kinit still wants the old password:

kinit sam3 -> univention => fails
kinit sam3 -> Univention.90 => OK

I created a new Bug for this "password overwriting issue": Bug #51462. This one only addresses the sync with S4/AD Connector.

univention-s4-connector
OK - YAML
OK - pwdLastSet sync manual tests
OK - Jenkins tests
OK - ucs-test

univention-ad-connector
OK - YAML
OK - sync of pwdChangeNextLogin
OK - Jenkins tests
OK - ucs-test

So apart from Bug #51462 everything OK, still I will not set this bug verified, just in case.

Since this bug is blocked by Bug #51462, which needs a restart of the univention-management-console-server, we decided to release it with 4.4-5. I changed the Target Milestone accordingly.

I added dependencies for heimdal to univention-ad-connector and univention-s4-connector. We will restart the univention-management-console-server in the postinst. This way, we can release this feature during normal errata update without having to wait for the patch level release.

OK - univention-ad-connector
OK - connector ucs-test
OK - manual tests
OK - dependencies
OK - yaml
OK - univention-s4-connector
OK - connector ucs-test
OK - manual tests
OK - dependencies
OK - yaml
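As an added example (not code from this bug thread or from Univention), a small Python check of whether a UCS user entry carries the "user must change password at next logon" state consistently in Samba, Kerberos and shadow/OpenLDAP, the three places the thread says a synced pwdLastSet==0 must expire the password. The helper names are my own; the sample entry is a constructed subset of the uid=win20 dump above.

```python
import datetime as dt

# Constructed subset of the "uid=win20" entry shown in the thread (attribute
# values copied from that dump; the base64 line exercises the "::" syntax).
SAMPLE_LDIF = """\
# win20, users, autotest.local
dn: uid=win20,cn=users,dc=autotest,dc=local
uid: win20
krb5PrincipalName: win20@AUTOTEST.LOCAL
userPassword:: e0s1S0VZfQ==
sambaPwdLastSet: 0
krb5PasswordEnd: 20200608000000Z
shadowMax: 1
shadowLastChange: 18419
"""

EPOCH = dt.date(1970, 1, 1)  # shadowLastChange counts days from here


def parse_ldif(text):
    """Parse one LDIF entry (no line folding) into {attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        # "attr:: base64" leaves value as ": base64"; strip the marker either way.
        entry.setdefault(key.strip(), []).append(value.lstrip(": "))
    return entry


def must_change_state(entry, today):
    """Per subsystem: does this entry force a password change as of `today`?"""
    samba = entry.get("sambaPwdLastSet", ["1"])[0] == "0"
    krb_end = entry.get("krb5PasswordEnd", [None])[0]
    kerberos = krb_end is not None and (
        dt.datetime.strptime(krb_end, "%Y%m%d%H%M%SZ").date() <= today)
    last = int(entry.get("shadowLastChange", ["0"])[0])
    max_days = int(entry.get("shadowMax", ["99999"])[0])
    shadow = EPOCH + dt.timedelta(days=last + max_days) <= today
    return {"samba": samba, "kerberos": kerberos, "shadow": shadow}


def check_entry(ldif_text, today_iso):
    """Subsystems whose flag disagrees with Samba's pwdLastSet view (the sync source)."""
    state = must_change_state(parse_ldif(ldif_text), dt.date.fromisoformat(today_iso))
    return sorted(k for k, v in state.items() if v != state["samba"])


if __name__ == "__main__":
    print(check_entry(SAMPLE_LDIF, "2020-06-08"))  # [] -> all three agree
```

An entry where only sambaPwdLastSet is 0 while krb5PasswordEnd is absent and shadowMax is still 99999 is exactly the pre-fix S4 Connector symptom ("never expired in OpenLDAP"), and the check reports kerberos and shadow as disagreeing.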