Univention Bugzilla – Bug 35985
Change of expired password via UMC not possible anymore
Last modified: 2015-03-06 12:25:17 CET
The request for changing the password fails with the following response:

    {"status": "411 Length Required", "message": "Current Kerberos password: "}

The "message" is the prompt from PAM which was unanswered. Seems something changed in the format in UCS 4. The UMC only displays:

    Authentifizierungsfehler
    Das System erlaubt das Ändern des Passwortes nicht. Der Grund konnte nicht festgestellt werden.
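The failure described above is a PAM conversation problem: the module stack asks a question ("Current Kerberos password: ") that the application's conversation callback does not know how to answer, so the request dies with the prompt text as its only "reason". The following added example (not UMC code, and not taken from this bug report) shows a conversation handler that recognises the chauthtok prompts of both pam_unix and pam_krb5, answers them from stored credentials, collects PAM_TEXT_INFO/PAM_ERROR_MSG texts so a real reason can be reported, and refuses with the prompt text when it meets an unknown prompt. The prompt patterns and the message-style constants are assumptions taken from Linux-PAM's headers and the prompt wording quoted in this bug; the `(style, text)` message tuples are a constructed stand-in for what a real `pam_conv` receives.

```python
import re

# Message styles from <security/pam_appl.h> (Linux-PAM numbering; assumed here).
PAM_PROMPT_ECHO_OFF = 1   # password-like prompt, must be answered
PAM_PROMPT_ECHO_ON = 2    # visible prompt, must be answered
PAM_ERROR_MSG = 3         # informational, no answer expected
PAM_TEXT_INFO = 4         # informational, no answer expected


class UnansweredPrompt(Exception):
    """Raised when a module asks a question the handler cannot answer.

    The prompt text is carried along so the caller can report which module
    prompt was unexpected instead of failing with a bare error."""


# Which stored value answers which prompt.  The pam_unix wording is the one
# Linux-PAM ships; the Kerberos wording is the pam_krb5 prompt quoted in the
# bug.  Both are assumptions for this example, not UMC's own table.
PROMPT_TABLE = [
    (re.compile(r"^(\(current\) UNIX|Current( Kerberos)?) password", re.I), "old"),
    (re.compile(r"^(Enter new (UNIX|Kerberos) password|New password)", re.I), "new"),
    (re.compile(r"^Retype new( (UNIX|Kerberos))? password", re.I), "new"),
]


def classify_prompt(prompt):
    """Return 'old' or 'new' for a known chauthtok prompt, else None."""
    text = prompt.strip()
    for pattern, kind in PROMPT_TABLE:
        if pattern.match(text):
            return kind
    return None


def build_conversation(old_password, new_password):
    """Create a PAM conversation callback for a password change.

    Returns (conv, info): conv takes a list of (style, text) messages and
    returns exactly one response per message; info accumulates the
    PAM_TEXT_INFO and PAM_ERROR_MSG texts seen, so that a failing change
    can show the module's stated reason to the user.
    """
    answers = {"old": old_password, "new": new_password}
    info = []

    def conv(messages):
        responses = []
        for style, text in messages:
            if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                kind = classify_prompt(text)
                if kind is None:
                    # Surface the unexpected prompt instead of returning an
                    # empty answer, which is what produced the 411 above.
                    raise UnansweredPrompt(text)
                responses.append(answers[kind])
            elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
                info.append(text.strip())
                responses.append("")  # modules expect a response slot per message
            else:
                raise ValueError("unknown PAM message style %r" % (style,))
        return responses

    return conv, info


if __name__ == "__main__":
    # Constructed message sequence resembling a pam_krb5 chauthtok run.
    conv, info = build_conversation("old-secret", "new-secret")
    print(conv([(PAM_PROMPT_ECHO_OFF, "Current Kerberos password: "),
                (PAM_TEXT_INFO, "Password has expired"),
                (PAM_PROMPT_ECHO_OFF, "Enter new Kerberos password: "),
                (PAM_PROMPT_ECHO_OFF, "Retype new Kerberos password: ")]))
    print(info)
```

The handler deliberately answers only prompts it can classify: feeding an arbitrary password into an unrecognised prompt would silently send credentials to whatever the stack is asking for, so an unknown prompt is an error that names itself.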
/var/log/auth.log says:

    Oct 22 07:26:27 master3 python: pam_unix(univention-management-console:account): expired password for user disabled (password aged)
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:account): expired password for user disabled (password aged)
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [min=4]
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [max=32]
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): user "disabled" does not exist in /etc/passwd
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [min=4]
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): unrecognized option [max=32]
    Oct 22 07:26:31 master3 python: pam_unix(univention-management-console:chauthtok): user "disabled" does not exist in /etc/passwd
In /etc/pam.d/univention-management-console there is an option min=4 max=32. The manpage of pam_unix tells nothing about these options. There is only "minlen" but nothing for "max". I guess we don't need this for local users, so we can remove those. After removing, PAM still fails to change the expired password → PAM thinks that the user is a local user and can't find it in /etc/passwd → why doesn't PAM detect that it is an LDAP user?
(In reply to Florian Best from comment #2)
> In /etc/pam.d/univention-management-console is a option min=4 max=32.
> The manpage of pam_unix tells nothing about these options. There is only
> "minlen" but nothing for "max". I guess we don't need this for local users,
> so we can remove those. After removing pam still fails to change the expired
> password → PAM thinks that the user is a local user and can't find it in
> /etc/passwd → why doesn't pam detect that it is a LDAP user?

If I remember it correctly, the user is found via getent passwd. Some time ago we added the host authentication data to libnss-ldap.conf and now getent shadow returns the userPassword as well. But I'm not completely sure if that is the reason for the problem. Here on my test system I was able to change the password via UMC login.
In this case /usr/share/univention-directory-manager-tools/lock_expired_passwords should also be considered. It locks the user password if the password expired. Nevertheless, if I add debug to pam_krb5, I see this:

    Oct 23 07:02:16 master701 python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=stefan
    Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): pam_sm_authenticate: entry
    Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): (user stefan) attempting authentication as stefan@DEADLOCK70.INTRANET
    Oct 23 07:02:16 master701 nscd: nss_ldap: reconnecting to LDAP server...
    Oct 23 07:02:16 master701 nscd: nss_ldap: reconnected to LDAP server ldap://master701.deadlock70.intranet:7389 after 1 attempt
    Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): (user stefan) krb5_get_init_creds_password: Generic error (see e-text)
    Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): authentication failure; logname=stefan uid=0 euid=0 tty= ruser= rhost=
    Oct 23 07:02:16 master701 python2.7: pam_krb5(univention-management-console:auth): pam_sm_authenticate: exit (failure)

It is similar to:

    root@master701:~# kinit stefan
    stefan@DEADLOCK70.INTRANET's Password:
    kinit: krb5_get_init_creds: Password has expired
    root@master701:~#

So, I think UMC should recognize the pam_krb5 return. If I add a user in 3.2, expire the password for this user and lock the user for POSIX, I could reproduce the behavior.
We should also check the pam_krb5 options for defer_pwchange, fail_pwchange and force_pwchange.
To make it a little bit more complicated, it seems to depend on the Kerberos server. Most tests work fine for me if I use the Samba 4 Kerberos server.
Fixed in svn55018.
Ok, works and changelog is ok. Testcase: 60_umc/07_expired_password
See Bug 36319 Comment 1 for details.
UCS 4.0-0 has been released:
http://docs.univention.de/release-notes-4.0-0-en.html
http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".