Univention Bugzilla – Bug 39369
/usr/lib/univention-pam/lock-user sets HOME to /dev/null
Last modified: 2017-02-15 18:05:48 CET
Ticket #2015090921000712

The following traceback happens on a customer system:

root@ucs:~# udm computers/ubuntu create --position "cn=computers,${ldap_base}" --set name=testubuntu121 --set password="testpassword" --set operatingSystem="Ubuntu" --set operatingSystemVersion="14.04" --set unixhome=/dev/null
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 393, in doit
    out=_doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 804, in _doit
    dn=object.create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 352, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 711, in _create
    al=self._ldap_addlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/computers/ubuntu.py", line 459, in _ldap_addlist
    krb_keys=univention.admin.password.krb5_asn1(self.krb5_principal(), self['password'])
  File "/usr/lib/pymodules/python2.7/univention/admin/password.py", line 93, in krb5_asn1
    krb5_context = heimdal.context()
Krb5Error: {'code': 20}

The UDM CLI was started via /usr/lib/univention-pam/lock-user, which is started via PAM, and thus HOME is set to /dev/null, which breaks the heimdal context.
My hotfix on the customer system was: --- /usr/lib/univention-pam/lock-user 2015-09-18 14:24:00.280570293 -0600 +++ /usr/lib/univention-pam/lock-user.orig 2015-09-18 14:23:42.036598664 -0600 @@ -59,7 +59,7 @@ exit 1 fi - HOME=/ univention-directory-manager users/user modify --binddn "$binddn" --bindpwd "$(cat $bindpw)" --logfile /dev/null --dn "$user_dn" --set locked=all + univention-directory-manager users/user modify --binddn "$binddn" --bindpwd "$(cat $bindpw)" --logfile /dev/null --dn "$user_dn" --set locked=all exit $? else
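Review bot: The diff is generated in the reverse direction: the header names lock-user as the old file and lock-user.orig as the new one, so the `-` line carrying `HOME=/` is the hotfixed call and the `+` line is the original. Regenerate it with the .orig file first so it applies as the fix rather than reverting it. In the same modify call, `$(cat $bindpw)` leaves `$bindpw` unquoted, and passing the secret through `--bindpwd` places it in the process argument list for the lifetime of the command; quote the variable at minimum. A one-line comment above the call explaining that HOME is overridden because the PAM-started script runs with HOME set to /dev/null, which breaks the heimdal context, would keep the prefix from being removed later as apparently redundant.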
* univention-pam: r65128 errata4.0-3
* merged to 4.1-0
* YAML: 2015-11-03-univention-pam.yaml

To reproduce this bug:
* 4.0-3 master
* auth/faillog/lock_global: yes
* auth/faillog/lock_global: yes
* create a user with HOME /dev/null
* make sure univention-cli-server is NOT running
* ssh login with the user with a wrong password (5 times)
* user should be locked now
* creating another user now fails (without the hotfix)

udm users/user create --set username=test3 \
    --set password=univention \
    --set lastname=test3
Tests: OK
Code review: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.0/360.html>