Univention Bugzilla – Bug 41786
Detection why password changing fails isn't working anymore
Last modified: 2020-06-22 18:13:45 CEST
Currently UMC doesn't respond correctly if password changing fails. UMC displays:

    Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: Errorcode 20: Stellen Sie sicher, dass der Kerberos-Dienst läuft oder informieren Sie einen Administrator.

With debug/level=4 the UMC reveals the following information:

    #### Changing password of user 's6139'
    PAM says: 'Schlechtes Passwort: Es ist zu kurz'
    PAM says: 'Schlechtes Passwort: ist zu einfach'
    PAM says: ': Password too short, password must be at least 6 characters long.'
    Changing password failed (('Fehler beim Ändern des Authentifizierungstoken', 20)).
    Prompts: [('Current Kerberos password: ', 1), ('Geben Sie ein neues Passwort ein: ', 1), ('Schlechtes Passwort: Es ist zu kurz', 3), ('Schlechtes Passwort: ist zu einfach', 3), ('Geben Sie das neue Passwort erneut ein: ', 1), (': Password too short, password must be at least 6 characters long.', 3)]
    ####
The problem is that the output of pam_krb5 changed. We are parsing raw strings.
Created attachment 7799: Screenshot

Hm, the screenshot shows more information. Nevertheless we should integrate the missing/changed prompts so that a more human-readable message is shown again. And we should write a test case which covers every case (too-short, too-simple, kerberos (samba / ad), unix).
': Password too short, password must be at least 6 characters long.'
': Password too short, password must be at least 8 characters long.'
': Password does not meet complexity requirements'
'Schlechtes Passwort: Es basiert auf einem (umgekehrten) Wörterbucheintrag'
'Schlechtes Passwort: Es basiert auf einem Wörterbucheintrag'
'Schlechtes Passwort: Es ist VIEL zu kurz'
'Schlechtes Passwort: Es ist zu kurz'
'Schlechtes Passwort: ist dem alten zu ähnlich'
'Schlechtes Passwort: ist ein Palindrome'
'Schlechtes Passwort: ist zu einfach'
'Schlechtes Passwort: wurde gedreht'
'Unable to reach any changepw server in realm FOO.BAR'
01.02.17 11:57:05.827 AUTH ( INFO ) : PAM says: 'Your password will expire at Thu Jan 1 01:00:00 1970\n'
01.02.17 11:57:05.827 AUTH ( INFO ) : PAM says: 'Changing password'
01.02.17 11:57:05.870 AUTH ( INFO ) : PAM says: 'Error: Password does not meet complexity requirements\n'
This causes the UMC to display an error message instead of changing/prompting for a new password.
This bug also affects the Self-Service "password change" functionality, as it uses the UMC to change the password.
# grep account /etc/pam.d/univention-management-console
→ reveals that we do pam_acct_mgmt with pam_unix.so, pam_ldap.so, pam_krb5.so

# dpkg -S pam_unix.so pam_krb5.so pam_ldap.so
libpam-modules:amd64: /lib/x86_64-linux-gnu/security/pam_unix.so
libpam-heimdal:amd64: /lib/x86_64-linux-gnu/security/pam_krb5.so
libpam-ldap:amd64: /lib/x86_64-linux-gnu/security/pam_ldap.so

# ucr set repository/online/sources=yes
# apt-get source libpam-ldap libpam-heimdal libpam-modules

The strings for pam_unix are translated via gettext, they can be found via:
rgrep '_("' pam-*
The German translations are in pam-*/po/de.po.
→ We should find a way to run PAM with locale C instead of the system locale so that this also works with a French UCS system.

The strings for pam_ldap can be extracted via (they seem untranslated):
# tar xvzf libpam-ldap-*/*tar.gz
# grep -A15 const.*policy_error_table pam_ldap-*/pam_ldap.c
# grep -C4 _conv_sendmsg pam_ldap-*/pam_ldap.c | grep '"'

The strings for pam_krb5 can be extracted via:
# rgrep -C4 pamk5_conv libpam-krb5-*/ | grep '"'
→ This seems to be incomplete as pam_krb5 speaks with another library (heimdal-kdc)
# apt-get source heimdal-kdc
# rgrep 'N_(' heimdal-*/lib/krb5/changepw.c
→ This seems to be again incomplete as change_password_loop connects with a kerberos server.
→ The kerberos server can probably be Samba OR Active Directory - if the UCS system is configured as AD Member?!
→ So we must also collect the error messages from both of these components. How to do this?
Active Directory can be ignored as long as Bug #38082 is not fixed.

Samba4 KDC:
# apt-get source samba
# rgrep -A6 reject_string samba-*/source4/kdc/ | grep '"'

Heimdal: (/usr/lib/heimdal-servers/kpasswdd)
→ uses kadm5_check_password_quality() AND error messages from UDM!
# grep -C3 reply_priv heimdal-*/kpasswd/kpasswdd.c | grep '"'
# grep '"' heimdal-*/lib/kadm5/password_quality.c

What about Samba3?
I extracted the following error messages:

Samba 4 KDC:
"Password too short, password must be at least %d characters long."
"Password too short"
"Password does not meet complexity requirements"
"Password is already in password history. New password must not match any of your %d previous passwords."
"Password is already in password history"
"Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed."

pam_unix:
"Bad: new password must be different than the old one"
"Bad: new password cannot be a palindrome"
"Bad: new and old password must differ by more than just case"
"Bad: new and old password are too similar"
"Bad: new password is too simple"
"Bad: new password is just a wrapped version of the old one"
"You must choose a longer password"
"Password has been already used. Choose another."
"You must wait longer to change your password"
"is the same as the old one"
"is a palindrome"
"case changes only"
"is too similar to the old one"
"is too simple"
"is rotated"
"not enough character classes"
"contains too many same characters consecutively"
"contains too long of a monotonic character sequence"
"contains the user name in some form"
"Password has been already used. Choose another."
"Password has been already used."

pam_ldap:
"Insufficient Password Quality", "Password Too Short", "Password Too Young", "Password Insufficient"

pam_krb5:
"Unable to reach any changepw server in realm %s"

Heimdal KDC:
"Password already used"
"Password is too short"
"The passwort didn't pass quality check"
"Password too short"
"Password doesn't meet complexity requirement.\n"
"Add more characters from at least %d of the\nfollowing classes:\n"
"1. English uppercase characters (A through Z)\n"
"2. English lowercase characters (a through z)\n"
"3. Base 10 digits (0 through 9)\n"
"4. Nonalphanumeric characters (e.g., !, $, #, %%)"
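As an added illustration of the parsing approach this bug is about (example code, not UMC's or Univention's own implementation), the following Python classifies a PAM conversation like the one logged in the first comment, matching the PAM_ERROR_MSG texts against the English wording of the messages collected above; the reason keys and the sample prompt list are constructed assumptions.

```python
import re

# PAM conversation message styles (Linux-PAM msg_style values), as seen in
# the "Prompts:" list of the debug log: 1 = PAM_PROMPT_ECHO_OFF, 3 = PAM_ERROR_MSG.
PAM_PROMPT_ECHO_OFF = 1
PAM_ERROR_MSG = 3

# Reason keys (our own naming) and regexes for the PAM_ERROR_MSG texts collected
# in this bug (pam_unix, pam_ldap, pam_krb5, Samba 4 KDC, Heimdal kpasswdd).
# Matching is case-insensitive and expects the English (locale C) wording.
PASSWORD_ERRORS = [
    ("too_short", r"password (?:is )?too short|choose a longer password"),
    ("complexity", r"complexity requirement|insufficient password quality"
                   r"|not enough character classes"),
    ("too_simple", r"is too simple"),
    ("too_similar", r"too similar|same as the old one"
                    r"|must be different than the old one|case changes only"),
    ("palindrome", r"palindrome"),
    ("rotated", r"is rotated|wrapped version of the old one"),
    ("reused", r"already in password history|has been already used"),
    ("too_young", r"wait longer|password too young|minimum password age"),
    ("kdc_unreachable", r"unable to reach any changepw server"),
]


def password_change_reason(prompts):
    """Return (reason, message) for the first recognised PAM_ERROR_MSG in the
    conversation, or None when no message explains the failure (the case in
    which only the generic return code 20 / PAM_AUTHTOK_ERR would be left)."""
    for message, style in prompts:
        if style != PAM_ERROR_MSG:
            continue  # password prompts (style 1) carry no failure reason
        for reason, pattern in PASSWORD_ERRORS:
            if re.search(pattern, message, re.IGNORECASE):
                return reason, message.strip()
    return None


# Constructed sample modelled on the conversation logged in this bug, using
# the English wording of the same modules (hypothetical, not the original log).
SAMPLE_PROMPTS = [
    ("Current Kerberos password: ", PAM_PROMPT_ECHO_OFF),
    ("Enter new password: ", PAM_PROMPT_ECHO_OFF),
    ("You must choose a longer password", PAM_ERROR_MSG),
    ("Bad: new password is too simple", PAM_ERROR_MSG),
    ("Retype new password: ", PAM_PROMPT_ECHO_OFF),
    (": Password too short, password must be at least 6 characters long.", PAM_ERROR_MSG),
]
```

Running it with the system locale set to C, as proposed above, is what keeps the English patterns valid on a German or French UCS system.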
ucs-test (7.0.21-22):
r79244 | Bug #41786: error message differs for samba4 / plain heimdal
r79239 | Bug #41786: fix error message
r79070 | Bug #43859: Bug #41786: fix filename extension
r79064 | Bug #43859: Bug #41786: add missing executable flag
r79062 | Bug #43859: Bug #41786: add 60_umc/104_expired_password
r78992 | Bug #41786: add missing trailing dot

univention-management-console.yaml:
r78976 | Bug #41786: parse more PAM error messages when changing password fails

univention-management-console (9.0.80-11):
r79243 | Bug #41786: use the language of the currently logged in user
r79238 | Bug #41786: fix duplicated groupdict
r78976 | Bug #41786: parse more PAM error messages when changing password fails
OK - the reason for the failed password change is displayed in UMC (although in English -> Bug #Univention)
OK - univention-management-console.yaml
<http://errata.software-univention.de/ucs/4.2/40.html>
*** Bug 45102 has been marked as a duplicate of this bug. ***
*** Bug 44584 has been marked as a duplicate of this bug. ***