Univention Bugzilla – Bug 41865
Kerberos auth fails due to expired keys when maxPwdAge setting is too large (713239 days)
Last modified: 2018-02-14 13:31:31 CET
Ticket#2016071121000755 reported a case where Kerberos authentication failed for all users, claiming password expiry. After a lot of digging we finally found "samba-tool domain passwordsettings show" reported:

  Maximum password age (days): 10675199

But the tool itself denies setting this value:

  root@master10:~# samba-tool domain passwordsettings set --max=10675199
  ERROR: Maximum password age must be in the range of 0 to 999!

Apparently the value has been set via UMC LDAP by navigating to the objectclass=sambadomain object located below cn=samba,$ldap_base and adjusting the Maximum password age there to:

  sambaMaxPwdAge: 922337203685 # seconds

This setting results in authentication failure due to "expired" password:

  Administrator@AR41I1.QA's Password:
  kinit: krb5_get_init_creds: No ENC-TS found

(see Bug #41617)

Setting this to a lower value, e.g. 713238 days, results in this strange message:

  Administrator@AR41I1.QA's Password:
  Your password will expire at Thu Jan 1 01:00:00 1970

I would recommend that the UMC (or a UDM syntax) should restrict the value of sambaMaxPwdAge to be smaller than or equal to 999 days. That's the limit that samba-tool and MS GPOs allow, see link in URL field above.

=============================================================================
Irrelevant nerdy details:

Starting with a sambaMaxPwdAge of 61623794715 seconds, the kinit fails (today) for my Administrator test account which has pwdLastSet: 130927652850000000.

Btw. sambaMaxPwdAge of 61623794715 seconds is synchronized to the Samba/AD domain base as maxPwdAge: -616237947150000000, yes, the minus is "normal". I have no clue what limit is overflowing here.

I bet you are curious when that strange warning about 1970 appears? That starts to appear at sambaMaxPwdAge of 59488159515 seconds. Lower than that value, Kerberos authentication worked without any warning in my test case. I have no plans to narrow this down to the minimal AD precision of 100 nanoseconds.

The difference between "warning" value and "failure" value is 24718 days.
=============================================================================
Created attachment 8007 [details]
udm: set bounds on {min,max}PasswordAge

This patch adds new classes in univention-directory-manager-modules/modules/univention/admin/syntax.py to restrict the possible values for {min,max}PasswordAge.

  # udm settings/sambadomain modify --set minPasswordAge=86227201 --dn=...
  Invalid syntax: Minimum password age: Value out of bounds (0 - 86227200 seconds)
  # udm settings/sambadomain modify --set maxPasswordAge=86313601 --dn=...
  Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds)
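As an added example (not Univention's code and not the attached patch), the following Python module re-creates the bound check from the patch's error wording and then shows what happens to the 922337203685-second value from the report once it is converted to the AD maxPwdAge interval (a negative count of 100 ns ticks) and added to the reported pwdLastSet: the sum no longer fits a signed 64-bit integer. The bounds, the error texts and the sample values are taken from the comments on this bug; the function names, the `wrap_int64` model of C two's-complement arithmetic, and the expiry formula are assumptions for illustration, not the Samba/Heimdal code path.

```python
"""Bound check for sambaMaxPwdAge / sambaMinPwdAge plus a checked conversion
to the AD maxPwdAge interval.  Added example, not Univention's code.  Bounds
and error wording are quoted from the patched UDM output on this bug; the
expiry arithmetic is an illustrative model, not Samba's or Heimdal's code."""

INT64_MAX = 2**63 - 1
INT64_MIN = -2**63
TICKS_PER_SECOND = 10**7                 # AD intervals count 100 ns ticks
NT_EPOCH_TO_UNIX = 116444736000000000    # ticks from 1601-01-01 to 1970-01-01

# Bounds in seconds, as printed by the patched UDM (998 and 999 days).
MIN_PWD_AGE_BOUNDS = (0, 86227200)
MAX_PWD_AGE_BOUNDS = (0, 86313600)


def check_password_age(value, bounds, label):
    """Validate a password-age setting: integer seconds within `bounds`,
    otherwise a ValueError carrying the UDM-style 'Value out of bounds' text."""
    try:
        seconds = int(value)
    except (TypeError, ValueError):
        raise ValueError("%s: Not a valid integer" % label)
    low, high = bounds
    if not low <= seconds <= high:
        raise ValueError("%s: Value out of bounds (%d - %d seconds)"
                         % (label, low, high))
    return seconds


def seconds_to_ad_interval(seconds):
    """sambaMaxPwdAge (seconds) -> AD maxPwdAge, a *negative* tick count;
    that is why the synchronized value carries the minus sign."""
    ticks = -seconds * TICKS_PER_SECOND
    if not INT64_MIN <= ticks <= INT64_MAX:
        raise OverflowError("interval does not fit a signed 64-bit attribute")
    return ticks


def wrap_int64(n):
    """Model the two's-complement wrap-around of a C int64 addition."""
    return (n + 2**63) % 2**64 - 2**63


def password_expiry(pwd_last_set, max_pwd_age_interval):
    """Illustrative expiry = pwdLastSet - maxPwdAge (maxPwdAge is negative,
    so this is an addition).  Returns (wrapped_ticks, overflowed) so the caller
    sees the overflow instead of silently getting a timestamp in the past."""
    exact = pwd_last_set - max_pwd_age_interval
    overflowed = not INT64_MIN <= exact <= INT64_MAX
    return wrap_int64(exact), overflowed


def nttime_to_unix(ticks):
    """Convert an NT timestamp (100 ns ticks since 1601) to Unix seconds."""
    return (ticks - NT_EPOCH_TO_UNIX) // TICKS_PER_SECOND


if __name__ == "__main__":
    pwd_last_set = 130927652850000000          # from the bug report
    for age in (61623794715, 922337203685):    # seconds, from the bug report
        try:
            check_password_age(age, MAX_PWD_AGE_BOUNDS, "Maximum password age")
        except ValueError as exc:
            print("rejected: %s" % exc)
        expiry, overflowed = password_expiry(pwd_last_set,
                                             seconds_to_ad_interval(age))
        print("age=%d s  expiry ticks=%d  overflow=%s" % (age, expiry, overflowed))
```

Both report values are rejected by the bound check; for the 922337203685-second value the modelled addition also overflows and wraps to a negative tick count, i.e. a timestamp before 1601, which is one way a huge age can surface as an already-expired password. The 61623794715-second value stays within int64 here, so whatever limit the reporter hit for that case is not reproduced by this model.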
Happened again with maxPasswordAge: 922337203685 days
As Lukas is not here anymore, please apply his patch. Make an auto-PEP8 prior to that please. If you want we can also switch the Assignee-QA roles.
b458cf5bdc | Bug #41865: New syntax to restrict sambaMaxPwdAge and sambaMinPwdAge
69104893e0 | Bug #41865: Advisory
It's not possible to remove a currently set value anymore.
Created attachment 9307 [details]
patch

My current patch would be this. I will apply it Monday.
Applied the patch, merged to UCS 4.3, adjusted the YAML file.
Ok, works, I could remove a previously set excessively large value.
<http://errata.software-univention.de/ucs/4.2/287.html>