Univention Bugzilla – Bug 43859
Changing expired password not possible with pam_krb5
Last modified: 2020-06-10 11:31:22 CEST
Please fix the test or fix the product or in case it is not so important disable the test case.
http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-0/job/AutotestJoin/75/SambaVersion=s3,Systemrolle=master/testReport/

*** BEGIN *** ['/bin/bash', '07_expired_password'] ***
*** 60_umc/07_expired_password *** Change of expired password at UMC logon (with password complexity) ***
*** START TIME: 2017-03-14 15:58:22 ***
info  2017-03-14 15:58:23 create user 0whx8mf6
Object created: uid=0whx8mf6,cn=users,dc=autotest090,dc=local
### Preparation: Activate pwQualityCheck in policies/pwhistory
## Note: non-Samba4 DCs require this to activate univention.password.Check (for check_cracklib.py)
Object modified: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=autotest090,dc=local
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits
### Preparation: simulate password expiry
Object modified: uid=0whx8mf6,cn=users,dc=autotest090,dc=local
debug 2017-03-14 15:58:25 Waiting for replication...
CRITICAL: no change of listener transaction id for last 0 checks (nid=12630 lid=12619)
OK: replication complete (nid=12630 lid=12630)
info  2017-03-14 15:58:27 replication complete.
debug 2017-03-14 15:58:27 Waiting for postrun...
### Preparation: set fresh complex password via UMC login password change dialog
error 2017-03-14 15:58:46 Unexpected output returned by UMC during password change: {"status": 401, "message": "The authentication has failed, please login again.", "location": "http://localhost/univention/auth"}
error 2017-03-14 15:58:46 **************** Test failed above this line (110) ****************
Unsetting password/quality/credit/lower
Unsetting password/quality/credit/upper
Unsetting password/quality/credit/other
Unsetting password/quality/credit/digits
LDAP Error: Invalid syntax: univentionPWQualityCheck: value #0 invalid per syntax
info  2017-03-14 15:58:46 remove user 0whx8mf6
Object removed: uid=0whx8mf6,cn=users,dc=autotest090,dc=local
debug 2017-03-14 15:58:46 user 0whx8mf6 removed
info  2017-03-14 15:58:46 checking whether the user 0whx8mf6 is really removed
debug 2017-03-14 15:58:47 user 0whx8mf6 does not exist
*** END TIME: 2017-03-14 15:58:47 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:24.915371 ***
*** END *** 110 ***
I guess this might be caused by Bug #36215.
The test case fails because the new password is not complex enough.
(In reply to Florian Best from comment #2)
> The test case fails because the new password is not complex enough.

No, this comment was wrong:

* The test case never ran under UCS 4.1-4 due to Bug #39382
* The test case contains errors such as parsing JSON as Python, which fails, and treating HTTP "200 OK" responses as "401" if they contain a response body.
→ Fixed in:
UCS 4.2-0 ucs-test (7.0.18-2):
r77832 | Bug #43859: fix test case 07_expired_password
UCS 4.1-4 ucs-test (6.0.37-60):
r77834 | Bug #43859: fix test case 07_expired_password

* The UMC-Server doesn't currently respond with "Your password is expired" and a password change is therefore not possible. This is because the PAM module pam_krb5 does NOT respond correctly with "PAM_SUCCESS" (but with "PAM_AUTH_ERR") in pam_sm_authenticate(), but tries to change the password immediately and fails because no new password is entered, and therefore pam_sm_acct_mgmt() is never called.
→ Similar to Bug #38082; I am currently unsure if that patch helps there, my local tests with that patch didn't help.

UMC shows the prompts of pam_krb5 as follows:
PAM says: 'Your password will expire at Thu Jan  1 01:00:00 1970\n'
PAM says: 'Changing password'
PAM says: 'Error: Password does not meet complexity requirements\n'
PAM: authentication error: ('Fehler bei Authentifizierung', 7)
As discussed, it seems to be no regression in UCS 4.2, so please move it to errata.
Move to UCS 4.2-0 errata.

r17425 | fbest | 2017-03-23 13:19:37 +0100 (Do, 23. Mär 2017) | 2 Zeilen
Bug #43859: revert patches

heimdal 1.6~rc2+dfsg-9A~4.2.0.201703231320
Committed revision 17479.
A patch has been found and merged
Cherry picked package heimdal[81937] version 1.6~rc2+dfsg-9 from 4.2-0-0[78]/None[0] to 4.2[78]/errata4.2-0[452]
heimdal.yaml:
r78926 | YAML Bug #43859
svn: URL 'svn+ssh://build@billy.knut.univention.de/var/svn/patches/libpam-krb5' non-existent in that revision
There are no patches for this package
Cherry picked package libpam-krb5[83641] version 4.6-3 from 4.2-0-0[78]/None[0] to 4.2[78]/errata4.2-0[452]
With the current state pam_authenticate() and pam_acct_mgmt() seem to work very nicely when adding 'defer_pwchange' to the PAM configuration. But changing the password still fails with:
PAM.error: ('Authentication token is no longer valid; new one required', 12)
*** Bug 44539 has been marked as a duplicate of this bug. ***
I wrote 33 test cases, which cover different combinations of posix and samba users:
18 of them are failing on Samba 4.
11 of them are failing on Samba 3.

This seems to have to do with the stacking of the PAM modules in the account section.
*** Bug 38082 has been marked as a duplicate of this bug. ***
The problem lies in pam-krb5 and heimdal.
1. heimdal: The upstream patch from Bug #38082 has been applied.
2. pam-krb5: https://github.com/rra/pam-krb5/pull/8 patch has been applied.
→ Our /etc/krb5.conf contains proxiable = true in the "[libdefaults]" section. This is disabled in the patch. kpasswd could change the password because there the same is already done in the code: https://github.com/heimdal/heimdal/blob/master/kpasswd/kpasswd.c#L150
The patch is not reviewed upstream yet.

ucs-test (7.0.21-24):
r79070 | Bug #43859: Bug #41786: fix filename extension
r79064 | Bug #43859: Bug #41786: add missing executable flag
r79062 | Bug #43859: Bug #41786: add 60_umc/104_expired_password
r77832 | Bug #43859: fix test case 07_expired_password
libpam-krb5.yaml:
r78991 | YAML Bug #43859
univention-management-console.yaml:
r79015 | YAML Bug #44217 Bug #44450 Bug #43859
univention-management-console (9.0.80-11):
r79087 | Bug #43859: change account 'required' back to 'sufficient'
r79063 | Bug #43859: enable defer_pwchange for pam_krb5 authentication modules
r79014 | Bug #43859: enable defer_pwchange for pam_krb5 authentication modules
heimdal.yaml:
r78926 | YAML Bug #43859

(In reply to Florian Best from comment #10)
> I wrote 33 test cases, which cover different combinations of posix and samba
> users:
> 18 of them are failing on Samba 4.
> 11 of them are failing on Samba 3.
>
> This seems to have to do with the stacking of the PAM modules in the account
> section.
There are still a lot of failing cases, which I will disable; they are part of Bug #44582.
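Comment #3 explains why the expiry never reached UMC (pam_sm_authenticate() returned PAM_AUTH_ERR, so pam_sm_acct_mgmt() was never called) and the commits above add defer_pwchange and change the account control flag from 'required' back to 'sufficient'. The following Python model of libpam's dispatcher shows both effects. It is an added example, not code from the bug report, pam_krb5 or UCS: the control-flag tables are the expansions documented in pam.d(5), while the module stacks, their return values and the "pam_unix fails in the account phase" knob are constructed assumptions chosen to mirror the behaviour the comments describe.

```python
"""Toy model of a PAM stack: how pam_authenticate() / pam_acct_mgmt() combine
module results, and why pam_krb5 needs defer_pwchange for an expired password
to reach the application as PAM_NEW_AUTHTOK_REQD.

Added example, not code from the bug report, pam_krb5 or UCS. The stacks, the
module return values and the "pam_unix returns PAM_AUTH_ERR" case are
constructed to mirror the behaviour described in the comments.
"""
from dataclasses import dataclass

# Return codes as numbered in Linux-PAM (the 7 and 12 match the bug report).
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25

# pam.d(5) expands the classic control keywords into these action tables.
CONTROLS = {
    "required":   {PAM_SUCCESS: "ok",   PAM_NEW_AUTHTOK_REQD: "ok",   PAM_IGNORE: "ignore", "default": "bad"},
    "requisite":  {PAM_SUCCESS: "ok",   PAM_NEW_AUTHTOK_REQD: "ok",   PAM_IGNORE: "ignore", "default": "die"},
    "sufficient": {PAM_SUCCESS: "done", PAM_NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {PAM_SUCCESS: "ok",   PAM_NEW_AUTHTOK_REQD: "ok",   "default": "ignore"},
}


@dataclass
class Module:
    name: str
    control: str       # required | requisite | sufficient | optional
    authenticate: int  # what pam_sm_authenticate() would return
    acct_mgmt: int     # what pam_sm_acct_mgmt() would return


def run_stack(stack, phase):
    """Walk one stack ("authenticate" or "acct_mgmt") the way libpam's
    dispatcher does: 'ok'/'done' set a positive impression, 'bad'/'die' a
    negative one, and a PAM_NEW_AUTHTOK_REQD status is kept even if a later
    module succeeds. An empty or fully ignored stack is denied."""
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_SUCCESS
    for mod in stack:
        rc = getattr(mod, phase)
        table = CONTROLS[mod.control]
        action = table.get(rc, table["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression is True and status == PAM_SUCCESS):
                impression, status = True, rc
            if impression is True and action == "done":
                break
        else:  # "bad" or "die"
            if impression is not False:
                impression, status = False, rc
            if action == "die":
                break
    return PAM_PERM_DENIED if impression is None else status


def login(auth_stack, account_stack):
    """Application side (what a UMC-like login does): pam_authenticate(),
    then pam_acct_mgmt(); only PAM_NEW_AUTHTOK_REQD from the account phase
    lets the application open a password-change dialog (pam_chauthtok())."""
    if run_stack(auth_stack, "authenticate") != PAM_SUCCESS:
        return "authentication failed"   # pam_acct_mgmt() is never called
    rc = run_stack(account_stack, "acct_mgmt")
    if rc == PAM_NEW_AUTHTOK_REQD:
        return "password expired"        # application now calls pam_chauthtok()
    if rc != PAM_SUCCESS:
        return "account denied"
    return "logged in"


def expired_password_login(defer_pwchange, krb5_account_control, unix_acct_rc=PAM_SUCCESS):
    """Constructed scenario: a user whose Kerberos password has expired.
    Without defer_pwchange, pam_krb5 tries to change the password inside
    pam_sm_authenticate() and fails with PAM_AUTH_ERR; with it, it returns
    PAM_SUCCESS and reports the expiry from pam_sm_acct_mgmt() instead."""
    krb5_auth = Module("pam_krb5", "sufficient",
                       authenticate=PAM_SUCCESS if defer_pwchange else PAM_AUTH_ERR,
                       acct_mgmt=PAM_NEW_AUTHTOK_REQD)
    deny = Module("pam_deny", "required", PAM_AUTH_ERR, PAM_AUTH_ERR)
    krb5_acct = Module("pam_krb5", krb5_account_control, PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD)
    # unix_acct_rc is a constructed knob for "a later account module fails".
    unix_acct = Module("pam_unix", "required", PAM_SUCCESS, unix_acct_rc)
    return login([krb5_auth, deny], [krb5_acct, unix_acct])


if __name__ == "__main__":
    print("no defer_pwchange:              ", expired_password_login(False, "sufficient"))
    print("defer_pwchange, sufficient:     ", expired_password_login(True, "sufficient"))
    print("defer_pwchange, required:       ", expired_password_login(True, "required"))
    print("required + later module fails:  ", expired_password_login(True, "required", PAM_AUTH_ERR))
    print("sufficient + later module fails:", expired_password_login(True, "sufficient", PAM_AUTH_ERR))
```

Run it and the first case reproduces the "authentication failed" outcome from the test log, the second the expected password-change dialog. The last two cases show what the control flag buys: with pam_krb5 'sufficient' in the account section the stack stops at PAM_NEW_AUTHTOK_REQD, whereas with 'required' a later failing account module overrides it and the expiry dialog is lost.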
To reproduce this:
udm users/user create --set username=test1 --set password=univention --set lastname=foo --set pwdChangeNextLogin=1 --set locked=posix
Then log in to UMC with test1.
Expected result: A dialog to change the expired password is shown.
Actual result: UMC tells "authentication failed".
fix: 4.6-3A~4.2.0.201705082217

apt-cache policy libpam-heimdal
libpam-heimdal:
  Installiert:           4.6-3+b1
  Installationskandidat: 4.6-3+b1
  Versionstabelle:
 *** 4.6-3+b1 0
        100 /var/lib/dpkg/status
     4.6-3A~4.2.0.201705082217 0
        500 http://192.168.0.10/build2/ ucs_4.2-0-errata4.2-0/amd64/ Packages
     4.6-3A~4.2.0.201703231343 0
        500 https://updates.software-univention.de/4.2/maintained/ 4.2-0/amd64/ Packages
     4.6-1.22.201403250545 0
        500 https://updates.software-univention.de/4.0/maintained/ 4.0-0/amd64/ Packages
I built the package with version 4.6-3+b1A~4.2.0.201706020740.
There are some tests failing on Samba4. These are mainly two different cases:
* a user with all options can't change his password. I marked the test as XFAIL.
* a user with only kerberos and posix option can't change his password.
I don't think it's a regression.

ucs-test (7.0.21-32):
r80007 | Bug #43859: xfail current failing tests
(In reply to Florian Best from comment #16)
> There are some tests failing on Samba4. These are mainly two different cases:
> * a user with all options can't change his password. I marked the test as
> XFAIL.
> * a user with only kerberos and posix option can't change his password.
> I don't think it's a regression.
>
> ucs-test (7.0.21-32):
> r80007 | Bug #43859: xfail current failing tests

We found the reason for the failing tests:
* missing wait_for_connection_replication()
* Bug #43524

ucs-test (7.0.21-33):
r80008 | Bug #43859: wait for s4-connector replication
OK - libpam-krb5.yaml
OK - heimdal.yaml
OK - univention-management-console.yaml
OK - password change via UMC
OK - password change via UMC (s4)
OK - ucs-test
TODO jenkins
The new password tests still fail, http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-0/job/AutotestJoin/lastCompletedBuild/testReport/ but as discussed I created Bug #44744 for that.
Mismatching binary package version: 4.6-3+b1A~4.2.0.201706020740 != libpam-heimdal 4.6-3+b1 from libpam-krb5 4.6-3
(In reply to Janek Walkenhorst from comment #20)
> Mismatching binary package version: 4.6-3+b1A~4.2.0.201706020740 !=
> libpam-heimdal 4.6-3+b1 from libpam-krb5 4.6-3

The version is correct in the YAML:

$ apt-cache policy libpam-heimdal
libpam-heimdal:
  Installiert:           4.6-3+b1A~4.2.0.201706020740
  Installationskandidat: 4.6-3+b1A~4.2.0.201706020740
  Versionstabelle:
 *** 4.6-3+b1A~4.2.0.201706020740 0
        500 http://omar.knut.univention.de/build2/ ucs_4.2-0-errata4.2-0/amd64/ Packages
        100 /var/lib/dpkg/status
     4.6-3A~4.2.0.201703231343 0
        500 https://updates.software-univention.de/4.2/maintained/ 4.2-0/amd64/ Packages
     4.6-1.22.201403250545 0
        500 https://updates.software-univention.de/4.0/maintained/ 4.0-0/amd64/ Packages

$ git grep 4.6-3+b1A~4.2.0.201706020740
libpam-krb5.yaml:fix: 4.6-3+b1A~4.2.0.201706020740
OK - errata tests
<http://errata.software-univention.de/ucs/4.2/32.html>
<http://errata.software-univention.de/ucs/4.2/34.html>
<http://errata.software-univention.de/ucs/4.2/40.html>
It has been fixed upstream: https://github.com/rra/pam-krb5/commit/bf8f521d785036082425e052b290363af94ba6c5