Bug 1375133

Summary: WinSync users who have First.Last casing creates users who can have their password set
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Sudhir Menon <sumenon>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 7.3CC: abokovoy, ipa-qe, jreznik, mbabinsk, nsoman, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-13.el7 Doc Type: Known Issue
Doc Text:
The "ipa passwd" command fails when using uppercase or mixed case user names Identity Management (IdM) 4.4.0 introduced unified handling of user principals in all commands. However, some commands were not fully converted. As a consequence, the "ipa passwd" command fails when you use uppercase or mixed case letters in user names. To work around this issue, use only lower case letters in user names when using the "ipa passwd" command.
 Story Points: ---
Clone Of:
: 1389350 (view as bug list) Environment:
Last Closed: 2017-08-01 09:39:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1389350    
Attachments:
Description Flags
Output none

Description Sudhir Menon 2016-09-12 09:00:09 UTC 
Created attachment 1200105 [details]
Output

Description of problem: WinSync users who have First.Last casing creates users who can have their password set 


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Establish winsync trust with windows system
2. Now add user First.Last on windows
3. Ensure the user is synced to IPA
4. Now change the password of the user in Windows and ensure Password is True in ipa user-show command for the user
5. Now change the password on IPA for the user First.Last


Actual results:
[root@master ~]# ipa passwd First.Last
New Password: 
Enter New Password again to verify: 
ipa: ERROR: no matching entry found


Expected results: The password change should work.

Additional info: Related to bz824490
Attaching the automation logs for RHEL7.1/RHEL7.2 where the test passes whereas for RHEL7.3 it fails without any change in automation code.
Comment 3 Martin Babinsky 2016-09-13 13:53:23 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6329
Comment 5 Martin Babinsky 2016-09-14 11:10:19 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332
Comment 8 Alexander Bokovoy 2016-10-07 08:02:02 UTC 
I've added 'mixed case' in two places. Otherwise it is good.
Comment 13 Sudhir Menon 2017-05-17 10:42:41 UTC 
Tested on RHEL7.4 using

ipa-server-4.5.0-11.el7.x86_64
sssd-1.15.2-29.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-148.el7.noarch

1. Created user First.Last on AD

2. [root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
 
3. [root@master ~]# echo **** | kinit first.last
Password for first.last:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last       KEYRING:persistent:0:krb_ccache_WlO1kcG
admin            KEYRING:persistent:0:krb_ccache_EHMBwmY
 
[root@master ~]# sleep 10; kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@master ~]# echo **** | kinit admin
Password for admin:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
admin            KEYRING:persistent:0:krb_ccache_WlO1kcG
 
[root@master ~]# echo **** | ipa passwd First.Last
-----------------------------------------------
Changed password for "first.last"
-----------------------------------------------
[root@master ~]# echo $?
0
 
[root@master ~]# kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
 
[root@master ~]# echo -e "***\n*****\n*****" | kinit -V first.last
Using default cache: persistent:0:krb_ccache_WlO1kcG
Using principal: first.last
Password for first.last:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
 
[root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
 
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last       KEYRING:persistent:0:krb_ccache_WlO1kcG
 
 
[root@master ~]# ssh -o StrictHostKeyChecking=no -l first.last master.testrelm.test
Could not chdir to home directory /home/first.last: No such file or directory
-sh-4.2$ whoami
first.last
-sh-4.2$ id
uid=365200025(first.last) gid=365200025(first.last) groups=365200025(first.last) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Comment 14 errata-xmlrpc 2017-08-01 09:39:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304