Bug 2144893

Summary: changing password with ldap_password_policy = shadow does not take effect immediately
Product: Red Hat Enterprise Linux 9
Reporter: Pavel Březina <pbrezina>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: Madhuri <mupadhye>
Severity: low
Docs Contact:
Priority: low
Version: 9.2
CC: atikhono, mupadhye, pasik, pbrezina, pkettman, sgadekar
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.8.2-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 08:20:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Pavel Březina 2022-11-22 16:26:52 UTC
This is a bug in a new feature implemented in https://bugzilla.redhat.com/show_bug.cgi?id=1507035

It does not show itself during manual testing, only during automation when there are two consecutive ssh login attempts.

First ssh login says the password is expired, the password is correctly changed.

The second login attempt, however, does not refresh the user record because it happened sooner than pam_id_timeout (default 5 seconds), and therefore sssd thinks that the user's password is still expired.

The successful password change should also update shadowLastUpdate in cache.

The bug can be reproduced with the new test framework: https://github.com/pbrezina/sssd-tests-poc
The test is:

import pytest

# Client, LDAP and KnownTopology come from the test framework linked above.
# The import paths below are assumed from the framework's later layout
# (sssd_test_framework); adjust them to the checkout actually in use.
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.ldap import LDAP
from sssd_test_framework.topology import KnownTopology


@pytest.mark.topology(KnownTopology.LDAP)
def test_shadow(client: Client, ldap: LDAP):
    # Allow users to change their own password over LDAP
    ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)')
    # shadowLastChange=0 forces a password change at the next login
    ldap.user('shadowuser1').add(
        shadowMin=0, shadowMax=99999, shadowWarning=7, shadowLastChange=0,
        password='Secret123'
    )

    # Disabling pam_id_timeout makes the test pass
    # client.sssd.pam['pam_id_timeout'] = '0'
    client.sssd.domain['ldap_pwd_policy'] = 'shadow'
    client.sssd.domain['ldap_chpass_update_last_change'] = 'True'
    client.sssd.start()

    # First login: password reported expired, change it to Redhat@321
    assert client.auth.ssh.password_expired('shadowuser1', 'Secret123', 'Redhat@321')
    # Second login within pam_id_timeout: must succeed with the new password
    assert client.auth.ssh.password('shadowuser1', 'Redhat@321')
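
To make the timing interaction in the description concrete, the following is a small Python model added to this page (it is not SSSD's own code): a cached user record standing in for sysdb, a pam_id_timeout window, the shadow(5) expiry rule, and a password change that either does or does not write the new shadowLastChange back into the cache. The names login, change_password and run_scenario, the dict layout and the fixed timestamp are constructed for the example; the scenario mirrors the two-login test above and also covers the pam_id_timeout = 0 workaround mentioned in its comment.

```python
# Added example (not SSSD code): a simplified model of how a stale cached
# shadowLastChange interacts with pam_id_timeout after a password change.
# Function names, the cache structure and the timestamps are constructed here.

SECONDS_PER_DAY = 86400
PAM_ID_TIMEOUT_DEFAULT = 5  # seconds, the SSSD default for pam_id_timeout


def shadow_expired(entry, today):
    """shadow(5) semantics: a shadowLastChange of 0 forces a change at the
    next login; otherwise the password is expired once shadowMax days have
    passed since the last change. 'today' is in days since the epoch."""
    last_change = entry["shadowLastChange"]
    if last_change == 0:
        return True
    return last_change + entry["shadowMax"] < today


def login(cache, server, now, pam_id_timeout):
    """One PAM authentication: refresh the cached record from the LDAP server
    unless it was fetched less than pam_id_timeout seconds ago, then evaluate
    the shadow policy against the cached copy."""
    if cache["last_lookup"] is None or now - cache["last_lookup"] >= pam_id_timeout:
        cache["entry"] = dict(server)  # identity lookup against the server
        cache["last_lookup"] = now
    today = now // SECONDS_PER_DAY
    return "expired" if shadow_expired(cache["entry"], today) else "ok"


def change_password(cache, server, now, update_cache):
    """Password change with ldap_chpass_update_last_change = True: the server
    copy of shadowLastChange is always updated; the cached copy only when
    update_cache is set, which is the behaviour the fix adds."""
    today = now // SECONDS_PER_DAY
    server["shadowLastChange"] = today
    if update_cache:
        cache["entry"]["shadowLastChange"] = today


def run_scenario(fixed, pam_id_timeout=PAM_ID_TIMEOUT_DEFAULT):
    """Two logins one second apart, as in the test above.
    Returns the outcome of each login."""
    now = 1_700_000_000  # constructed fixed timestamp (seconds since epoch)
    # Constructed LDAP entry matching the test user's shadow attributes
    server = {"shadowMin": 0, "shadowMax": 99999, "shadowWarning": 7, "shadowLastChange": 0}
    cache = {"entry": None, "last_lookup": None}

    first = login(cache, server, now, pam_id_timeout)
    if first == "expired":
        change_password(cache, server, now, update_cache=fixed)
    second = login(cache, server, now + 1, pam_id_timeout)
    return [first, second]


if __name__ == "__main__":
    print("unfixed:", run_scenario(fixed=False))  # ['expired', 'expired']
    print("fixed:", run_scenario(fixed=True))  # ['expired', 'ok']
    print("pam_id_timeout=0:", run_scenario(fixed=False, pam_id_timeout=0))  # ['expired', 'ok']
```

The unfixed run reproduces the report: the second login falls inside the pam_id_timeout window, reuses the cached record whose shadowLastChange is still 0, and reports the password expired even though the server already holds the new value. Updating the cached shadowLastChange at password-change time (or, as a workaround, setting pam_id_timeout to 0 so every login refreshes the record) makes the second login succeed.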

Comment 1 Alexey Tikhonov 2022-12-09 13:35:04 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6478

Comment 3 Alexey Tikhonov 2022-12-16 11:20:10 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6478

* `master`
    * 7e8b97c14b8ef218d6ea23214be28d25dba13886 - ldap: update shadow last change in sysdb as well
* `sssd-2-8`
    * d7da2966f5931bac3b17f42e251adbbb7e793619 - ldap: update shadow last change in sysdb as well

Comment 10 errata-xmlrpc 2023-05-09 08:20:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2514