Bug 824490

Summary: WinSync users who have First.Last casing creates users who can have their password set
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 6.3
CC: jgalipea, mkosek, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management enforces lowercase for all user names (uid). Some operations, such as password change, may fail when a user has a non-lowercase user name. However, a winsync agreement with Active Directory may replicate such a user into the Identity Management database. Consequence: The Identity Management administrator cannot change or reset the password of such a user. Fix: The Identity Management winsync plugin now always converts both the user name and the user part of the Kerberos principal to lower case. Result: The administrator can now also change the password of users replicated from Active Directory via a winsync agreement whose user names are not lowercase.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:13:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-05-23 15:20:05 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2756

Due to the normal lowercase enforcement of uids, FreeIPA can't properly set the password for a user who was imported via a WinSync agreement. The code tries to search for a lowercase user.name and yields none, resulting in:

 ipa passwd First.Last
 New Password: 
 Enter New Password again to verify: 
 Not Found

Comment 1 Martin Kosek 2012-05-25 07:50:12 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/74293426d9b88dad1fffa1762d2be83b1eb45d02

User name in uid attribute and krbPrincipalName is now put to lower case and thus a password can be set for that user.
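The following is an added example, not the FreeIPA winsync plugin's own code or the upstream changeset, that models the failure in the description and the fix in this comment: an AD entry like the one in the ldapsearch output below is mapped to IPA attributes, and a password-set that lowercases its input and searches for an exact uid match either finds nothing (pre-fix) or finds the normalized entry (post-fix). The realm `TESTRELM.COM`, the toy `Directory` class, and the function names are assumptions for the illustration; the point worth noting is that only the user part of the principal is lowercased, since the Kerberos realm is case-sensitive and stays as-is.

```python
# Added example (not FreeIPA code): how lowercasing uid and the user part of
# krbPrincipalName lets the lowercase-only uid lookup find a winsync user.

# Assumption: the IPA realm; taken from the hostnames in the bug, not stated there.
KERBEROS_REALM = "TESTRELM.COM"

# Constructed from the ldapsearch output in the bug report (only the attributes
# the winsync mapping needs).
AD_ENTRY = {
    "sAMAccountName": "First.Last",
    "cn": "First Last",
    "sn": "Last",
    "givenName": "First",
}


def normalize_principal(principal: str) -> str:
    """Lowercase only the user part of a Kerberos principal.

    "First.Last@TESTRELM.COM" -> "first.last@TESTRELM.COM". The realm is
    case-sensitive in Kerberos and must be left untouched.
    """
    user, sep, realm = principal.partition("@")
    return user.lower() + sep + realm


def build_ipa_entry(ad_entry: dict, lowercase: bool) -> dict:
    """Derive the IPA attributes a winsync agreement would set from an AD entry.

    lowercase=False reproduces the pre-fix behaviour (uid keeps AD's casing);
    lowercase=True reproduces the fix described in Comment 1.
    """
    uid = ad_entry["sAMAccountName"]
    principal = f"{uid}@{KERBEROS_REALM}"
    if lowercase:
        uid = uid.lower()
        principal = normalize_principal(principal)
    return {
        "uid": uid,
        "krbPrincipalName": principal,
        "cn": ad_entry["cn"],
        "sn": ad_entry["sn"],
        "givenName": ad_entry["givenName"],
    }


class Directory:
    """Toy stand-in for the IPA LDAP backend: exact-match uid search only."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def add(self, entry: dict) -> None:
        self.entries.append(entry)

    def find_by_uid(self, uid: str) -> list[dict]:
        return [e for e in self.entries if e["uid"] == uid]


def set_password(directory: Directory, login: str) -> str:
    """Model of `ipa passwd <login>` as the description explains it:
    the framework lowercases the login and searches for that exact uid."""
    matches = directory.find_by_uid(login.lower())
    if not matches:
        return "Not Found"
    return f'Changed password for "{matches[0]["uid"]}"'


def demo() -> tuple[str, str]:
    """Return (pre-fix result, post-fix result) for `ipa passwd First.Last`."""
    before = Directory()
    before.add(build_ipa_entry(AD_ENTRY, lowercase=False))
    after = Directory()
    after.add(build_ipa_entry(AD_ENTRY, lowercase=True))
    return set_password(before, "First.Last"), set_password(after, "First.Last")


if __name__ == "__main__":
    pre, post = demo()
    print("pre-fix :", pre)
    print("post-fix:", post)
```

Run it directly to see the two outcomes side by side; the post-fix message matches the `Changed password for "first.last"` line in the verification comment below, while the pre-fix entry is stored as `First.Last` and is invisible to the lowercase search.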

Comment 3 Steeve Goveas 2013-01-17 15:29:58 UTC
[root@dell-pe1950-03 ~]# ldapsearch -x -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "CN=First Last,CN=users,DC=adrelm,DC=com" 
# extended LDIF
#
# LDAPv3
# base <CN=First Last,CN=users,DC=adrelm,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# First Last, Users, adrelm.com
dn: CN=First Last,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: First Last
sn: Last
givenName: First
distinguishedName: CN=First Last,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20130117151241.0Z
whenChanged: 20130117151308.0Z
displayName: First Last
uSNCreated: 446609
uSNChanged: 446615
name: First Last
objectGUID:: i1VUl3NYpU222rYTlSTNtg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130029091615312500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiFnzZEqY6qC0I54HyAYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: First.Last
sAMAccountType: 805306368
userPrincipalName: First.Last
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130029091888437500

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@dell-pe1950-03 ~]# ipa user-find First.Last
--------------
  Login shell: /bin/sh
  UID: 555000011
  GID: 555000011
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@dell-pe1950-03 ~]# ipa passwd First.Last
New Password: 
Enter New Password again to verify: 
----------------------------------------------
Changed password for "first.last"
----------------------------------------------

[root@dell-pe1950-03 ~]# ssh -l first.last dell-pe1950-03.testrelm.com
first.last.com's password: 
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user first.last.
Current Password: 
New password: 
BAD PASSWORD: is too similar to the old one
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to dell-pe1950-03.testrelm.com closed.
[root@dell-pe1950-03 ~]#

Verified in version ipa-server-3.0.0-8.el6.x86_64

Comment 5 errata-xmlrpc 2013-02-21 09:13:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html