Bug 1375133 - WinSync users who have First.Last casing creates users who can have their password set
Summary: WinSync users who have First.Last casing creates users who can have their pas...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Sudhir Menon
Marc Muehlfeld
URL:
Whiteboard:
Keywords: Regression, ZStream
Depends On:
Blocks: 1389350
TreeView+ depends on / blocked
 
Reported: 2016-09-12 09:00 UTC by Sudhir Menon
Modified: 2017-08-01 09:39 UTC (History)
8 users (show)

(edit)
The "ipa passwd" command fails when using uppercase or mixed case user names

Identity Management (IdM) 4.4.0 introduced unified handling of user principals in all commands. However, some commands were not fully converted. As a consequence, the "ipa passwd" command fails when you use uppercase or mixed case letters in user names. To work around this issue, use only lower case letters in user names when using the "ipa passwd" command.
Clone Of:
: 1389350 (view as bug list)
(edit)
Last Closed: 2017-08-01 09:39:54 UTC


Attachments (Terms of Use)
Output (8.26 KB, text/plain)
2016-09-12 09:00 UTC, Sudhir Menon
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Sudhir Menon 2016-09-12 09:00:09 UTC
Created attachment 1200105 [details]
Output

Description of problem: WinSync users who have First.Last casing creates users who can have their password set 


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Establish winsync trust with windows system
2. Now add user First.Last on windows
3. Ensure the user is synced to IPA
4. Now change the password of the user in Windows and ensure Password is True in ipa user-show command for the user
5. Now change the password on IPA for the user First.Last


Actual results:
[root@master ~]# ipa passwd First.Last
New Password: 
Enter New Password again to verify: 
ipa: ERROR: no matching entry found


Expected results: The password change should work.

Additional info: Related to bz824490
Attaching the automation logs for RHEL7.1/RHEL7.2 where the test passes whereas for RHEL7.3 it fails without any change in automation code.

Comment 3 Martin Babinsky 2016-09-13 13:53:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6329

Comment 8 Alexander Bokovoy 2016-10-07 08:02:02 UTC
I've added 'mixed case' in two places. Otherwise it is good.

Comment 13 Sudhir Menon 2017-05-17 10:42:41 UTC
Tested on RHEL7.4 using

ipa-server-4.5.0-11.el7.x86_64
sssd-1.15.2-29.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-148.el7.noarch

1. Created user First.Last on AD

2. [root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last@TESTRELM.TEST
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
 
3. [root@master ~]# echo **** | kinit first.last
Password for first.last@TESTRELM.TEST:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last@TESTRELM.TEST       KEYRING:persistent:0:krb_ccache_WlO1kcG
admin@TESTRELM.TEST            KEYRING:persistent:0:krb_ccache_EHMBwmY
 
[root@master ~]# sleep 10; kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@master ~]# echo **** | kinit admin
Password for admin@TESTRELM.TEST:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
admin@TESTRELM.TEST            KEYRING:persistent:0:krb_ccache_WlO1kcG
 
[root@master ~]# echo **** | ipa passwd First.Last
-----------------------------------------------
Changed password for "first.last@TESTRELM.TEST"
-----------------------------------------------
[root@master ~]# echo $?
0
 
[root@master ~]# kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
 
[root@master ~]# echo -e "***\n*****\n*****" | kinit -V first.last
Using default cache: persistent:0:krb_ccache_WlO1kcG
Using principal: first.last@TESTRELM.TEST
Password for first.last@TESTRELM.TEST:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
 
[root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last@TESTRELM.TEST
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
 
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last@TESTRELM.TEST       KEYRING:persistent:0:krb_ccache_WlO1kcG
 
 
[root@master ~]# ssh -o StrictHostKeyChecking=no -l first.last master.testrelm.test
Could not chdir to home directory /home/first.last: No such file or directory
-sh-4.2$ whoami
first.last
-sh-4.2$ id
uid=365200025(first.last) gid=365200025(first.last) groups=365200025(first.last) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 14 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.