1375133 – WinSync users who have First.Last casing creates users who can have their password set

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1375133 - WinSync users who have First.Last casing creates users who can have their password set

Summary: WinSync users who have First.Last casing creates users who can have their pas...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Sudhir Menon
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:	1389350
TreeView+	depends on / blocked

Reported:	2016-09-12 09:00 UTC by Sudhir Menon
Modified:	2017-08-01 09:39 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-4.4.0-13.el7
Doc Type:	Known Issue
Doc Text:	The "ipa passwd" command fails when using uppercase or mixed case user names Identity Management (IdM) 4.4.0 introduced unified handling of user principals in all commands. However, some commands were not fully converted. As a consequence, the "ipa passwd" command fails when you use uppercase or mixed case letters in user names. To work around this issue, use only lower case letters in user names when using the "ipa passwd" command.
Clone Of:
Clones:	1389350 (view as bug list)
Environment:
Last Closed:	2017-08-01 09:39:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Output (8.26 KB, text/plain) 2016-09-12 09:00 UTC, Sudhir Menon	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 12:41:35 UTC

Description Sudhir Menon 2016-09-12 09:00:09 UTC

Created attachment 1200105 [details]
Output

Description of problem: WinSync users who have First.Last casing creates users who can have their password set 


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Establish winsync trust with windows system
2. Now add user First.Last on windows
3. Ensure the user is synced to IPA
4. Now change the password of the user in Windows and ensure Password is True in ipa user-show command for the user
5. Now change the password on IPA for the user First.Last


Actual results:
[root@master ~]# ipa passwd First.Last
New Password: 
Enter New Password again to verify: 
ipa: ERROR: no matching entry found


Expected results: The password change should work.

Additional info: Related to bz824490
Attaching the automation logs for RHEL7.1/RHEL7.2 where the test passes whereas for RHEL7.3 it fails without any change in automation code.

Comment 3 Martin Babinsky 2016-09-13 13:53:23 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6329

Comment 5 Martin Babinsky 2016-09-14 11:10:19 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332

Comment 8 Alexander Bokovoy 2016-10-07 08:02:02 UTC

I've added 'mixed case' in two places. Otherwise it is good.

Comment 13 Sudhir Menon 2017-05-17 10:42:41 UTC

Tested on RHEL7.4 using

ipa-server-4.5.0-11.el7.x86_64
sssd-1.15.2-29.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-148.el7.noarch

1. Created user First.Last on AD

2. [root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
 
3. [root@master ~]# echo **** | kinit first.last
Password for first.last:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last       KEYRING:persistent:0:krb_ccache_WlO1kcG
admin            KEYRING:persistent:0:krb_ccache_EHMBwmY
 
[root@master ~]# sleep 10; kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@master ~]# echo **** | kinit admin
Password for admin:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
admin            KEYRING:persistent:0:krb_ccache_WlO1kcG
 
[root@master ~]# echo **** | ipa passwd First.Last
-----------------------------------------------
Changed password for "first.last"
-----------------------------------------------
[root@master ~]# echo $?
0
 
[root@master ~]# kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
 
[root@master ~]# echo -e "***\n*****\n*****" | kinit -V first.last
Using default cache: persistent:0:krb_ccache_WlO1kcG
Using principal: first.last
Password for first.last:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
 
[root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
 
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last       KEYRING:persistent:0:krb_ccache_WlO1kcG
 
 
[root@master ~]# ssh -o StrictHostKeyChecking=no -l first.last master.testrelm.test
Could not chdir to home directory /home/first.last: No such file or directory
-sh-4.2$ whoami
first.last
-sh-4.2$ id
uid=365200025(first.last) gid=365200025(first.last) groups=365200025(first.last) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 14 errata-xmlrpc 2017-08-01 09:39:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.