Created attachment 1200105
Output

Description of problem:
WinSync users who have First.Last casing creates users who can have their password set

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Establish winsync trust with windows system
2. Now add user First.Last on windows
3. Ensure the user is synced to IPA
4. Now change the password of the user in Windows and ensure Password is True in ipa user-show command for the user
5. Now change the password on IPA for the user First.Last

Actual results:
[root@master ~]# ipa passwd First.Last
New Password:
Enter New Password again to verify:
ipa: ERROR: no matching entry found

Expected results:
The password change should work.

Additional info:
Related to bz824490

Attaching the automation logs for RHEL7.1/RHEL7.2 where the test passes whereas for RHEL7.3 it fails without any change in automation code.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6329
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332
I've added 'mixed case' in two places. Otherwise it is good.
Tested on RHEL7.4 using
ipa-server-4.5.0-11.el7.x86_64
sssd-1.15.2-29.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-148.el7.noarch

1. Created user First.Last on AD

2. [root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last@TESTRELM.TEST
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True

3. [root@master ~]# echo **** | kinit first.last
Password for first.last@TESTRELM.TEST:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last@TESTRELM.TEST       KEYRING:persistent:0:krb_ccache_WlO1kcG
admin@TESTRELM.TEST            KEYRING:persistent:0:krb_ccache_EHMBwmY
[root@master ~]# sleep 10; kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@master ~]# echo **** | kinit admin
Password for admin@TESTRELM.TEST:
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
admin@TESTRELM.TEST            KEYRING:persistent:0:krb_ccache_WlO1kcG
[root@master ~]# echo **** | ipa passwd First.Last
-----------------------------------------------
Changed password for "first.last@TESTRELM.TEST"
-----------------------------------------------
[root@master ~]# echo $?
0
[root@master ~]# kdestroy -A
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
[root@master ~]# echo -e "***\n*****\n*****" | kinit -V first.last
Using default cache: persistent:0:krb_ccache_WlO1kcG
Using principal: first.last@TESTRELM.TEST
Password for first.last@TESTRELM.TEST:
Password expired. You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
[root@master ~]# ipa user-show First.Last
  User login: first.last
  First name: First
  Last name: Last
  Home directory: /home/first.last
  Login shell: /bin/sh
  Principal alias: first.last@TESTRELM.TEST
  UID: 365200025
  GID: 365200025
  Account disabled: False
  Password: True
  Kerberos keys available: True
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
first.last@TESTRELM.TEST       KEYRING:persistent:0:krb_ccache_WlO1kcG
[root@master ~]# ssh -o StrictHostKeyChecking=no -l first.last master.testrelm.test
Could not chdir to home directory /home/first.last: No such file or directory
-sh-4.2$ whoami
first.last
-sh-4.2$ id
uid=365200025(first.last) gid=365200025(first.last) groups=365200025(first.last) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304