Bug 1615984
| Summary: | ldapmodify userPassword reflects on krblastpwdchange on RHEL6 but not RHEL7 [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent | Docs Contact: | Filip Hanzelka <fhanzelk> |
| Priority: | urgent | ||
| Version: | 7.5 | CC: | anazmy, cpelland, fhanzelk, frenaud, gparente, ipa-maint, ndehadra, nsoman, pasik, pvoborni, rcritten, tbordaz, tmihinto, toneata, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.5.4-10.el7_5.4 | Doc Type: | Bug Fix |
| Doc Text: | *ldapmodify* now modifies a user's password correctly. Previously, when Identity Management Directory Manager modified a user's password with the *ldapmodify* command, the "krblastpwdchange" and "krbPasswordExpiration" attributes were not updated correctly. Consequently, a password that was still valid sometimes appeared to have expired, for example when running `# ipa user-show user1 --all`. With this update, *ldapmodify* correctly updates the two attributes and the password expiration date is now consistent. | Story Points: | --- |
| Clone Of: | 1590647 | Environment: | |
| Last Closed: | 2018-09-25 19:07:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1590647 | ||
| Bug Blocks: | |||
Description
Oneata Mircea Teodor
2018-08-14 16:38:09 UTC
ipa-server: ipa-server-4.5.4-10.el7_5.4.3.x86_64
389-ds-base: 389-ds-base-1.3.7.5-27.el7_5.x86_64

Verified the bug on the basis of the following observations:

1. Tested that when a new user is created and the user password is first modified using the 'ldapmodify' command, the 'krbLastPwdChange' field is updated and so is 'krbPasswordExpiration', with the correct expiration value (approx. 90 days in my case). (Note: here kinit was not run upon user creation.)

```
[root@auto-hv-01-guest10 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest10 ~]# rpm -q ipa-server
ipa-server-4.5.4-10.el7_5.4.3.x86_64
[root@auto-hv-01-guest10 ~]# ipa user-add --first=test --last=user1 --password
User login [tuser1]:
Password:
Enter Password again to verify:
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: test
  Last name: user1
  Full name: test user1
  Display name: test user1
  Initials: tu
  Home directory: /home/tuser1
  GECOS: test user1
  Login shell: /bin/sh
  Principal name: tuser1
  Principal alias: tuser1
  Email address: tuser1
  UID: 1708400001
  GID: 1708400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@auto-hv-01-guest10 ~]# ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=testrelm,dc=test uid=tuser1
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=testrelm,dc=test
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
mepManagedEntry: cn=tuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
krbExtraData:: AAKNXo5bcm9vdC9hZG1pbkBURVNUUkVMTS5URVNUAA==
krbLastPwdChange: 20180904102933Z
krbPasswordExpiration: 20180904102933Z
displayName: test user1
uid: tuser1
krbCanonicalName: tuser1
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user1
sn: user1
homeDirectory: /home/tuser1
mail: tuser1
krbPrincipalName: tuser1
givenName: test
cn: test user1
ipaUniqueID: 6ae8387a-b02d-11e8-a3fe-525400935fa5
uidNumber: 1708400001
gidNumber: 1708400001

[root@auto-hv-01-guest10 ~]# ldapmodify -v -Z -h `hostname` -x -D "cn=Directory Manager" -W << EOF
> dn: uid=tuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> replace: userPassword
> userPassword: apassword
> EOF
ldap_initialize( ldap://auto-hv-01-guest10.testrelm.test )
Enter LDAP Password:
replace userPassword: apassword
modifying entry "uid=tuser1,cn=users,cn=accounts,dc=testrelm,dc=test"
modify complete

[root@auto-hv-01-guest10 ~]# ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=testrelm,dc=test uid=tuser1
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=testrelm,dc=test
krbExtraData:: AALFXo5bcm9vdC9hZG1pbkBURVNUUkVMTS5URVNUAA==
krbLastPwdChange: 20180904103029Z
krbPasswordExpiration: 20181203103029Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
mepManagedEntry: cn=tuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
displayName: test user1
uid: tuser1
krbCanonicalName: tuser1
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user1
sn: user1
homeDirectory: /home/tuser1
mail: tuser1
krbPrincipalName: tuser1
givenName: test
cn: test user1
ipaUniqueID: 6ae8387a-b02d-11e8-a3fe-525400935fa5
uidNumber: 1708400001
gidNumber: 1708400001
```

2. Tested that when a new user is created and the user password is first modified using the 'ipa user-mod' command, the 'krbLastPwdChange' field is updated and so is 'krbPasswordExpiration', with the SAME value. (Note: the kinit command was not run for this newly created user.)

```
[root@auto-hv-01-guest10 ~]# ipa user-add --first=test --last=user2 --password
User login [tuser2]:
Password:
Enter Password again to verify:
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: test
  Last name: user2
  Full name: test user2
  Display name: test user2
  Initials: tu
  Home directory: /home/tuser2
  GECOS: test user2
  Login shell: /bin/sh
  Principal name: tuser2
  Principal alias: tuser2
  Email address: tuser2
  UID: 1708400003
  GID: 1708400003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@auto-hv-01-guest10 ~]# ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=testrelm,dc=test uid=tuser2
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=testrelm,dc=test
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
mepManagedEntry: cn=tuser2,cn=groups,cn=accounts,dc=testrelm,dc=test
krbExtraData:: AAL0Xo5bcm9vdC9hZG1pbkBURVNUUkVMTS5URVNUAA==
krbLastPwdChange: 20180904103116Z
krbPasswordExpiration: 20180904103116Z
displayName: test user2
uid: tuser2
krbCanonicalName: tuser2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user2
sn: user2
homeDirectory: /home/tuser2
mail: tuser2
krbPrincipalName: tuser2
givenName: test
cn: test user2
ipaUniqueID: a7dd6c46-b02d-11e8-a235-525400935fa5
uidNumber: 1708400003
gidNumber: 1708400003

[root@auto-hv-01-guest10 ~]# ipa user-mod tuser2 --password
Password:
Enter Password again to verify:
----------------------
Modified user "tuser2"
----------------------
  User login: tuser2
  First name: test
  Last name: user2
  Home directory: /home/tuser2
  Login shell: /bin/sh
  Principal name: tuser2
  Principal alias: tuser2
  Email address: tuser2
  UID: 1708400003
  GID: 1708400003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@auto-hv-01-guest10 ~]# ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=testrelm,dc=test uid=tuser2
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=testrelm,dc=test
krbExtraData:: AAInX45bcm9vdC9hZG1pbkBURVNUUkVMTS5URVNUAA==
krbLastPwdChange: 20180904103207Z
krbPasswordExpiration: 20180904103207Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
mepManagedEntry: cn=tuser2,cn=groups,cn=accounts,dc=testrelm,dc=test
displayName: test user2
uid: tuser2
krbCanonicalName: tuser2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user2
sn: user2
homeDirectory: /home/tuser2
mail: tuser2
krbPrincipalName: tuser2
givenName: test
cn: test user2
ipaUniqueID: a7dd6c46-b02d-11e8-a235-525400935fa5
uidNumber: 1708400003
gidNumber: 1708400003
```

3. But once the kinit command is run for the user created in step 2, the 'krbPasswordExpiration' is correctly updated (approx. 90 days in my case).

```
[root@auto-hv-01-guest10 ~]# kinit tuser2
Password for tuser2:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@auto-hv-01-guest10 ~]# ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=testrelm,dc=test uid=tuser2
SASL/GSSAPI authentication started
SASL username: tuser2
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=testrelm,dc=test
krbPasswordExpiration: 20181203103252Z
krbLastPwdChange: 20180904103252Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
displayName: test user2
uid: tuser2
krbCanonicalName: tuser2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user2
sn: user2
homeDirectory: /home/tuser2
mail: tuser2
krbPrincipalName: tuser2
givenName: test
cn: test user2
ipaUniqueID: a7dd6c46-b02d-11e8-a235-525400935fa5
uidNumber: 1708400003
gidNumber: 1708400003
```

4. Upon user deletion no record is found for the user.

```
[root@auto-hv-01-guest10 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest10 ~]# ipa user-del tuser2
---------------------
Deleted user "tuser2"
---------------------
[root@auto-hv-01-guest10 ~]# ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=testrelm,dc=test uid=tuser2
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
[root@auto-hv-01-guest10 ~]# ipa user-find tuser2
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@auto-hv-01-guest10 ~]#
```

Thus, on the basis of the above observations and comment#26, marking the status of the bug as 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2760
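An added check, written for this page and not part of the bug report or of the IPA/389-ds code, that parses `ldapsearch -LLL` output captured before and after a userPassword change and flags the condition this bug describes: krbLastPwdChange not advancing, or krbPasswordExpiration not tracking it. It assumes a 90-day password maximum life, as in the verification run above; the sample entries are constructed from that run's tuser1 values.

```python
# Added example (not from the bug report or the IPA/389-ds sources): parse
# ldapsearch -LLL output captured before and after a userPassword change and
# check that krbLastPwdChange advanced and krbPasswordExpiration moved with it.
# Assumes a 90-day password max life, as in the verification run above.
from datetime import datetime, timedelta

MAX_LIFE = timedelta(days=90)


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (handles folded lines)."""
    entry, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:  # folded continuation line
            entry[last][-1] += raw[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form, e.g. krbExtraData
            value = value[1:]
        entry.setdefault(name, []).append(value.strip())
        last = name
    return entry


def krb_time(value):
    """Convert a Kerberos generalized time (YYYYmmddHHMMSSZ) to a datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def password_change_findings(before, after, max_life=MAX_LIFE):
    """Return a list of problems; an empty list means the change was recorded."""
    findings = []
    old = krb_time(before["krbLastPwdChange"][0])
    new = krb_time(after["krbLastPwdChange"][0])
    expires = krb_time(after["krbPasswordExpiration"][0])
    if new <= old:
        findings.append("krbLastPwdChange did not advance")
    if expires == new:  # password expired at the moment it was set
        findings.append("krbPasswordExpiration equals krbLastPwdChange")
    elif expires - new != max_life:
        findings.append("krbPasswordExpiration is not krbLastPwdChange + max life")
    return findings


# Constructed sample: the tuser1 values from the verification run above.
BEFORE = parse_ldif("krbLastPwdChange: 20180904102933Z\n"
                    "krbPasswordExpiration: 20180904102933Z\n")
AFTER_FIXED = parse_ldif("krbLastPwdChange: 20180904103029Z\n"
                         "krbPasswordExpiration: 20181203103029Z\n")
```

Feeding the pre-change entry as both `before` and `after` reproduces the unfixed behaviour and yields two findings; the fixed run above yields none.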