Problem: S4-Connector Rejects - Invalid syntax: Maximum password age

Problem

When samba-tool is used to set the maximum password age (maxPwdAge) in Samba back to 0, the value stored internally is -9223372036854775808. That value is then synced to UCS/OpenLDAP, but the S4 connector rejects the change. The impact is that a newly created user cannot be moved to another container.

/var/log/univention/connector-s4.log shows:

27.03.2025 10:25:20.322 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=domain,DC=internal'
27.03.2025 10:25:20.328 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=domain,dc=internal'
27.03.2025 10:25:20.330 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=domain,dc=internal')
27.03.2025 10:26:15.665 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=domain,DC=internal'
27.03.2025 10:26:15.671 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=domain,dc=internal'
27.03.2025 10:26:15.672 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=domain,dc=internal')
27.03.2025 10:27:11.034 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=domain,DC=internal'
27.03.2025 10:27:11.039 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=domain,dc=internal'
27.03.2025 10:27:11.040 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=domain,dc=internal')

Solution

Modifying the setting on the settings/sambadomain object writes the correct value, and the S4 connector then resolves the reject.

  1. udm settings/sambadomain modify --dn "sambaDomainName=$(ucr get windows/domain),cn=samba,$(ucr get ldap/base)" --set maxPasswordAge=1

  2. udm settings/sambadomain modify --dn "sambaDomainName=$(ucr get windows/domain),cn=samba,$(ucr get ldap/base)" --set maxPasswordAge=0

Root Cause

Bug-Report 47876

univention-s4search maxPwdAge=* 1.1 maxPwdAge

# record 1
dn: DC=domain,DC=internal
maxPwdAge: -9223372036854775808
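
A check for the condition described above, as an added example that is not part of the original article or of Univention's code: it reads univention-s4search output, extracts maxPwdAge and flags the 64-bit minimum value that cannot pass the bounds check quoted in the log (0 - 86313600 seconds). The function names, the embedded sample and the plain conversion from 100-nanosecond units to seconds are assumptions of this example.

```python
import re

INT64_MIN = -(2 ** 63)         # the maxPwdAge value shown on this page
UCS_MAX_SECONDS = 86313600     # upper bound quoted in the connector-s4.log error
TICKS_PER_SECOND = 10_000_000  # AD time intervals are counted in 100 ns units

# Constructed sample in the shape of the univention-s4search output above.
SAMPLE = """\
# record 1
dn: DC=domain,DC=internal
maxPwdAge: -9223372036854775808
"""


def parse_max_pwd_age(text):
    """Return {dn: raw maxPwdAge} for each record in LDIF-style search output."""
    found, dn = {}, None
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
            continue
        match = re.match(r"maxPwdAge:\s*(-?\d+)\s*$", line)
        if match and dn is not None:
            found[dn] = int(match.group(1))
    return found


def classify(raw):
    """Return (status, seconds) for a raw maxPwdAge value.

    The seconds figure is a plain ticks-to-seconds conversion (assumption:
    the page does not say how the connector converts the value internally).
    """
    seconds = abs(raw) // TICKS_PER_SECOND
    if raw == INT64_MIN:
        return ("sentinel", seconds)       # the value behind the reject on this page
    if seconds > UCS_MAX_SECONDS:
        return ("out-of-bounds", seconds)  # a real interval above the logged limit
    return ("ok", seconds)


if __name__ == "__main__":
    for dn, raw in parse_max_pwd_age(SAMPLE).items():
        status, seconds = classify(raw)
        print(f"{dn}: maxPwdAge={raw} -> {status} ({seconds} s, limit {UCS_MAX_SECONDS} s)")
```

On a UCS system the same functions can be fed the real output of `univention-s4search maxPwdAge=* 1.1 maxPwdAge` instead of the sample.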

udm policies/pwhistory list

DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=domain,dc=internal
  expiryInterval: None
  ldapFilter: None
  length: 3
  name: default-settings
  pwLength: 8
  pwQualityCheck: None

DN: cn=Passwort_10_Zeichen,cn=policies,dc=domain,dc=internal
  expiryInterval: 730
  ldapFilter: None
  length: 1
  name: Passwort_10_Zeichen
  pwLength: 10
  pwQualityCheck: TRUE

udm settings/sambadomain list

DN: sambaDomainName=SEP,cn=samba,dc=domain,dc=internal
  NextGroupRid: 1000
  NextRid: None
  NextUserRid: 1000
  SID: S-1-5-21-2070111880-1463812749-1768392224
  badLockoutAttempts: None
  disconnectTime: None
  domainPasswordComplex: 1
  domainPasswordStoreCleartext: 0
  domainPwdProperties: 1
  lockoutDuration: None
  logonToChangePW: None
  maxPasswordAge: None
  minPasswordAge: None
  name: SEP
  passwordHistory: 0
  passwordLength: 8
  refuseMachinePWChange: None
  resetCountMinutes: None