Self Service Password Change works differently from Password Reset

Hi everyone, I noticed that when users change their passwords through the #/selfservice/passwordchange path, the password only gets updated on Kerberos/Samba through PAM as far as I can see, so all logins through LDAP still use the old password. But when I use #/selfservice/passwordforgotten, only then does it get updated in LDAP.
Is this a bug or am I doing something wrong here?

umc/self-service/allow-authenticated-use is set to true

We need more details to be able to find the problem.

The self service password-forgot method sets the new password via UDM and therefore all 3 hash types are set: userPassword, SambaNTPassword and krb5Key.

The regular password change via PAM uses pam-krb5 to change the password. The Kerberos server behind it (Heimdal or Samba4) will change all 3 password hashes also via UDM.

Ah OK, understood, so it could be a timing or congestion issue, or some service in between not acting fast enough?
I noticed now on our systems that both paths work again now.
What logs/configs would you need to investigate? I can provide them, thank you!

Hello, how should we proceed? Do you need logs from me?

  1. Create a dummy user, e.g. password=“univention”, and make an LDIF of that user object: univention-ldapsearch -LLL uid=$USERNAME
  2. Set the log level: ucr set umc/server/debug/level=99 (which logs passwords); apply the patch below, then systemctl restart univention-management-console-server
  3. Make the user password change, dump another LDIF of the user, and collect the logfile /var/log/univention/management-console-server.log

Send them to me via email: best at univention dot de

/usr/lib/python3/dist-packages/univention/management/console/pam.py
@@ -287,7 +287,7 @@ class PamAuth:
 
             if qt in (PAM_TEXT_INFO, PAM_ERROR_MSG):
                 AUTH.info('PAM says: %r', query)
-            # AUTH.error('# PAM(%d) %s: answer=%r, qt, repr(query).strip("':\" "), response)
+            AUTH.error('# PAM(%d) %s: answer=%r, qt, repr(query).strip("':\" "), response)
             yield (response, 0)
 
     def _parse_error_message_from(self, pam_err: tuple[Any, int], prompts: Sequence[tuple[str, int]]) -> str:
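
Review bot: The enabled AUTH.error(...) line has no closing quote after answer=%r, so the string literal runs on through `, qt, repr(query).strip("` and the remainder of the line does not parse; pam.py will fail to load once the change is applied. Close the format string after %r so that qt, the stripped query and response are passed as arguments. The line also writes response, the PAM answer that carries the password during a change, through AUTH.error rather than a debug-level call, so apply it only for the dummy-user test, revert it once the logfile is collected, and restrict or delete that logfile afterwards.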
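
One way to compare the two LDIF dumps from steps 1 and 3, as an added example that is not part of the original posts or Univention's code: it reports which of userPassword, sambaNTPassword and krb5Key changed, without printing the hash values. The function names and the sample LDIFs are constructed for illustration.

```python
import base64

# Attributes named in the thread; LDAP attribute names are case-insensitive.
HASH_ATTRS = ("userPassword", "sambaNTPassword", "krb5Key")

def parse_ldif_entry(text):
    """Parse a single-entry LDIF into {lowercased attr: set of byte values}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # folded continuation line
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        entry.setdefault(name.lower(), set()).add(value)
    return entry

def compare_hashes(before_ldif, after_ldif):
    """Return {attr: changed|unchanged|missing}; hash values are never printed."""
    before, after = parse_ldif_entry(before_ldif), parse_ldif_entry(after_ldif)
    result = {}
    for attr in HASH_ATTRS:
        old, new = before.get(attr.lower()), after.get(attr.lower())
        result[attr] = "missing" if not new else "unchanged" if old == new else "changed"
    return result

def sample_ldif(user_pw, nt_hash, krb_key):
    """Build a constructed LDIF for a dummy user (not real directory data)."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    key = b64(krb_key)
    return ("dn: uid=dummy,cn=users,dc=example,dc=test\n"
            f"userPassword:: {b64(user_pw)}\n"
            f"sambaNTPassword: {nt_hash}\n"
            f"krb5Key:: {key[:8]}\n {key[8:]}\n")

# Constructed case: Samba/Kerberos hashes rotated, userPassword left stale.
BEFORE = sample_ldif(b"{crypt}old", "0" * 32, b"constructed-old-key")
AFTER = sample_ldif(b"{crypt}old", "1" * 32, b"constructed-new-key")

if __name__ == "__main__":
    for attr, state in compare_hashes(BEFORE, AFTER).items():
        print(f"{attr}: {state}")
```

An "unchanged" userPassword next to "changed" sambaNTPassword and krb5Key corresponds to the symptom in the first post, where LDAP binds still accept the old password.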