https://bugzilla.redhat.com/show_bug.cgi?id=827539 (Red Hat Enterprise Linux 6)
+++ This bug was initially created as a clone of Bug #810900 +++

Description of problem:
ipa password policy: the history size feature is not working in current build

here is the short version of my test, for full test output, please check the first bug comment

0. env setup: set pwpolicy global policy to: history=3 & minlife=0
1. create a test user with initial password
2. kinit as this user, change password to "redhat001"
3. change password to "redhat002"
4. change password to "redhat003"
5. change password to "redhat004"
6. == here comes the test:
   6.1 change password to "redhat003" the one used last time
       ==> test result: password change failed as expected, test pass
   6.2 change password to "redhat002", the one used 2 times before
       ==> test result: password change success, this is not expected, test failed

Version-Release number of selected component (if applicable):
[yi@banana (RH6.3-i386) ipa-password] rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-8.el6.i686
ipa-server-2.2.0-8.el6.i686
[yi@banana (RH6.3-i386) ipa-password] rpm -qi ipa-server-2.2.0-8.el6.i686
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.2.0                        Vendor: Red Hat, Inc.
Release     : 8.el6                        Build Date: Wed 04 Apr 2012 11:23:43 AM PDT
Install Date: Fri 06 Apr 2012 09:21:02 AM PDT   Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base      Source RPM: ipa-2.2.0-8.el6.src.rpm
Size        : 3729365                      License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).
--- Additional comment from yzhang@redhat.com on 2012-04-09 11:12:14 EDT ---

[yi@banana (RH6.3-i386) ipa-password] ipa.user.add.sh
add a random ipa test user account
command used: echo pw2533 | ipa user-add testuser17634 --first=test21543 --last=ipa30508 --password 2>&1 >/dev/null
--------------
1 user matched
--------------
  dn: uid=testuser17634,cn=users,cn=accounts,dc=yzhang,dc=redhat,dc=com
  uid: testuser17634
  givenname: test21543
  sn: ipa30508
  cn: test21543 ipa30508
  displayname: test21543 ipa30508
  initials: ti
  homedirectory: /home/testuser17634
  gecos: test21543 ipa30508
  loginshell: /bin/sh
  krbprincipalname: testuser17634@YZHANG.REDHAT.COM
  uidnumber: 1021800009
  gidnumber: 1021800009
  nsaccountlock: False
  has_password: True
  has_keytab: True
  ipauniqueid: 97e94864-8253-11e1-982c-00163e8e7c35
  krbextradata: AAKe94JPcm9vdC9hZG1pbkBZWkhBTkcuUkVESEFULkNPTQA=
  krblastpwdchange: 20120409145214Z
  krbpasswordexpiration: 20120409145214Z
  krbpwdpolicyreference: cn=global_policy,cn=YZHANG.REDHAT.COM,cn=kerberos,dc=yzhang,dc=redhat,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=yzhang,dc=redhat,dc=com
  mepmanagedentry: cn=testuser17634,cn=groups,cn=accounts,dc=yzhang,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
ipa user [testuser17634] password [pw2533]
to delete: [ ipa user-del testuser17634 ]
[yi@banana (RH6.3-i386) ipa-password] ========== start ipa password history test, policy sets to 3, user testuser17634 is a brand new user with "pw2533" as password ================
-bash: ==========: command not found
[yi@banana (RH6.3-i386) ipa-password]
[yi@banana (RH6.3-i386) ipa-password] kinit testuser17634
Password for testuser17634@YZHANG.REDHAT.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[yi@banana (RH6.3-i386) ipa-password] echo redhat001 | kinit testuser17634
Password for testuser17634@YZHANG.REDHAT.COM:
[yi@banana (RH6.3-i386) ipa-password] klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testuser17634@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
04/09/12 07:53:47  04/10/12 07:53:47  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
[yi@banana (RH6.3-i386) ipa-password] === change pwpolicy minlife=0
-bash: ===: command not found
[yi@banana (RH6.3-i386) ipa-password] ipa.kinitas.admin.sh
Default principal: admin@YZHANG.REDHAT.COM
[yi@banana (RH6.3-i386) ipa-password] ipa pwpolicy-mod minlife=0
ipa: ERROR: minlife=0: password policy not found
[yi@banana (RH6.3-i386) ipa-password] ipa pwpolicy-mod --minlife=0
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 3
  Character classes: 0
  Min length: 8
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0
[yi@banana (RH6.3-i386) ipa-password] echo redhat001 | kinit testuser17634
Password for testuser17634@YZHANG.REDHAT.COM:
[yi@banana (RH6.3-i386) ipa-password] klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testuser17634@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
04/09/12 07:55:46  04/10/12 07:55:46  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
[yi@banana (RH6.3-i386) ipa-password] ipa passwd testuser17634
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------------
Changed password for "testuser17634@YZHANG.REDHAT.COM"
------------------------------------------------------
[yi@banana (RH6.3-i386) ipa-password] == just changed from "redhat001" to "redhat002"
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] ipa passwd testuser17634
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------------
Changed password for "testuser17634@YZHANG.REDHAT.COM"
------------------------------------------------------
[yi@banana (RH6.3-i386) ipa-password] == just changed from "redhat002" to "redhat003"
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] ipa passwd testuser17634
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------------
Changed password for "testuser17634@YZHANG.REDHAT.COM"
------------------------------------------------------
[yi@banana (RH6.3-i386) ipa-password] == just changed from "redhat003" to "redhat004"
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] == now we used "redhat001" "redhat002" "redhat003" in the past, current is "redhat004"
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] == let me try to change it back to "redhat003"
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] ipa passwd testuser17634
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: Constraint violation: Password reuse not permitted
[yi@banana (RH6.3-i386) ipa-password] == reuse of "redhat003" failed
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] ipa passwd testuser17634
Current Password:
New Password:
Enter New Password again to verify:
** Passwords do not match! **
New Password:
Enter New Password again to verify:
ipa: ERROR: 'password' is required
[yi@banana (RH6.3-i386) ipa-password] ipa passwd testuser17634
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------------
Changed password for "testuser17634@YZHANG.REDHAT.COM"
------------------------------------------------------
[yi@banana (RH6.3-i386) ipa-password] == reuse of "redhat002" success !!!!!!!!!!!! this is wrong
-bash: ==: command not found
[yi@banana (RH6.3-i386) ipa-password] echo redhat002 | kinit testuser17634
Password for testuser17634@YZHANG.REDHAT.COM:
[yi@banana (RH6.3-i386) ipa-password] klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testuser17634@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
04/09/12 08:00:35  04/10/12 08:00:35  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
[yi@banana (RH6.3-i386) ipa-password] rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-8.el6.i686
ipa-server-2.2.0-8.el6.i686
[yi@banana (RH6.3-i386) ipa-password] rpm -qi ipa-server-2.2.0-8.el6.i686
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.2.0                        Vendor: Red Hat, Inc.
Release     : 8.el6                        Build Date: Wed 04 Apr 2012 11:23:43 AM PDT
Install Date: Fri 06 Apr 2012 09:21:02 AM PDT   Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base      Source RPM: ipa-2.2.0-8.el6.src.rpm
Size        : 3729365                      License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).
[yi@banana (RH6.3-i386) ipa-password]

--- Additional comment from pm-rhel@redhat.com on 2012-04-09 11:22:03 EDT ---

Since this issue was entered in bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
--- Additional comment from pm-rhel@redhat.com on 2012-04-09 11:51:49 EDT ---

This bugzilla has Keywords: Regression or TestBlocker. Since no regressions or test blockers are allowed between releases, it is also being [proposed|marked] as a blocker for this release. Please resolve ASAP.

--- Additional comment from rcritten@redhat.com on 2012-04-09 13:10:43 EDT ---

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2613

--- Additional comment from mkosek@redhat.com on 2012-04-10 12:34:50 EDT ---

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/35f44a1aebe0350884113c0ce57c2aeb736c714b
ipa-2-2: https://fedorahosted.org/freeipa/changeset/a570cef67f117471839bdca01cc79a64e546582f

--- Additional comment from errata-xmlrpc@redhat.com on 2012-04-10 21:01:12 EDT ---

Bug report changed to ON_QA status by Errata System. A QE request has been submitted for advisory RHEA-2012:12631-01 http://errata.devel.redhat.com/errata/show/12631

--- Additional comment from errata-xmlrpc@redhat.com on 2012-04-10 21:01:15 EDT ---

Bug report changed to ON_QA status by Errata System. A QE request has been submitted for advisory RHEA-2012:12631-01 http://errata.devel.redhat.com/errata/show/12631

--- Additional comment from mkosek@redhat.com on 2012-04-25 07:31:59 EDT ---

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: IPA password policy plugin for Directory Server did not sort properly a history of user passwords when it was checking the sanity of password change.
Consequence: The user password history was sorted randomly and thus a random password was being removed rather than the oldest when the list overflowed. User then may have been able to bypass the current password policy requirement for password repetition.
Fix: User password are now sorted properly in the IPA password plugin for Directory Server.
Result: The password plugin properly enforces password policy requirement for password repetition.

--- Additional comment from yzhang@redhat.com on 2012-05-19 00:41:33 EDT ---

I am not sure if the bug is being fixed, I need developers echo to verify my test.

my test steps :
1. env setup: set password policy : history = 3
2. create user "user001" with initial password "redhat"
3. kinit as user001, ipa prompt password change, change password to "redhat001"
4. use "ipa passwd user001" change password from "redhat001" to "redhat002"
5. change password from "redhat002" to "redhat003"
6. change password from "redhat003" to "redhat004"
7. change password from "redhat004" to "redhat005"

up to this point, the history of password is below:
(initial)redhat->redhat001->redhat002->redhat003->redhat004->redhat005(current)

start test for history: use ipa passwd user001 to change password back to previous used password
8. change to "redhat004" failed, as expected
9. change to "redhat003" failed, as expected
10. change to "redhat002" success -- I don't know if it means test pass or failed
11. change to "redhat001" success as expected

At step 10: I am not sure if reuse "redhat002" means the test success or fail. It depends how to view "history=3". If history size count including current password (redhat005 in this case), then test pass. If not, then test failed. I need developers echo to verify the bug. Thanks!
My full test and its output is below:
========================= start of test =========================
[yi@fig (RH6.3-x86_64) ~] ipa pwpolicy-mod --history=3
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 3
  Character classes: 1
  Min length: 2
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
[yi@fig (RH6.3-x86_64) ~] ipa user-add user001
First name: test
Last name: user001
--------------------
Added user "user001"
--------------------
  User login: user001
  First name: test
  Last name: user001
  Full name: test user001
  Display name: test user001
  Initials: tu
  Home directory: /home/user001
  GECOS field: test user001
  Login shell: /bin/sh
  Kerberos principal: user001@YZHANG.REDHAT.COM
  UID: 1323600010
  GID: 1323600010
  Password: False
  Kerberos keys available: False
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "user001@YZHANG.REDHAT.COM"
------------------------------------------------
[yi@fig (RH6.3-x86_64) ~] kinit user001
Password for user001@YZHANG.REDHAT.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[yi@fig (RH6.3-x86_64) ~] echo initial password: redhat
initial password: redhat
[yi@fig (RH6.3-x86_64) ~] echo redhat001 | kinit user001
Password for user001@YZHANG.REDHAT.COM:
[yi@fig (RH6.3-x86_64) ~] klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user001@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
05/18/12 21:28:44  05/19/12 21:28:44  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "user001@YZHANG.REDHAT.COM"
------------------------------------------------
[yi@fig (RH6.3-x86_64) ~] echo redhat002 | kinit user001
Password for user001@YZHANG.REDHAT.COM:
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "user001@YZHANG.REDHAT.COM"
------------------------------------------------
[yi@fig (RH6.3-x86_64) ~] echo redhat003 | kinit user001
Password for user001@YZHANG.REDHAT.COM:
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "user001@YZHANG.REDHAT.COM"
------------------------------------------------
[yi@fig (RH6.3-x86_64) ~] echo redhat004 | kinit user001
Password for user001@YZHANG.REDHAT.COM:
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "user001@YZHANG.REDHAT.COM"
------------------------------------------------
[yi@fig (RH6.3-x86_64) ~] echo redhat005 | kinit user001
Password for user001@YZHANG.REDHAT.COM:
[yi@fig (RH6.3-x86_64) ~] echo up to this point, redhat001->redhat002->redhat003->redhat004->redhat005(current), i will try previous password now: starts from redhat004
-bash: syntax error near unexpected token `('
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
** Passwords do not match! **
New Password:
Enter New Password again to verify:
ipa: ERROR: Constraint violation: Password reuse not permitted
[yi@fig (RH6.3-x86_64) ~] echo reuse "redhat004" failed
reuse redhat004 failed
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: Constraint violation: Password reuse not permitted
[yi@fig (RH6.3-x86_64) ~] echo reuse "redhat003" failed
reuse redhat003 failed
[yi@fig (RH6.3-x86_64) ~] ipa passwd user001
Current Password:
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "user001@YZHANG.REDHAT.COM"
------------------------------------------------
[yi@fig (RH6.3-x86_64) ~] echo reuse "redhat002" success
reuse redhat002 success
[yi@fig (RH6.3-x86_64) ~] ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 3
  Character classes: 1
  Min length: 2
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
[yi@fig (RH6.3-x86_64) ~]
================================= end of test ==================

--- Additional comment from rcritten@redhat.com on 2012-05-21 09:46:50 EDT ---

Yes, the current password is included. This is to prevent people from just changing the password to the same thing.

This is operating as expected.

--- Additional comment from yzhang@redhat.com on 2012-05-31 18:00:32 EDT ---

I have to re-open this bug. The newly found problem seems to relate to group password policy.

For group password policy, when history size set to "N", the actual size is "N-1". -- please note, I already count the current working password.

The bug does not happen all the time for all users. It relates to group password policy, and it (seems) only affects newly created users. I haven't found out the exact condition to trigger the problem but I have a script that is able to consistently reproduce it.

Whenever the problem appears, there is an error msg in dirsrv log file that says:
ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!

to verify the bug, execute the test case: ipapassword_grouppolicy_history_default in iparhts/acceptance/ipa-password/t.ipapassword.sh under test group: ipapassword_grouppolicy()

at this point, the test environment is ready to use: 10.14.16.178 + redhat
The test script is here: /export/iparhts/acceptance/ipa-password/debug
please do:
cd /export/iparhts/acceptance/ipa-password/debug
./test.sh

--- Additional comment from dpal@redhat.com on 2012-06-01 13:49:41 EDT ---

Though it is a different issue we will reopen and move to 6.4.
There is a problem where we emit a message that history setting failed if policy has no history setting, a red herring.
If I understand this script correctly, you are doing this:
What is important is when that first password is set. In this case it is set before the password policy is created. The default password policy has history=0, so no history is stored (and the red herring message confirms this).
That first password isn't considered part of the history which is why it is allowed as the last step.
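A small model of the history check the comments above describe, added here as an illustration; it is not code from the IPA plugin, the ticket's patch, or any commenter. It assumes history values of the form "<timestamp>Z<hash>" (so sorting the strings sorts them chronologically), uses a truncated SHA-256 as a stand-in for the stored hash, and models the pre-fix behaviour from the technical note as trimming the values in whatever order the directory returned them. The scenario values mirror the redhat001..redhat005 steps of the test comment.

```python
"""Model of IPA-style password history enforcement (illustrative, not plugin code)."""
import hashlib


def pw_hash(pw: str) -> str:
    # Stand-in for the hash the directory server would store; truncated for readability.
    return hashlib.sha256(pw.encode()).hexdigest()[:12]


def history_value(ts: str, pw: str) -> str:
    # Assumed on-disk form: timestamp prefix, then the hash.
    return f"{ts}Z{pw_hash(pw)}"


def trim_history(values, history_size, sort_first):
    """Keep the newest history_size-1 values; the current password fills the
    remaining slot, which is why rcritten's comment counts it in the size.
    The fixed plugin sorts before trimming; the buggy one trimmed whatever
    order the multi-valued attribute arrived in, evicting an arbitrary entry."""
    keep = max(history_size - 1, 0)
    values = sorted(values) if sort_first else list(values)
    while len(values) > keep:
        values.pop(0)  # intended to drop the oldest entry
    return values


def reuse_denied(candidate, current, history):
    # "Password reuse not permitted" when the candidate matches the current
    # password or any retained history entry.
    h = pw_hash(candidate)
    return h == pw_hash(current) or any(v.endswith(h) for v in history)


# Constructed scenario: four previous passwords, redhat005 is current.
TIMES = ["20120518212844", "20120518212901", "20120518212930", "20120518213002"]
OLD = ["redhat001", "redhat002", "redhat003", "redhat004"]
CURRENT = "redhat005"
# Constructed arrival order: LDAP multi-valued attributes carry no ordering guarantee.
ARRIVED = [history_value(TIMES[i], OLD[i]) for i in (2, 0, 3, 1)]


def evaluate(sort_first, history_size=3):
    """Return, for each password, whether a change to it would be refused."""
    hist = trim_history(ARRIVED, history_size, sort_first)
    return {pw: reuse_denied(pw, CURRENT, hist) for pw in OLD + [CURRENT]}


if __name__ == "__main__":
    print("fixed :", evaluate(True))   # redhat003/004/005 refused
    print("buggy :", evaluate(False))  # redhat003 slips through, redhat002 refused
```

With history=3 the sorted path refuses the two most recent passwords plus the current one, matching steps 8-11 of the test comment; the unsorted path keeps the wrong entries, which is the "password used 2 times before" success from comment 0.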
attachment freeipa-rcrit-1047-history.patch
master: 3eadcdf
ipa-3-0: 7d3ee1d
Moving closed RC1 tickets to Beta 3.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 Beta 3