authpolicy: Remember latest 2 machine passwords
Issue description

https://blogs.msdn.microsoft.com/sudhakan/2010/01/07/windows-machine-account-passwords-and-vm-snapshots/

For the sake of reliability, the computer always remembers its last two machine passwords: the current one and the preceding one. This is necessary because a password change may take time to propagate to all domain controllers in the forest, so it is sometimes necessary to use the old password as well.
Mar 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/855e9ad62866a238e303fb05752fa87b68246fe7

commit 855e9ad62866a238e303fb05752fa87b68246fe7
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Mar 20 07:00:22 2018

authpolicy: Periodically change machine password

Runs a service in authpolicyd that periodically checks the password age and renews it if it's older than 30 days by default (can be customized with the DeviceMachinePasswordChangeRate policy). Password renewal helps increase security (hackers have less time to brute force a password) and it helps Active Directory admins to clear out stale machine accounts.

Keeps the old machine password around and uses that for kinit in case the current password fails. This is important for large Active Directory deployments where the machine password might not have propagated through Active Directory yet after a password change, but the old one is still accepted (could use propagation retry alternatively, but that's slower).

CQ-DEPEND=CL:921622,CL:913409
BUG=chromium:777979, chromium:815139
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: Ieb8745a0d9100cfa1a5d4d89911710dd9ce5bc7a
Reviewed-on: https://chromium-review.googlesource.com/924123
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>

[add] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/stub_kpasswd_main.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/tgt_manager.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/authpolicy_metrics.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/constants.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/platform_helper.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/path_service.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/samba_helper.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/platform_helper.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/stub_common.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/samba_interface.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/constants.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/path_service.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/authpolicy.gyp
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/stub_net_main.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/authpolicy_metrics.h
[add] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/seccomp_filters/kpasswd-seccomp.policy
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/tgt_manager.cc
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/samba_interface.h
[modify] https://crrev.com/855e9ad62866a238e303fb05752fa87b68246fe7/authpolicy/stub_common.cc
Mar 20 2018
Apr 24 2018
To verify this bug I set the DeviceMachinePasswordChangeRate policy to 1. When I logged into the device 24 hr after first sign-in, the password was changed, but with errors:

2018-04-24T15:17:59.718709-07:00 INFO authpolicyd[10994]: authpolicyd starting
2018-04-24T15:17:59.721914-07:00 INFO authpolicyd[10994]: Read configuration file '/var/lib/authpolicyd/config.dat'
2018-04-24T15:17:59.722749-07:00 INFO authpolicyd[10994]: Running scheduled machine password age check
2018-04-24T15:18:05.528862-07:00 INFO authpolicyd[10994]: Machine password is older than 1 days. Changing.
2018-04-24T15:18:05.542558-07:00 INFO authpolicyd[10994]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
2018-04-24T15:18:08.322558-07:00 INFO authpolicyd[10994]: libminijail[2]: child process 12 exited with status 1
2018-04-24T15:18:08.322871-07:00 ERR authpolicyd[10994]: kpasswd failed - failed to contact KDC
2018-04-24T15:18:08.322950-07:00 ERR authpolicyd[10994]: Machine password check failed with error 23

Now it looks like it creates new_machine_pass for every login:

localhost / # grep -i wrote /var/log/authpolicy.*
/var/log/authpolicy.1.log:2018-04-23T21:24:20.912084+00:00 INFO authpolicyd[3026]: Wrote machine password file '/var/lib/authpolicyd/machine_pass'
/var/log/authpolicy.1.log:2018-04-23T21:24:20.912423+00:00 INFO authpolicyd[3026]: Wrote configuration file '/var/lib/authpolicyd/config.dat'
/var/log/authpolicy.log:2018-04-24T15:18:05.542558-07:00 INFO authpolicyd[10994]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
/var/log/authpolicy.log:2018-04-24T15:21:12.338902-07:00 INFO authpolicyd[12012]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
/var/log/authpolicy.log:2018-04-24T15:26:21.455517-07:00 INFO authpolicyd[12906]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
/var/log/authpolicy.log:2018-04-24T15:28:20.907589-07:00 INFO authpolicyd[13703]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
/var/log/authpolicy.log:2018-04-24T15:31:23.247101-07:00 INFO authpolicyd[14478]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
/var/log/authpolicy.log:2018-04-24T15:32:38.187493-07:00 INFO authpolicyd[15273]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
localhost / #

Also, every other login it shows a "Sign-in error" notification because the TGT is not renewing (see attached authpolicy.log). There is no message for the user about password changes (I think that's correct according to the policy description).
Apr 24 2018
Chrome OS: 10575.12.0 Chrome: 67.0.3396.16 Device: Santa
Apr 25 2018
May 3 2018
There was an issue with the first machine password change on startup, which caused the "failed to contact KDC" error. I've uploaded a fix. I can't reproduce the sign-in error, though.
May 9 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/546c97948f6092de7af72392f4aead79c1f5863f

commit 546c97948f6092de7af72392f4aead79c1f5863f
Author: Lutz Justen <ljusten@chromium.org>
Date: Wed May 09 21:40:17 2018

authpolicy: Fix machine password change

The initial machine password change failed since the KDC IP wasn't set.

BUG=chromium:815139
TEST=On device, log in as AD user, log out, open console, type touch -d "40 days ago" /var/lib/authpolicyd/machine_pass to make the password file old, log back in, check /var/log/authpolicy.log, should say "Successfully changed machine password" and not "kpasswd failed - failed to contact KDC".

Change-Id: I247906ddd7e28113f9a2ece45043c37c9ca9848d
Reviewed-on: https://chromium-review.googlesource.com/1041785
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/546c97948f6092de7af72392f4aead79c1f5863f/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/546c97948f6092de7af72392f4aead79c1f5863f/authpolicy/samba_interface.cc
[modify] https://crrev.com/546c97948f6092de7af72392f4aead79c1f5863f/authpolicy/tgt_manager.cc
May 11 2018
Ivan, please try again. See comment #8 for test instructions (so you don't have to wait a day for a password change).
May 11 2018
I have tried this again. Please note that I can't log in as an AD user due to https://bugs.chromium.org/p/chromium/issues/detail?id=839346#c6

Steps:
1. Join AD Domain, machine_pass file was created
2. Attempt to login as AD user -> crash
3. machine_pass date was changed
4. Attempt to login as AD user again -> crash

Looks like machine_pass was changed correctly:

localhost / # ls -l /var/lib/authpolicyd/
total 12
-r--------. 1 authpolicyd authpolicyd 28 May 11 14:43 config.dat
-rw-------. 1 authpolicyd authpolicyd 96 May 11 14:47 machine_pass
-rw-------. 1 authpolicyd authpolicyd 96 Apr  1 14:46 prev_machine_pass
localhost / #

In authpolicy.log (attached) we can see the following:

2018-05-11T21:47:17.540370+00:00 INFO authpolicyd[4563]: Wrote machine password file '/var/lib/authpolicyd/new_machine_pass'
2018-05-11T21:47:18.514627+00:00 INFO authpolicyd[4563]: Successfully changed machine password

... but there is no new_machine_pass file?

Chrome OS: 10666.0.0 Chrome: 68.0.3425.0 Device: Robo360
May 11 2018
This is expected. The password files are rotated (curr->old and new->curr).
May 11 2018
Ok, thanks! I just tried this with a Guest:
1. Join AD Domain, machine_pass file created
2. Login as Guest, logout
3. Change the date
4. Login again as Guest, check authpolicy.log - machine_pass is NOT changed
5. Logout, check authpolicy.log - machine_pass is changed

It's not exactly the same steps as you have mentioned in comment #8. Could you please confirm that this is correct behavior? authpolicy.log attached
May 12 2018
This is correct. We do a check once at authpolicyd startup and then once every 2 hours. Authpolicyd is restarted at logout, but not at login, so it's expected to change at logout.
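The rotation scheme pieced together in this thread (age check against the mtime of machine_pass, a staged write of new_machine_pass, kpasswd, then the curr->old and new->curr rotation, with kinit falling back to the previous password when a domain controller has not yet seen the change) as an added Python model. This is not authpolicyd's code and not from the commits above; the FakeKdc class, the use of a temporary directory with the three file names from the ls output, the 30-day change rate and the 40-day-old mtime from the TEST= instructions are all assumptions made for the example.

```python
"""Added example: a minimal model of the machine password rotation discussed
in this bug. Not authpolicyd code; FakeKdc, the directory layout and the
rates are assumptions."""
import os
import secrets
import tempfile
import time

CURR = "machine_pass"        # current password; file mtime = last change
PREV = "prev_machine_pass"   # previous password, kept for stale DCs
NEW = "new_machine_pass"     # staged password while a change is in flight


class FakeKdc:
    """Stand-in for one domain controller (assumption, not a real KDC).
    It accepts every password it has learned; a DC that never received the
    kpasswd keeps accepting only the old one, which is why PREV is kept."""

    def __init__(self, password, reachable=True):
        self.accepted = {password}
        self.reachable = reachable

    def kpasswd(self, old, new):
        if not self.reachable:
            raise ConnectionError("kpasswd failed - failed to contact KDC")
        if old not in self.accepted:
            raise PermissionError("old password rejected")
        self.accepted.add(new)

    def kinit(self, password):
        return self.reachable and password in self.accepted


def read_pass(path):
    with open(path) as f:
        return f.read()


def write_private(path, data):
    # Create with mode 0600, matching the permissions in the ls output above.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def password_age_days(pass_dir, now=None):
    """Age of the current password from the mtime of machine_pass
    (which is why `touch -d "40 days ago"` forces a change)."""
    now = time.time() if now is None else now
    return (now - os.stat(os.path.join(pass_dir, CURR)).st_mtime) / 86400


def change_machine_password(pass_dir, kdc, change_rate_days, now=None):
    """One scheduled age check. Returns 'fresh', 'failed' or 'changed'."""
    if password_age_days(pass_dir, now) < change_rate_days:
        return "fresh"
    curr_path = os.path.join(pass_dir, CURR)
    new_path = os.path.join(pass_dir, NEW)
    new = secrets.token_urlsafe(48)
    # Stage the new secret on disk before talking to the KDC, so a crash
    # between kpasswd and the rename cannot lose the only copy of it.
    write_private(new_path, new)
    try:
        kdc.kpasswd(read_pass(curr_path), new)
    except (ConnectionError, PermissionError):
        os.unlink(new_path)      # nothing changed server-side; discard it
        return "failed"
    os.replace(curr_path, os.path.join(pass_dir, PREV))  # curr -> old
    os.replace(new_path, curr_path)                      # new -> curr
    return "changed"


def kinit_with_fallback(pass_dir, kdc):
    """Try the current password first, then the previous one. Returns the
    name of the file whose password the KDC accepted, or None."""
    for name in (CURR, PREV):
        path = os.path.join(pass_dir, name)
        if os.path.exists(path) and kdc.kinit(read_pass(path)):
            return name
    return None


def demo():
    """Walks through the failure and success cases seen in this thread."""
    with tempfile.TemporaryDirectory() as d:
        initial = "initial-secret"                      # constructed value
        write_private(os.path.join(d, CURR), initial)
        old = time.time() - 40 * 86400                  # touch -d "40 days ago"
        os.utime(os.path.join(d, CURR), (old, old))
        r = {}
        dc = FakeKdc(initial, reachable=False)          # KDC not contactable
        r["unreachable"] = change_machine_password(d, dc, 30)
        r["staged_left"] = os.path.exists(os.path.join(d, NEW))
        dc.reachable = True
        r["changed"] = change_machine_password(d, dc, 30)
        r["files"] = sorted(os.listdir(d))
        r["again"] = change_machine_password(d, dc, 30)
        stale_dc = FakeKdc(initial)                     # never saw the change
        r["stale_dc"] = kinit_with_fallback(d, stale_dc)
        r["fresh_dc"] = kinit_with_fallback(d, dc)
        return r


if __name__ == "__main__":
    print(demo())
```

The demo reproduces what the comments report: with the KDC unreachable the check returns "failed" and leaves no new_machine_pass behind; once it succeeds, only machine_pass and prev_machine_pass remain, because the staged file is renamed into place rather than copied; a second check on the freshly rotated file returns "fresh"; and a DC that never received the kpasswd still authenticates the machine via prev_machine_pass. One caveat the model does not handle: if the process dies after kpasswd succeeded but before the renames, new_machine_pass holds the only password the KDC accepts, so a production implementation should also try a leftover new_machine_pass at startup before deciding the change failed.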
May 14 2018
Thanks, Lutz! Marked as "Verified".
Comment 1 by ljusten@chromium.org, Mar 9 2018