Chromad: Password change flow broken
Issue description

The password change flow is broken. If you sign in with an account where the password is expired, Chrome lets you in and doesn't show the password change screen. It also shows a popup 'failed to get the auth token'. I checked authpolicy, and it returns ERROR_PASSWORD_EXPIRED, so it seems like a Chrome issue (also, the autotest still passes).
Jun 5 2018
Steps to repro:
1. Enroll Chromebook into Active Directory mode
2. Authenticate with AD user, logout
3. Set "User has to change password on the next login" for that user
4. Login again (from the user pod)

What's expected: Notification "Password is expired, logout and login back"
What happens: No notification
Jun 7 2018
I confirm this issue. It shows notification (see attached screenshot), but it's not about password change. Also after logout you can login with the same old password.

Chrome Version: 69.0.3451.0
Chrome OS: 10757.0.0
Device: Santa
Jun 8 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/ddc574af0bd921f643e3fd66ee36ec57c691b03e

commit ddc574af0bd921f643e3fd66ee36ec57c691b03e
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Jun 08 16:00:17 2018

authpolicy: Fix password change flow

In case a user logs in from the PODs screen (so-called "offline logon", but actually being online), and their password is expired, AuthenticateUser() returns ERROR_PASSWORD_EXPIRED, but it's not picked up by Chrome since Chrome doesn't wait for the result on the PODs screen. Chrome signs the user in and calls GetUserStatus(). If the TGT is not valid, the GetUserStatus() call just returns success, but does not set the password status, so Chrome never gets notified of this.

This CL checks the last auth error and sets the password status to
- PASSWORD_EXPIRED if last auth error was ERROR_PASSWORD_EXPIRED and
- PASSWORD_CHANGED if last auth error was ERROR_BAD_PASSWORD.
The rationale for the latter is that the password must have been an old, valid password since the Cryptohome mount succeeded.

Also adds a debug flag for logging the GetUserStatus() result.

BUG=chromium:849318
TEST=1) Set account password to expired in AD, log on from PODs screen. You should get a notification that the password expired and relog should take you to online logon, where you can change the password.
2) Change password in AD, log on from PODs screen. You should get a notification that the password changed on the server and relog should take you to online logon, where you have to enter the old and new password.

Change-Id: Iabc6fe0822e59f741c1cd365231f0f8215df3b02
Reviewed-on: https://chromium-review.googlesource.com/1090711
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/log_colors.h
[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/samba_interface.cc
[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/authpolicy_flags.cc
[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/authpolicy_flags_unittest.cc
[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/ddc574af0bd921f643e3fd66ee36ec57c691b03e/authpolicy/log_colors.cc
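The status mapping described in the commit message above, as an added example that is not the authpolicy source: a simplified C++ model of GetUserStatus() before and after the fix, showing how the expired password went unreported. ERROR_NONE, PASSWORD_VALID, the Session struct and all function names are assumptions for illustration.

```cpp
#include <cstdio>

// Simplified model of the flow in the commit message. Only AuthenticateUser(),
// GetUserStatus() and the ERROR_*/PASSWORD_* names quoted there come from the
// page; ERROR_NONE, PASSWORD_VALID, Session and all function names are assumed.
enum ErrorType { ERROR_NONE, ERROR_BAD_PASSWORD, ERROR_PASSWORD_EXPIRED };
enum PasswordStatus { PASSWORD_VALID, PASSWORD_EXPIRED, PASSWORD_CHANGED };

struct Session {
  ErrorType last_auth_error = ERROR_NONE;
  bool tgt_valid = false;
  PasswordStatus status_with_tgt = PASSWORD_VALID;  // what a valid TGT yields
};

// Stands in for AuthenticateUser(): the result is stored even though Chrome
// does not wait for it on the PODs screen.
Session Authenticate(ErrorType result) {
  Session s;
  s.last_auth_error = result;
  s.tgt_valid = (result == ERROR_NONE);
  return s;
}

// Before the fix: without a valid TGT the call succeeds and leaves the
// password status at its default, so the expiry is never reported.
PasswordStatus StatusBeforeFix(const Session& s) {
  PasswordStatus status = PASSWORD_VALID;
  if (s.tgt_valid) status = s.status_with_tgt;
  return status;
}

// After the fix: without a valid TGT, derive the status from the last auth error.
PasswordStatus StatusAfterFix(const Session& s) {
  if (s.tgt_valid) return s.status_with_tgt;
  switch (s.last_auth_error) {
    case ERROR_PASSWORD_EXPIRED: return PASSWORD_EXPIRED;
    case ERROR_BAD_PASSWORD:     return PASSWORD_CHANGED;  // old password still mounted Cryptohome
    default:                     return PASSWORD_VALID;
  }
}

int main() {
  const ErrorType results[] = {ERROR_NONE, ERROR_BAD_PASSWORD, ERROR_PASSWORD_EXPIRED};
  for (ErrorType r : results) {
    Session s = Authenticate(r);
    std::printf("auth error %d: before fix %d, after fix %d\n", r,
                StatusBeforeFix(s), StatusAfterFix(s));
  }
  return 0;
}
```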
Jun 8 2018
Jun 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/system_api/+/fdba47dba5c6f9560d88e22b1aed5c43715cbbc0

commit fdba47dba5c6f9560d88e22b1aed5c43715cbbc0
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jun 21 15:14:28 2018

authpolicy: Remove unused field

Removes last_auth_error from ActiveDirectoryUserStatus as it's not needed anymore. It was supposed to detect whether the Active Directory server can be accessed, but that turns out to be flaky since the network might be switching during AuthenticateUser(). Calling PingServer() in GetUserStatus() is more robust. Also, Chrome never used it, so it's safe to remove.

CQ-DEPEND=CL:1090711
BUG=chromium:849318
TEST=trybots

Change-Id: I16d49d795becf813dab88357b3f611c3459cfbe4
Reviewed-on: https://chromium-review.googlesource.com/1086795
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/fdba47dba5c6f9560d88e22b1aed5c43715cbbc0/dbus/authpolicy/active_directory_info.proto
Aug 17
Verified fixed, when "User must change password at next logon" is set, the notification that the password expired is shown (Screenshot 1). At next logon, user is prompted to change the password (Screenshot 2) and provide the old password (Screenshot 3), after that login succeeded.

Chrome OS: 10895.26.0
Chrome: 69.0.3497.36
Device: Robo

Chrome OS: 10975.0.0
Chrome: 70.0.3524.2
Device: Santa
Comment 1 by rsorokin@chromium.org, Jun 4 2018