Expired or must change password with linux/unix/mac clients against
Samba4 KDC
Matthieu Patou
mat+Informatique.Samba at matws.net
Fri Jan 30 20:04:14 GMT 2009
Dear all,
I discovered recently that it is impossible to change the password for
an account whose password has expired or is flagged as must be changed at
next login.
I first tried with kpasswd (i.e. kpasswd user_tst); the server immediately
replies with error_code: KRB5KDC_ERR_KEY_EXP without asking for the
password (by the way, it might be a security issue because it makes it
easy to know which accounts have a password that is either expired or
needs to be changed at next login). I also tried with libpam-krb5 3.12
(the latest stable); in this case PAM first tries to talk to the
krbtgt/REALM server, then prompts for the password and then talks to
kadmin/changepw, but in both cases it received KRB5KDC_ERR_KEY_EXP.
If you have a look at the kpasswd/W2K3 exchange, we can see that things
are completely different:
* First the server asks the client for a password by replying with
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
* Then, after checking that the password is correct, the server replies
with error_code KRB5KDC_ERR_KEY_EXP
* The client then issues a request to the kadmin/changepw server, which is
first answered with the KRB5KDC_ERR_PREAUTH_REQUIRED error_code, and once
the client provides the password the request is validated
* The client can then prompt for a new password and go ahead with the
process of changing the password.
Is it possible to make some changes to the Samba KDC so that we achieve
more or less the same behavior?
More precisely, I am thinking of bypassing the call to authsam_account_ok
if the server name is kadmin/changepw.
I attached network captures of the kinit client versus Samba4
(4.0.0alpha7-GIT-d8f15e4) and versus Windows 2003R2.
Any comments ?
Matthieu.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kinit2
Type: application/octet-stream
Size: 3099 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090130/038e00fd/kinit2.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kinit_samba
Type: application/octet-stream
Size: 1812 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090130/038e00fd/kinit_samba.obj
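The two KDC behaviours described in the message above, modelled as an added example (this is constructed illustration code, not Samba's or Windows' implementation): one KDC evaluates the account's expiry state before pre-authentication, the other requires pre-authentication first and exempts kadmin/changepw from the expiry check, which is the change proposed for authsam_account_ok. The Account/AsReq records, the use of a plaintext password as a stand-in for the PA-ENC-TIMESTAMP proof, and all function names are assumptions; only the KRB-ERROR code values are real (RFC 4120). The client flow reproduces the four-step exchange from the post, and probe_expired() shows why answering KEY_EXP before pre-authentication lets an unauthenticated party tell expired accounts apart.

```python
"""Toy model of a Kerberos AS exchange against an expired account.

Constructed example, not Samba or Windows code. Assumptions: account
records, a password standing in for PA-ENC-TIMESTAMP, and the
function names below. Error code values are from RFC 4120 section 7.5.9.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KRB5KDC_ERR_KEY_EXP = 23
KRB5KDC_ERR_PREAUTH_FAILED = 24
KRB5KDC_ERR_PREAUTH_REQUIRED = 25
KDC_OK = 0  # stands in for a successful AS-REP carrying a ticket

CHANGEPW_SERVICE = "kadmin/changepw"


@dataclass
class Account:
    password: str
    expired: bool = False      # password is past its maximum age
    must_change: bool = False  # "must change password at next login" flag

    def account_ok(self) -> bool:
        # Stand-in for the expiry part of Samba's authsam_account_ok().
        return not (self.expired or self.must_change)


@dataclass
class AsReq:
    cname: str                      # client principal
    sname: str                      # requested service, e.g. krbtgt/REALM
    preauth: Optional[str] = None   # password proves PA-ENC-TIMESTAMP here


Kdc = Callable[[AsReq, Dict[str, Account]], int]


def kdc_expiry_before_preauth(req: AsReq, db: Dict[str, Account]) -> int:
    """Behaviour the post reports for Samba4 alpha7: KEY_EXP is returned as
    soon as the account is looked up, before any pre-authentication."""
    acct = db.get(req.cname)
    if acct is None:
        return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
    if not acct.account_ok():
        return KRB5KDC_ERR_KEY_EXP
    if req.preauth is None:
        return KRB5KDC_ERR_PREAUTH_REQUIRED
    if req.preauth != acct.password:
        return KRB5KDC_ERR_PREAUTH_FAILED
    return KDC_OK


def kdc_preauth_before_expiry(req: AsReq, db: Dict[str, Account]) -> int:
    """Behaviour the post reports for Windows 2003 R2: pre-authentication
    first; the expiry check is skipped when the requested service is
    kadmin/changepw, so an expired user can still obtain a changepw ticket."""
    acct = db.get(req.cname)
    if acct is None:
        return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
    if req.preauth is None:
        return KRB5KDC_ERR_PREAUTH_REQUIRED
    if req.preauth != acct.password:
        return KRB5KDC_ERR_PREAUTH_FAILED
    if req.sname != CHANGEPW_SERVICE and not acct.account_ok():
        return KRB5KDC_ERR_KEY_EXP
    return KDC_OK


def change_password_flow(kdc: Kdc, db: Dict[str, Account], user: str,
                         password: str, realm: str = "EXAMPLE.COM") -> List[int]:
    """Client side of the exchange: ask for krbtgt, answer the preauth
    challenge, and on KEY_EXP fall back to kadmin/changepw. Returns every
    KDC response seen; a trailing KDC_OK means a ticket was obtained."""
    trace = []
    r = kdc(AsReq(user, f"krbtgt/{realm}"), db)
    trace.append(r)
    if r == KRB5KDC_ERR_PREAUTH_REQUIRED:
        r = kdc(AsReq(user, f"krbtgt/{realm}", preauth=password), db)
        trace.append(r)
    if r != KRB5KDC_ERR_KEY_EXP:
        return trace  # logged in, or failed for another reason
    r = kdc(AsReq(user, CHANGEPW_SERVICE), db)
    trace.append(r)
    if r == KRB5KDC_ERR_PREAUTH_REQUIRED:
        r = kdc(AsReq(user, CHANGEPW_SERVICE, preauth=password), db)
        trace.append(r)
    return trace


def probe_expired(kdc: Kdc, db: Dict[str, Account], user: str) -> bool:
    """What one AS-REQ without any credential reveals: True when the KDC
    discloses that the account is expired or must change its password."""
    return kdc(AsReq(user, "krbtgt/EXAMPLE.COM"), db) == KRB5KDC_ERR_KEY_EXP


# Constructed sample accounts.
SAMPLE_DB = {
    "alice": Account(password="s3cret"),
    "user_tst": Account(password="changeme", must_change=True),
    "bob": Account(password="old-pass", expired=True),
}

if __name__ == "__main__":
    for name, kdc in (("expiry first", kdc_expiry_before_preauth),
                      ("preauth first", kdc_preauth_before_expiry)):
        print(name, change_password_flow(kdc, SAMPLE_DB, "user_tst", "changeme"),
              "bob looks expired to anonymous probe:", probe_expired(kdc, SAMPLE_DB, "bob"))
```

Against the expiry-first KDC the client never gets past KEY_EXP, even on the kadmin/changepw request, which is the dead end the post describes; against the preauth-first KDC the trace is PREAUTH_REQUIRED, KEY_EXP, PREAUTH_REQUIRED, success. The probe shows the side effect of ordering: only the expiry-first KDC answers differently for expired and healthy accounts before any password is supplied.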