Expired or must change password with linux/unix/mac clients against Samba4 KDC

Matthieu Patou mat+Informatique.Samba at matws.net
Fri Jan 30 20:04:14 GMT 2009


Dear all,

I discovered recently that it's impossible to change the password for 
an account that has its password expired or flagged as must be changed at 
next login.
I first tried with kpasswd (i.e. kpasswd user_tst); the server immediately 
replies with error_code: KRB5KDC_ERR_KEY_EXP without asking for the 
password (btw it might be a security issue because it's easy to know 
which account has a password either expired or that needs to be changed 
at next login). I also tried with libpam-krb5 3.12 (the latest stable), 
and in this case pam first tries to talk with the krbtgt/REALM server, then 
prompts for the password and then tries to talk to kadmin/changepw, but in both cases 
it received KRB5KDC_ERR_KEY_EXP.

If you have a look at the kpasswd/W2K3 exchange, you can see that things are 
completely different:

* First the server asks the client for a password by replying with an 
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
* Then, after checking that the password is correct, the server replies 
with an error_code KRB5KDC_ERR_KEY_EXP
* The client then issues a request to the kadmin/changepw server, which is 
first answered with the KRB5KDC_ERR_PREAUTH_REQUIRED error_code, and once the 
client provides the password the request is validated
* The client can then prompt for a new password and go ahead with the process 
of changing the password.


Is it possible to make some change to the Samba KDC so that we achieve more 
or less the same behavior?
More precisely, I am thinking of bypassing the call to authsam_account_ok if 
the server name is kadmin/changepw.

I attached network captures of the kinit client versus Samba4 
(4.0.0alpha7-GIT-d8f15e4) and versus Windows 2003R2.

Any comments ?

Matthieu.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: kinit2
Type: application/octet-stream
Size: 3099 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090130/038e00fd/kinit2.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kinit_samba
Type: application/octet-stream
Size: 1812 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090130/038e00fd/kinit_samba.obj
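The two exchanges described in the mail, as an added illustration that is not part of the original post and not Samba or Windows code. It is a toy model of AS-REQ handling: the error-code values are the real RFC 4120 numbers, but the accounts, the password-to-key derivation, the PA-ENC-TIMESTAMP stand-in and the two KDC "policies" (expiry checked before pre-authentication, as the mail reports for Samba4 alpha7, versus expiry checked only after a successful pre-authentication with an exemption for kadmin/changepw, as observed against W2K3) are assumptions made for the example. It shows both the client-visible error sequence and why the early check lets an unauthenticated caller tell expired accounts from live ones.

```python
"""Toy model of KDC AS-REQ handling for expired passwords (illustration only)."""
import hashlib
import hmac
from dataclasses import dataclass

# Error codes from RFC 4120; the rest of this file is a constructed model.
KDC_OK = 0
KRB5KDC_ERR_KEY_EXP = 23
KRB5KDC_ERR_PREAUTH_FAILED = 24
KRB5KDC_ERR_PREAUTH_REQUIRED = 25
CHANGEPW = "kadmin/changepw"


@dataclass
class Account:
    key: bytes             # long-term key (toy derivation from the password)
    expired: bool = False  # password expired or "must change at next logon"


def derive_key(password: str) -> bytes:
    # Assumption: a plain hash stands in for the real string-to-key function.
    return hashlib.sha256(password.encode()).digest()


def pa_enc_timestamp(key: bytes, ts: int) -> bytes:
    # Stand-in for PA-ENC-TIMESTAMP: an HMAC over the timestamp proves the key.
    return hmac.new(key, str(ts).encode(), hashlib.sha256).digest()


class KDC:
    def __init__(self, accounts, *, expiry_before_preauth, changepw_exempt):
        self.accounts = accounts
        self.expiry_before_preauth = expiry_before_preauth  # order reported for Samba4 alpha7
        self.changepw_exempt = changepw_exempt              # skip the expiry check for changepw

    def _account_ok(self, acct, server):
        # Models an authsam_account_ok()-style check: an expired account is
        # refused unless the requested service is kadmin/changepw and exempt.
        if acct.expired and not (self.changepw_exempt and server == CHANGEPW):
            return KRB5KDC_ERR_KEY_EXP
        return KDC_OK

    def as_req(self, client, server, preauth=None):
        acct = self.accounts[client]
        if self.expiry_before_preauth:
            rc = self._account_ok(acct, server)
            if rc:
                return rc  # answered before any proof of the key: leaks expiry
        if preauth is None:
            return KRB5KDC_ERR_PREAUTH_REQUIRED
        ts, mac = preauth
        if not hmac.compare_digest(mac, pa_enc_timestamp(acct.key, ts)):
            return KRB5KDC_ERR_PREAUTH_FAILED
        return self._account_ok(acct, server)


def client_password_change(kdc, client, password):
    """Return the KDC error codes seen, in order, for the kpasswd/libpam-krb5
    style flow: AS-REQ for krbtgt, then (if KEY_EXP) AS-REQ for kadmin/changepw."""
    ts = 1233345854  # constructed timestamp
    pa = (ts, pa_enc_timestamp(derive_key(password), ts))
    codes = []
    for server in ("krbtgt/REALM", CHANGEPW):
        rc = kdc.as_req(client, server)
        codes.append(rc)
        if rc == KRB5KDC_ERR_PREAUTH_REQUIRED:
            rc = kdc.as_req(client, server, preauth=pa)
            codes.append(rc)
        if server != CHANGEPW and rc != KRB5KDC_ERR_KEY_EXP:
            return codes  # got a TGT or a hard failure; no change-password leg
    return codes


def unauthenticated_expiry_probe(kdc, principals):
    """What a caller with no credentials learns from one AS-REQ per account."""
    return {p: kdc.as_req(p, "krbtgt/REALM") == KRB5KDC_ERR_KEY_EXP for p in principals}


def build_accounts():
    # Constructed sample accounts: one expired, one live.
    return {"user_tst": Account(derive_key("Secret1"), expired=True),
            "alice": Account(derive_key("Another1"))}


def samba4_alpha7():
    return KDC(build_accounts(), expiry_before_preauth=True, changepw_exempt=False)


def w2k3():
    return KDC(build_accounts(), expiry_before_preauth=False, changepw_exempt=True)


if __name__ == "__main__":
    print("W2K3-like  :", client_password_change(w2k3(), "user_tst", "Secret1"))
    print("Samba-like :", client_password_change(samba4_alpha7(), "user_tst", "Secret1"))
    print("probe W2K3 :", unauthenticated_expiry_probe(w2k3(), ["user_tst", "alice"]))
    print("probe Samba:", unauthenticated_expiry_probe(samba4_alpha7(), ["user_tst", "alice"]))
```

In the W2K3-like model the expired account only surfaces as KEY_EXP after a correct pre-authentication, so a wrong password yields PREAUTH_FAILED and an unauthenticated probe learns nothing; in the early-check model the first unauthenticated request already distinguishes expired from live accounts, and the changepw leg is refused as well, so the password can never be changed.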