[Samba] Samba AD DC: users cannot change expired passwords
Rowland Penny
rpenny at samba.org
Fri Oct 27 09:49:13 UTC 2023
On Fri, 27 Oct 2023 10:44:51 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Andrew,
>
> On 27-10-2023 at 02:22, Andrew Bartlett wrote:
> > I'm sorry to say that from here you really need to work closely
> > with a Samba developer (eg via a commercial support provider) or do
> > a deep dive into debugging yourself.
> >
> > Ideally if you have time, do a git bisect between the last known
> > working version and the first failing one. That may find the
> > problematic commit, which will make a fix and adding a regression
> > test much faster.
> If the statement (below) is that it should not work, then I don't see
> why it is worth an investigation. Can you clarify that?
> >
> > I would note that we should never allow access over LDAP as a user
> > who has an expired password, even with the intention to change the
> > password. Some other protocols (like kpasswd) should allow access
> > only to the password change service, and password changes over SAMR
> > can be done as one user (eg a service user) to change the password
> > of another.
> I am not sure that it does not work on MS-AD because the
> self-service-password application has some options for this:
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
> # Force account unlock when password is changed
> $ad_options['force_unlock'] = true;
> # Force user change password at next login
> $ad_options['force_pwd_change'] = false;
> # Allow user with expired password to change password
> $ad_options['change_expired_password'] = true;
>
> Why would there be an option 'change_expired_password' when this is
> not a supported feature in AD?
>
> Since I have no MS-AD, I cannot check it.
>
> - Kees.
Not answering for Andrew, but just wondering aloud :-)
Could it be that it changes the password in a different way if the
password has expired? In a similar way to how 'samba-tool user' has
'password' and 'setpassword'.
Rowland
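As an added example (not code from this thread, from Samba, or from self-service-password), the two halves of the question above in Python: deciding from pwdLastSet, maxPwdAge and userAccountControl whether an account's password has expired, and the unicodePwd modify operations a self-change (delete old value, add new; requires a bind as that user, which is what an expired password blocks) versus an administrative reset (replace, the 'setpassword' style) send when `$ad_mode = true`. Attribute semantics are standard AD; all dates and passwords are constructed.

```python
from datetime import datetime, timezone

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag: password never expires


def filetime_from_iso(iso: str) -> int:
    """UTC ISO-8601 date or date/time (e.g. '2023-10-27') -> FILETIME ticks."""
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def password_expired(pwd_last_set: int, max_pwd_age: int,
                     user_account_control: int = 0, now_ticks=None) -> bool:
    """maxPwdAge (on the domain root) is a *negative* 100 ns interval; 0 means
    passwords never expire. pwdLastSet == 0 means 'must change at next logon',
    which is what force_pwd_change sets, so it counts as expired here."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False
    if pwd_last_set == 0:
        return True
    if max_pwd_age == 0:
        return False
    if now_ticks is None:
        now_ticks = int((datetime.now(timezone.utc) - FILETIME_EPOCH)
                        .total_seconds()) * TICKS_PER_SECOND
    return now_ticks >= pwd_last_set - max_pwd_age   # minus a negative age


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password wrapped in double quotes and
    encoded as UTF-16-LE, and only over an encrypted (TLS) connection."""
    return f'"{password}"'.encode("utf-16-le")


def self_change_ops(old_password: str, new_password: str) -> list:
    # User changes their own password: delete the old value and add the new one
    # in a single modify, proving knowledge of the old password.
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]


def admin_reset_ops(new_password: str) -> list:
    # Privileged reset performed by another account: replace the value outright.
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]
```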