[Samba] Samba AD DC: users cannot change expired passwords

Andrew Bartlett abartlet at samba.org
Sun Oct 29 20:52:53 UTC 2023


On Fri, 2023-10-27 at 20:31 +0200, Kees van Vloten via samba wrote:
> Op 27-10-2023 om 11:49 schreef Rowland Penny via samba:
> > On Fri, 27 Oct 2023 10:44:51 +0200 Kees van Vloten via samba <
> > samba at lists.samba.org> wrote:
> > > Hi Andrew,
> > > Op 27-10-2023 om 02:22 schreef Andrew Bartlett:
> > > > I'm sorry to say that from here you really need to work
> > > > closely with a Samba developer (eg via a commercial support
> > > > provider) or do a deep dive into debugging yourself.
> > > > Ideally if you have time, do a git bisect between the last
> > > > known working version and the first failing one.  That may find
> > > > the problematic commit, which will make a fix and adding a
> > > > regression test much faster.
> > > If the statement (below) is that it should not work, then I don't
> > > see why it is worth an investigation. Can you clarify that?
> > > > I would note that we should never allow access over LDAP as a
> > > > user who has an expired password, even with the intention to
> > > > change the password.  Some other protocols (like kpasswd) should
> > > > allow access only to the password change service, and password
> > > > changes over SAMR can be done as one user (eg a service user) to
> > > > change the password of another.
> > > I am not sure that it does not work on MS-AD because the
> > > self-service-password application has some options for this:
> > > # Active Directory mode
> > > # true: use unicodePwd as password field
> > > # false: LDAPv3 standard behavior
> > > $ad_mode = true;
> > > # Force account unlock when password is changed
> > > $ad_options['force_unlock'] = true;
> > > # Force user change password at next login
> > > $ad_options['force_pwd_change'] = false;
> > > # Allow user with expired password to change password
> > > $ad_options['change_expired_password'] = true;
> > > Why would there be an option 'change_expired_password' when this
> > > is not a supported feature in AD?
> > > Since I have no MS-AD so cannot check it.
> > > - Kees.
> > Not answering for Andrew, but just wondering aloud :-)
> > Could it be that it changes the password in a different way if
> > the password has expired. In a similar way that 'samba-tool user'
> > has 'password' and 'setpassword'.
> > Rowland
> 
> I have been thinking during the day about this matter, after I
> replied to Andrew this morning.
> Although I am quite convinced I have seen it working in the past,
> looking at it and thinking about it now, convinces me more and more
> that that cannot be the case. It is quite illogical that, without a
> more privileged account (like with samba-tool user setpassword), that
> a user can login and change the password.

It is always possible that there was a bug, which is why I didn't
dismiss this out of hand.  Sometimes we fix such things without
realising. 
> That brings me to another point: it is hard to check because you need
> an expired account and when you change the password it is no longer
> expired so the test cannot be repeated.
> Is there a way I can set the expired flag (whatever that is) on
> account?

You can force accounts as 'must change at next login' which is much the
same thing, or use 'password setting objects' (fine grained password
policies) to set really short expiries.
> That would make it much easier to do repeated tests and make this
> work.

I agree.  We do much of this kind of thing in our testsuite.
Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd


Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
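Added example for this thread (not Samba code, not part of the original mail). Kees asks how to set "the expired flag (whatever that is)", and Andrew answers with 'must change at next login' or a short-expiry PSO. AD has no stored expired flag: the DC derives the state from the account's pwdLastSet and userAccountControl plus the effective maximum password age (domain maxPwdAge, or msDS-MaximumPasswordAge of the PSO that applies to the user). `samba-tool user setpassword <user> --must-change-at-next-login` sets pwdLastSet to 0, and `samba-tool domain passwordsettings pso create <name> <precedence> --max-pwd-age=<days>` creates a PSO; the code below is a stand-alone reimplementation of the check a tester can run against those attributes to confirm the account really is in the expired state before each repeated test. Attribute and flag names are the real AD ones; all sample values are constructed.

```python
"""Decide whether an AD / Samba AD DC account's password counts as expired.

Added example for this thread, not Samba code.  AD keeps no "expired"
flag: the state is derived from pwdLastSet, userAccountControl and the
effective maximum password age (domain maxPwdAge, or the
msDS-MaximumPasswordAge of a PSO that applies to the user).  Attribute
and flag names are the real AD ones; every sample value is constructed.
"""
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000          # FILETIME ticks are 100 ns
UF_DONT_EXPIRE_PASSWD = 0x10000              # userAccountControl bit
NEVER_EXPIRES = -0x8000000000000000          # maxPwdAge value meaning "never"


def datetime_to_nt_time(dt):
    """UTC datetime -> NT FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    delta = dt - NT_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def nt_time_to_datetime(nt_time):
    """NT FILETIME -> UTC datetime (sub-microsecond ticks dropped)."""
    return NT_EPOCH + timedelta(microseconds=nt_time // 10)


def days_to_interval(days):
    """Password-age attributes are stored as *negative* tick counts."""
    return -days * TICKS_PER_DAY


def password_state(pwd_last_set, uac, max_pwd_age, now, pso_max_age=None):
    """Return 'must-change', 'never', 'valid' or 'expired'.

    pwd_last_set: the account's pwdLastSet (0 after 'must change at next login')
    uac:          userAccountControl
    max_pwd_age:  domain maxPwdAge (negative interval; 0 or NEVER_EXPIRES = never)
    pso_max_age:  msDS-MaximumPasswordAge of the resultant PSO, if one applies
    """
    if pwd_last_set == 0:
        return "must-change"            # forced change; no age arithmetic needed
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never"
    age = pso_max_age if pso_max_age is not None else max_pwd_age  # PSO wins
    if age in (0, NEVER_EXPIRES):
        return "never"
    expires_at = nt_time_to_datetime(pwd_last_set) + timedelta(microseconds=-age // 10)
    return "expired" if now >= expires_at else "valid"


def demo():
    """Constructed test account: normal user (UF_NORMAL_ACCOUNT = 0x200),
    password last set 10 days before 'now', domain maxPwdAge of 42 days."""
    now = datetime(2023, 10, 27, 12, 0, tzinfo=timezone.utc)
    pls = datetime_to_nt_time(now - timedelta(days=10))
    domain_age = days_to_interval(42)
    return {
        "domain policy": password_state(pls, 0x200, domain_age, now),
        "1-day PSO": password_state(pls, 0x200, domain_age, now,
                                    pso_max_age=days_to_interval(1)),
        "pwdLastSet=0": password_state(0, 0x200, domain_age, now),
        "never-expire flag": password_state(pls, 0x200 | UF_DONT_EXPIRE_PASSWD,
                                            domain_age, now),
        "maxPwdAge=never": password_state(pls, 0x200, NEVER_EXPIRES, now),
    }


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:18} -> {state}")
```

The two things this makes visible are that a 'must change at next login' account is a different state from a password that aged out (pwdLastSet is 0, so no age comparison happens at all), and that a short-lived PSO only changes the result for accounts the PSO actually applies to; the DONT_EXPIRE_PASSWD bit overrides both, so a test account carrying that bit will never show as expired no matter how short the policy.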





More information about the samba mailing list