[Samba] Samba AD DC: users cannot change expired passwords

Kees van Vloten keesvanvloten at gmail.com
Sun Oct 29 22:44:52 UTC 2023


On 29-10-2023 at 21:52, Andrew Bartlett wrote:
> On Fri, 2023-10-27 at 20:31 +0200, Kees van Vloten via samba wrote:
>> On 27-10-2023 at 11:49, Rowland Penny via samba wrote:
>>> On Fri, 27 Oct 2023 10:44:51 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>> Hi Andrew,
>>>> On 27-10-2023 at 02:22, Andrew Bartlett wrote:
>>>>> I'm sorry to say that from here you really need to work closely
>>>>> with a Samba developer (eg via a commercial support provider) or do
>>>>> a deep dive into debugging yourself.
>>>>> Ideally if you have time, do a git bisect between the last known
>>>>> working version and the first failing one.  That may find the
>>>>> problematic commit, which will make a fix and adding a regression
>>>>> test much faster.
>>>> If the statement (below) is that it should not work, then I don't see
>>>> why it is worth an investigation. Can you clarify that?
>>>>> I would note that we should never allow access over LDAP as a user
>>>>> who has an expired password, even with the intention to change the
>>>>> password.  Some other protocols (like kpasswd) should allow access
>>>>> only to the password change service, and password changes over SAMR
>>>>> can be done as one user (eg a service user) to change the password
>>>>> of another.
>>>> I am not sure that it does not work on MS-AD because the
>>>> self-service-password application has some options for this:
>>>> # Active Directory mode
>>>> # true: use unicodePwd as password field
>>>> # false: LDAPv3 standard behavior
>>>> $ad_mode = true;
>>>> # Force account unlock when password is changed
>>>> $ad_options['force_unlock'] = true;
>>>> # Force user change password at next login
>>>> $ad_options['force_pwd_change'] = false;
>>>> # Allow user with expired password to change password
>>>> $ad_options['change_expired_password'] = true;
>>>> Why would there be an option 'change_expired_password' when this is
>>>> not a supported feature in AD?
>>>> Since I have no MS-AD, I cannot check it.
>>>> - Kees.
>>> Not answering for Andrew, but just wondering aloud :-)
>>> Could it be that it changes the password in a different way if the
>>> password has expired. In a similar way that 'samba-tool user' has
>>> 'password' and 'setpassword'.
>>> Rowland
>> I have been thinking during the day about this matter, after I replied
>> to Andrew this morning.
>> Although I am quite convinced I have seen it working in the past,
>> looking at it and thinking about it now convinces me more and more that
>> that cannot be the case. It is quite illogical that, without a more
>> privileged account (like with samba-tool user setpassword), a user
>> can log in and change the password.
> It is always possible that there was a bug, which is why I didn't dismiss this out of hand.  Sometimes we fix such things without realising.
>> That brings me to another point: it is hard to check because you need an
>> expired account and when you change the password it is no longer expired
>> so the test cannot be repeated.
>> Is there a way I can set the expired flag (whatever that is) on account?
> You can force accounts as 'must change at next login' which is much the same thing, or use 'password setting objects' (fine grained password policies) to set really short expiries.
The 'must change at next login' is easy to set and does not have an impact
on the rest of the environment. Thanks!
>
>> That would make it much easier to do repeated tests and make this work.
> I agree.  We do much this kind of thing in our testsuite.
> Andrew Bartlett
> -- 
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group 
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>
>
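An added example, not code from this thread or from Samba, to make Andrew's answer concrete: there is no stored "expired" flag on an AD account. The DC recomputes the state at each logon from pwdLastSet, userAccountControl and the maximum password age that applies (domain maxPwdAge, or msDS-MaximumPasswordAge from a PSO). The script below shows that computation and the two ways to get a repeatable expired test account: pwdLastSet = 0, which is what `samba-tool user setpassword --must-change-at-next-login` writes, or a PSO with a very short maximum age. The account object and dates in it are constructed, not taken from any real domain.

```python
"""Added example, not code from this thread or from Samba: how an AD DC
decides that a password is expired from the account's attributes, and the
two ways suggested above to put a test account into that state.  The
attribute names and constants are AD's; the account below is constructed."""
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl: password never expires
MAXPWDAGE_NEVER = -0x8000000000000000    # maxPwdAge sentinel: passwords never expire
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_MAX_PWD_AGE = -42 * 86400 * 10_000_000   # Samba AD default: 42 days


def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers so it is exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def interval_days(days):
    """AD stores maxPwdAge / msDS-MaximumPasswordAge as a negative 100 ns interval."""
    return -days * 86400 * 10_000_000


def password_state(entry, max_pwd_age, now):
    """Classify an account as 'must-change', 'never-expires', 'expired' or 'valid'.

    entry: dict with pwdLastSet (FILETIME int) and userAccountControl (int)
    max_pwd_age: maxPwdAge of the domain, or msDS-MaximumPasswordAge of the
                 PSO that applies to this user
    now: timezone-aware datetime
    There is no stored 'expired' flag; the DC recomputes this at each logon.
    """
    pwd_last_set = entry["pwdLastSet"]
    if pwd_last_set == 0:                       # 'must change at next login'
        return "must-change"
    if entry["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if max_pwd_age in (0, MAXPWDAGE_NEVER):     # no expiry configured
        return "never-expires"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return "expired" if now >= expires_at else "valid"


def force_change_at_next_logon(entry):
    """What 'samba-tool user setpassword --must-change-at-next-login' does to
    the object: pwdLastSet becomes 0.  Returns a modified copy."""
    changed = dict(entry)
    changed["pwdLastSet"] = 0
    return changed


# Constructed test account (not a real object from anyone's domain).
TEST_USER = {
    "sAMAccountName": "pwtest",
    "pwdLastSet": datetime_to_filetime(datetime(2023, 9, 1, tzinfo=timezone.utc)),
    "userAccountControl": 0x200,                # NORMAL_ACCOUNT
}

if __name__ == "__main__":
    when = datetime(2023, 10, 29, tzinfo=timezone.utc)
    print("domain default (42 days):", password_state(TEST_USER, DEFAULT_MAX_PWD_AGE, when))
    print("PSO with 1-day age:      ", password_state(TEST_USER, interval_days(1), when))
    print("forced change:           ",
          password_state(force_change_at_next_logon(TEST_USER), DEFAULT_MAX_PWD_AGE, when))
```

Both the "must-change" and "expired" states cause AD to refuse a simple LDAP bind (the bind error text carries "data 773" and "data 532" respectively), which is the behaviour Andrew describes: the password change then has to go through kpasswd or SAMR, not through a bind as the user whose password has expired. Setting pwdLastSet back to 0 after each successful change is what makes the test repeatable.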

