[Samba] Samba AD DC: users cannot change expired passwords

Kees van Vloten keesvanvloten at gmail.com
Mon Sep 25 14:44:26 UTC 2023


On 25-09-2023 at 16:39, Rowland Penny via samba wrote:
> On Mon, 25 Sep 2023 15:45:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Now it becomes really interesting:
>> I just tested what happens when I set "the user must change the
>> password on the next login". Then, on my Samba domain controller, I
>> used
>>
>> kinit <the user name>
>>
>> and entered the current password. Surprisingly, I got the message
>> from Kerberos
>>
>> "Password for the user is expired. You must change it now."
>>
>> And I can change the password! Afterwards, when I go back to "Active
>> Directory Users and Computers", the tick mark at "user must change
>> password at next login" is gone. So at least Kerberos behaves totally
>> correctly and the password is also changed correctly.
>>
>> Tobias
>>
> This is getting very confusing, for a start I received a post via the
> samba mailing list that is supposed to come from Kees van Vloten, but
> it is signed by Tobias ????????

I can clarify that: I had a message from Tobias in my own mailbox which 
I forwarded to the list because I thought Tobias forgot to do a reply-all 
or reply-list.

- Kees

> There are three attributes in play here:
>
> unicodePwd: This is where a user's password is stored
> pwdLastSet: This is set to '0' to force the user to change their
> password
> userAccountControl: This does many things, but one is that it can set
> PASSWORD_EXPIRED if 8388608 is contained in the value set on this
> attribute.
>
> I am not sure what is going wrong here, but the only thing that I can
> see that might be relevant to the 4.18.x series is a CVE that was added
> at 4.18.1, see here for more details:
>
> https://www.samba.org/samba/security/CVE-2023-0922.html
>
> It might be relevant, but then it might not.
>
> Is there anything in the event logs on the client or in the DCs logs
> (you may need to turn up the loglevel) ?
>
> Rowland
>

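As an added illustration of the three attributes Rowland lists above (this is not code from the thread or from Samba), the following Python reads a small constructed LDIF excerpt of the kind `ldbsearch` prints and reports which attribute would make the DC demand a password change. DONT_EXPIRE_PASSWD is a well-known userAccountControl bit that the post does not mention; the sample DNs and values are made up.

```python
from datetime import datetime, timedelta, timezone

# Well-known userAccountControl bits; PASSWORD_EXPIRED is the one named in the post.
PASSWORD_EXPIRED = 0x800000     # 8388608
DONT_EXPIRE_PASSWD = 0x10000    # 65536, "password never expires" (not from the post)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample resembling ldbsearch output; unicodePwd is write-only and never returned.
SAMPLE_LDIF = """\
dn: CN=User One,CN=Users,DC=example,DC=com
pwdLastSet: 0
userAccountControl: 8389120

dn: CN=User Two,CN=Users,DC=example,DC=com
pwdLastSet: 133400000000000000
userAccountControl: 512
"""

def filetime_to_datetime(filetime):
    """pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def password_change_state(entry):
    """Explain why a DC would demand a password change for this entry."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    pwd_last_set = int(entry.get("pwdLastSet", ["0"])[0])
    reasons = []
    if pwd_last_set == 0:
        reasons.append("pwdLastSet is 0: 'must change password at next logon' is set")
    if uac & PASSWORD_EXPIRED:
        reasons.append("userAccountControl contains PASSWORD_EXPIRED (8388608)")
    last_set = None if pwd_last_set == 0 else filetime_to_datetime(pwd_last_set)
    return {"dn": entry.get("dn", ["?"])[0], "must_change": bool(reasons), "reasons": reasons,
            "never_expires": bool(uac & DONT_EXPIRE_PASSWD), "last_set": last_set}
```

Run it against a real `ldbsearch` dump of the affected user to see whether pwdLastSet or the PASSWORD_EXPIRED bit (or both) is what the DC is reacting to.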