[Samba] Samba AD DC: users cannot change expired passwords

Pluess, Tobias tpluess at ieee.org
Mon Sep 25 14:47:57 UTC 2023


Hi Rowland,

yes I also got this message that was from Kees but signed by me. I did not
send it. But I did send the very first message, though.
I just checked the logs on the DC. There is nothing relevant in there. I
cannot see any errors whatsoever.
The strange thing is:

When the password is expired, the user can, on the Windows 10 login page,
literally enter ANY password, and gets the message "your password is
expired" and when the user tries to change his password, no matter if the
correct or a random password is entered as the old password, the message
"password expired" appears again and the login is stuck in this forever
loop unless "cancel" is clicked, which, of course, cancels the login.

So I checked every log file under /var/log/samba on my DCs (I have two of
them, dc0 and dc1, which are rsync'ed).
Let me know which config I shall change to increase the loglevel and I will
do that and post the logs here.

Thanks!
best
Tobias


On Mon, Sep 25, 2023 at 4:40 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 25 Sep 2023 15:45:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> > Now it becomes really interesting:
> > I just tested what happens when I set "the user must change the
> > password on the next login". Then, on my Samba domain controller, I
> > used
> >
> > kinit <the user name>
> >
> > and entered the current password. Surprisingly, I got the message
> > from Kerberos
> >
> > "Password for the user is expired. You must change it now."
> >
> > And I can change the password! Afterwards, when I go back to "Active
> > Directory Users and Computers", the tick mark at "user must change
> > password at next login" is gone. So at least Kerberos behaves totally
> > correctly and the password is also changed correctly.
> >
> > Tobias
> >
>
> This is getting very confusing; for a start, I received a post via the
> samba mailing list that is supposed to come from Kees van Vloten, but
> it is signed by Tobias ????????
>
> There are three attributes in play here:
>
> unicodePwd: This is where a users password is stored
> pwdLastSet: This is set to '0' to force the user to change their
> password
> userAccountControl: This does many things, but one is that it can set
> PASSWORD_EXPIRED if 8388608 is contained in the value set on this
> attribute.
>
> I am not sure what is going wrong here, but the only thing that I can
> see that might be relevant to the 4.18.x series is a CVE that was added
> at 4.18.1, see here for more details:
>
> https://www.samba.org/samba/security/CVE-2023-0922.html
>
> It might be relevant, but then it might not.
>
> Is there anything in the event logs on the client or in the DCs logs
> (you may need to turn up the loglevel) ?
>
> Rowland
>
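Rowland's reply names the three attributes that decide whether a logon is told "password expired": unicodePwd, pwdLastSet (0 forces a change) and the PASSWORD_EXPIRED bit (8388608, 0x800000) in userAccountControl, plus the domain's maxPwdAge that pwdLastSet is measured against. The script below is an added example for decoding those raw values as they come out of the DC's sam.ldb; it is not code from the Samba project or from anyone in this thread. The sample record is constructed, the flag values and the FILETIME conversion follow the published AD semantics (100 ns ticks since 1601-01-01 UTC, maxPwdAge stored as a negative tick count), and the account name is hypothetical.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (MS-SAMR UF_* values). 0x800000 is the 8388608
# mentioned in the thread: UF_PASSWORD_EXPIRED.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00800000: "PASSWORD_EXPIRED",
}
UF_DONT_EXPIRE_PASSWORD = 0x00010000
UF_PASSWORD_EXPIRED = 0x00800000

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (exact for whole microseconds)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_uac(uac: int) -> list:
    """Return the names of the known UF_* bits set in userAccountControl."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def password_state(uac: int, pwd_last_set: int, max_pwd_age: int, now: datetime) -> dict:
    """Work out why a DC would answer 'password expired' for an account.

    max_pwd_age is the domain's maxPwdAge: a NEGATIVE tick count
    (e.g. -36288000000000 for 42 days); 0 or -2**63 means passwords never age out.
    """
    must_change = pwd_last_set == 0                      # "user must change password at next logon"
    flag_expired = bool(uac & UF_PASSWORD_EXPIRED)       # the 8388608 bit
    never_ages = bool(uac & UF_DONT_EXPIRE_PASSWORD) or max_pwd_age in (0, -(1 << 63))
    expires_at = None
    age_expired = False
    if not must_change and not never_ages:
        # maxPwdAge is negative, so subtracting it adds the age to pwdLastSet.
        expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)
        age_expired = now >= expires_at
    return {
        "flags": decode_uac(uac),
        "must_change": must_change,
        "flag_expired": flag_expired,
        "age_expired": age_expired,
        "expires_at": expires_at,
        "change_required": must_change or flag_expired or age_expired,
    }


def parse_ldb_record(record: dict) -> tuple:
    """Pull the integers out of attribute strings as ldbsearch prints them."""
    return int(record["userAccountControl"]), int(record["pwdLastSet"])


# Constructed sample: what ldbsearch would print for a hypothetical user, with
# pwdLastSet set 55 days before the date of this thread and a 42-day maxPwdAge.
SAMPLE_RECORD = {
    "sAMAccountName": "tobias.example",
    "userAccountControl": "512",
    "pwdLastSet": str(datetime_to_filetime(datetime(2023, 8, 1, tzinfo=timezone.utc))),
}
SAMPLE_MAX_PWD_AGE = -36288000000000   # 42 days in 100 ns ticks, negative as stored in AD

if __name__ == "__main__":
    uac, pls = parse_ldb_record(SAMPLE_RECORD)
    now = datetime(2023, 9, 25, 14, 47, tzinfo=timezone.utc)
    for key, value in password_state(uac, pls, SAMPLE_MAX_PWD_AGE, now).items():
        print(f"{key:>16}: {value}")
```

On a DC the raw values for a real account come from `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=NAME)' userAccountControl pwdLastSet` and the domain's maxPwdAge from `samba-tool domain passwordsettings show`; comparing `change_required` with what the Windows logon screen reports is the quickest way to tell whether the DC's data or the client-side change flow is at fault.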