[cifs-protocol] [EXTERNAL] Re: Remote pwd change when "must change at next logon" is set? - TrackingID#2104090040000113

Obaid Farooqi obaidf at microsoft.com
Wed Apr 14 15:59:03 UTC 2021

Hi Volker:
I am working on it.
So far what I see is this:
1. If I have a standalone server, I can change the password, but before changing the password, I need to set up an SMB session to this standalone server as the administrator (I did not try a standard user), then I can change the password remotely.

2. If I do it for a DC from a non-domain joined machine, I can change the password without first setting up an SMB session. SAMR still gets an error of ACCESS_DENIED but it soldiers on and uses ChangePasswordUser2 function and that works.

So there is a discrepancy in the behavior when the remote machine is a DC compared to a standalone server.
I am working on the "why" part of this difference in behavior and will be in touch as soon as I have an answer.

Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Volker Lendecke <Volker.Lendecke at SerNet.DE> 
Sent: Wednesday, April 14, 2021 7:12 AM
To: Obaid Farooqi <obaidf at microsoft.com>; cifs-protocol at lists.samba.org
Cc: Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] Re: [cifs-protocol] Remote pwd change when "must change at next logon" is set? - TrackingID#2104090040000113

Hi Obaid,

is there anything still missing? Or is this just not a dochelp case from your point of view?

With best regards,

Volker Lendecke

SerNet GmbH - Bahnhofsallee 1b - 37081 Goettingen
phone: +49.551.3700000, mailto:contact at sernet.com AG Goettingen: HR-B 2816 - https://www.sernet.com/
Manag. Directors Johannes Loxen and Reinhild Jung data privacy policy https://www.sernet.de/privacy

On Fri, Apr 09, 2021 at 07:45:06AM +0200, Volker Lendecke via cifs-protocol wrote:
> Hi Obaid,
> a colleague of mine has a Windows 2019 terminal server. For licensing 
> reasons, this Windows 2019 machine is not a domain member, and that is 
> fine for us. The fact that this is a terminal server from my point of 
> view should be irrelevant, it could be just a standalone non-domain 
> file server.
> He created local accounts for all team members that need it with 
> initial passwords that the team members must change at their first 
> logon.
> The question is -- how can we remotely change the initial password? We
> (Samba) modeled our remote password change on the network after what 
> the Windows password change dialogue does, which does not work in this 
> case.
> The Windows password change dialogue can be reached by pressing 
> ctrl-alt-del on a Windows machine (not the server in question). There 
> you get an option to change a password. If you then enter 
> 'server-ip-address\username' into the username field of the password 
> change dialogue, enter old and new passwords, a Windows client 
> normally changes a remote samr password. The trace I sent is a sniff 
> of this dialogue coming from a Windows 2012 client machine, but 
> Windows 2019 as a client behaves exactly the same. The smbpasswd 
> utility we ship with Samba also does the same, and it fails exactly 
> the same way.
> I've contacted dochelp because I think it's a protocol question:
> Changing a remote sam password for a user with MUST_CHANGE on a 
> Windows 2019 machine should be a scenario covered by the Microsoft 
> Protocol suite I guess, but I could not find hints how to do this in 
> the docs.
> Thanks,
> Volker
> On Fri, Apr 09, 2021 at 12:49:10AM +0000, Obaid Farooqi wrote:
> > Hi Volker:
> > It is not clear from your description as to what exactly is happening.
> > Can you please provide detailed steps so that I can understand this issue?
> > 
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> > 
> > -----Original Message-----
> > From: Volker Lendecke <Volker.Lendecke at SerNet.DE>
> > Sent: Thursday, April 8, 2021 4:13 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol at lists.samba.org
> > Subject: [EXTERNAL] Remote pwd change when "must change at next logon" is set?
> > 
> > Hi, dochelp!
> > 
> > I've got a Windows 2019 Terminal Server with local users. There's a 
> > newly created user that has "must change password at next logon" 
> > (see frame 53 in the attached pcap). How can I change the password 
> > initially? The attached pcap is a listing of a Windows 2012 DC where 
> > I pressed ctrl-alt-del, "change pwd" and then I typed
> > 
> >\vlendec
> > 
> > into the user field. The Windows 2012 machine I'm coming from now tries to connect anonymously to SAMR, which fails with NT_STATUS_ACCESS_DENIED. Just checked with a Windows 2019 client: Same thing.
> > 
> > Question -- how can I remotely change a password for a local Windows
> > 2019 user that has "must change at next logon"?
> > 
> > Thanks,
> > 
> > Volker
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
