[cifs-protocol] [EXTERNAL] Re: Remote pwd change when "must change at next logon" is set? - TrackingID#2104090040000113
obaidf at microsoft.com
Wed Apr 14 15:59:03 UTC 2021
I am working on it.
So far what I see is this:
1. If I have a standalone server, I can change the password but before changing the password, I need to set up an SMB session to this standalone server as the administrator (I did not try a standard user), then I can change the password remotely.
2. If I do it for a DC from a non-domain joined machine, I can change the password without first setting up an SMB session. SAMR still gets an error of ACCESS_DENIED but it soldiers on and uses ChangePasswordUser2 function and that works.
So there is a discrepancy in the behavior when the remote machine is a DC compared to a standalone server.
I am working the "why" part of this difference in behavior and will be in touch as soon as I have an answer.
Escalation Engineer | Microsoft
From: Volker Lendecke <Volker.Lendecke at SerNet.DE>
Sent: Wednesday, April 14, 2021 7:12 AM
To: Obaid Farooqi <obaidf at microsoft.com>; cifs-protocol at lists.samba.org
Cc: Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] Re: [cifs-protocol] Remote pwd change when "must change at next logon" is set? - TrackingID#2104090040000113
is there anything still missing? Or is this just not a dochelp case from your point of view?
With best regards,
SerNet GmbH - Bahnhofsallee 1b - 37081 Goettingen
phone: +49.551.3700000, mailto:contact at sernet.com AG Goettingen: HR-B 2816 - https://www.sernet.com/
On Fri, Apr 09, 2021 at 07:45:06AM +0200, Volker Lendecke via cifs-protocol wrote:
> Hi Obaid,
> a colleague of mine has a Windows 2019 terminal server. For licensing
> reasons, this Windows 2019 machine is not a domain member, and that is
> fine for us. The fact that this is a terminal server from my point of
> view should be irrelevant, it could be just a standalone non-domain
> file server.
> He created local accounts for all team members that need it with
> initial passwords that the team members must change at their first
> The question is -- how can we remotely change the initial password? We
> (Samba) modeled our remote password change on the network after what
> the Windows password change dialogue does, which does not work in this
> The Windows password change dialogue can be reached by pressing
> ctrl-alt-del on a Windows machine (not the server in question). There
> you get an option to change a password. If you then enter
> 'server-ip-address\username' into the username field of the password
> change dialogue, enter old and new passwords, a Windows client
> normally changes a remote samr password. The trace I sent is a sniff
> of this dialogue coming from a Windows 2012 client machine, but
> Windows 2019 as a client behaves exactly the same. The smbpasswd
> utility we ship with Samba also does the same, and it fails exactly
> the same way.
> I've contacted dochelp because I think it's a protocol question:
> Changing a remote sam password for a user with MUST_CHANGE on a
> Windows 2019 machine should be a scenario covered by the Microsoft
> Protocol suite I guess, but I could not find hints how to do this in
> the docs.
> On Fri, Apr 09, 2021 at 12:49:10AM +0000, Obaid Farooqi wrote:
> > Hi Volker:
> > It is not clear from your description as to what exactly is happening.
> > Can you please provide detailed steps so that I can understand this issue?
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> > -----Original Message-----
> > From: Volker Lendecke <Volker.Lendecke at SerNet.DE>
> > Sent: Thursday, April 8, 2021 4:13 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol at lists.samba.org
> > Subject: [EXTERNAL] Remote pwd change when "must change at next logon" is set?
> > Hi, dochelp!
> > I've got a Windows 2019 Terminal Server with local users. There's a
> > newly created user that has "must change password at next logon"
> > (see frame 53 in the attached pcap). How can I change the password
> > initially? The attached pcap is a listing of a Windows 2012 DC where
> > I pressed ctrl-alt-del, "change pwd" and then I typed
> > 172.21.202.15\vlendec
> > into the user field. The Windows 2012 machine I'm coming from now tries to connect anonymously to SAMR, which fails with NT_STATUS_ACCESS_DENIED. Just checked with a Windows 2019 client: Same thing.
> > Question -- how can I remotely change a password for a local Windows
> > 2019 user that has "must change at next logon"?
> > Thanks,
> > Volker