[cifs-protocol] [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID - TrackingID#2509240040013358
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Oct 8 23:38:17 UTC 2025
hi again.
I noticed from this message to the Samba users list
https://lists.samba.org/archive/samba/2024-August/249724.html
that Keycloak also uses the LDAP_SERVER_POLICY_HINTS_OID.
The way they document it is "if [some option is] on, then updating
password of MSAD user will use LDAP_SERVER_POLICY_HINTS_OID extension,
which means that advanced MSAD password policies like 'password history'
or 'minimal password age' will be applied. This extension works just for
MSAD 2008 R2 or newer."
(https://github.com/keycloak/keycloak/blob/main/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties#L97).
I guess Keycloak is trying to do the same thing as Entra, enforcing
password change semantics without giving AD the old password.
Douglas
On 1/10/25 10:33, Douglas Bagnall via cifs-protocol wrote:
> hi Obaid,
>
> Thanks for looking.
>
> If it helps, Azure Self-Service Password Reset does set the control
> (actually LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID which does the same
> thing) when doing a password set.
>
> I think maybe it looks like a password change on the Entra side (that
> is, the user needs their old password), but Entra wants to forward the
> change as an unconditional set but maintain history.
>
> This page
>
> https://learn.microsoft.com/en-us/entra/identity/authentication/troubleshoot-sspr-writeback#if-the-source-of-the-event-is-adsync
>
> talks a bit about it around "33008 ADPasswordPolicyError". Elsewhere it
> mentions LDAP_SERVER_POLICY_HINTS_OID but gives it the value
> 1.2.840.113556.1.4.2066 which is the one now called _DEPRECATED_,
> presumably because the oid is also used for the ms-DS-Required-Domain-
> Behavior-Version attribute.
>
> Douglas
>
>
>
> On 1/10/25 10:02, Obaid Farooqi wrote:
>> Hi Douglas:
>> To me, the quote from MS-ADTS looks more problematic than the MS-SAMR's.
>> There will not be a password history if we are setting a password.
>>
>> I am looking into it and I think this is a bug in MS-ADTS.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Michael Bowen <Mike.Bowen at microsoft.com>
>> Sent: Wednesday, September 24, 2025 6:17 PM
>> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy --
>> interaction with LDAP_SERVER_POLICY_HINTS_OID -
>> TrackingID#2509240040013358
>>
>> [DocHelp to bcc]
>>
>> Hi Douglas,
>>
>> Thanks for your question. I've created case number 2509240040013358 to
>> track this issue. Please leave the number in the subject line and use
>> reply-all in your correspondence. One of our engineers will contact you
>> soon.
>>
>> Best regards,
>> Michael Bowen
>>
>> Sr. Escalation Engineer - Microsoft® Corporation
>>
>>
>> -----Original Message-----
>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>> Sent: Wednesday, September 24, 2025 3:39 PM
>> To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
>> Subject: [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy --
>> interaction with LDAP_SERVER_POLICY_HINTS_OID
>>
>> hi Dochelp,
>>
>> MS-ADTS 3.1.1.3.4.1.27 says that when LDAP_SERVER_POLICY_HINTS_OID is
>> used with a control value of 1, the password history length constraint
>> is enforced on password-set operations.
>>
>> I think that means at the bottom of MS-SAMR 3.1.1.7.1 General Password
>> Policy, where it says:
>>
>>> 5. The requesting protocol message is a password change (as compared
>>> to a password set).
>>
>> it should say something like
>>
>> 5. The requesting protocol message is a password change (as compared
>> to a password set), or the message is a password set with the
>> LDAP_SERVER_POLICY_HINTS_OID control set with the value 0x1.
>>
>> Is that right?
>>
>> Douglas
>>
>
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
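Added example (mine, not code from the thread, Samba, Keycloak or Microsoft): it encodes and decodes the control value that travels with LDAP_SERVER_POLICY_HINTS_OID, and models MS-SAMR 3.1.1.7.1 condition 5 as Douglas proposes it should read, so a password set with Flags 0x1 is subject to the history check like a change. The OID 1.2.840.113556.1.4.2066 is quoted in the thread; 1.2.840.113556.1.4.2239 is the non-deprecated value listed in MS-ADTS, and the SEQUENCE { Flags INTEGER } shape is from MS-ADTS 3.1.1.3.4.1.27; the history check itself is a toy stand-in for the DC's real one.

```python
from typing import Mapping

# 2066 is the value quoted in the thread (now _DEPRECATED_); 2239 is the
# current LDAP_SERVER_POLICY_HINTS_OID listed in MS-ADTS 3.1.1.3.4.1.
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"
POLICY_HINTS_OIDS = {LDAP_SERVER_POLICY_HINTS_OID, LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID}


def _der_integer(n: int) -> bytes:
    """Minimal two's-complement DER INTEGER; Flags is never negative here."""
    if n < 0:
        raise ValueError("negative Flags not expected")
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 if high bit set
    return b"\x02" + bytes([len(body)]) + body


def encode_policy_hints_value(flags: int) -> bytes:
    """PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER } (MS-ADTS 3.1.1.3.4.1.27)."""
    inner = _der_integer(flags)
    return b"\x30" + bytes([len(inner)]) + inner


def decode_policy_hints_value(value: bytes) -> int:
    """Parse a control value, rejecting anything but exactly SEQUENCE { INTEGER }."""
    if len(value) < 2 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    inner = value[2:]
    if len(inner) < 3 or inner[0] != 0x02 or inner[1] != len(inner) - 2:
        raise ValueError("SEQUENCE body is not a single INTEGER")
    return int.from_bytes(inner[2:], "big", signed=True)


def history_enforced(is_change: bool, controls: Mapping[str, bytes]) -> bool:
    """MS-SAMR 3.1.1.7.1 condition 5 with the thread's proposed wording: a
    password change always enforces history; a password set does only when a
    policy-hints control (either OID) is present with Flags bit 0x1 set."""
    if is_change:
        return True
    for oid in POLICY_HINTS_OIDS:
        if oid in controls and decode_policy_hints_value(controls[oid]) & 0x1:
            return True
    return False


def password_set_allowed(new_secret: str, history: list[str], is_change: bool,
                         controls: Mapping[str, bytes]) -> bool:
    """Toy DC check: reusing a remembered secret is refused only when history applies."""
    return not (history_enforced(is_change, controls) and new_secret in history)
```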