[Samba] pwdLastSet, password required to change (samba vs MSAD)
mj
lists at merit.unu.edu
Fri Jan 27 09:30:22 UTC 2017
Hi,
We are using Keycloak (an LDAPS client application) with our samba-4.4.4
AD environment.
Keycloak is able to ask users to change their passwords, when the
checkbox "require password change upon next logon" is set in ADUC.
However, in our environment (samba-4.4.4) Keycloak simply refuses the
logons when that checkbox is set ("bad username or password").
Red Hat (who is behind Keycloak) has tested and verified that with their
AD environment, the user IS presented with a password change dialogue.
So, it seems that Samba behaves differently than a true Windows AD server.
Running Keycloak in debug mode, I can see that:
> 2017-01-27 09:49:22,664 DEBUG
> [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-10) Authentication failed for DN
> [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
So, finally, for the Samba-related question: does anyone know if the
"password required to change" behaviour has perhaps changed between
functional levels? Could this be the reason for the different behaviour
between MSAD and samba-4.4.4?
> root at dc4:~/samba4# samba-tool domain level show
> ldb_wrap open of secrets.ldb
> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> root at dc4:~/samba4#
Is it a risky operation to increase that level? From the docs I
understand that samba-4.4.4 should be able to go all the way up to
2012_R2. (we have no trusts, just three samba DCs and windows clients)
Any suggestions or ideas on what to look at to make password-change
dialogues functional, just as in MSAD?
MJ
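As an added example (not from the original post, and not Keycloak's or Samba's own code): a small Python classifier that turns the diagnostic text of an LDAP result code 49 (invalidCredentials) into a reason, accepting both the Windows AD format ("AcceptSecurityContext error, data 773") and the NT_STATUS_* text that a Samba AD DC places in the same field, as in the log quoted above. The Samba message is the one from the post; the Windows-format sample, including its DSID and version values, is constructed. The point it illustrates is the mismatch the post describes: a client that only matches the Windows "data 773" substring sees Samba's NT_STATUS_PASSWORD_MUST_CHANGE as a plain bad-password failure, even though in both cases the DC accepted the password and is asking for a change.

```python
"""Classify LDAP simple-bind failures from AD-style directory servers.

Added example. Distinguishes the Windows AD diagnostic format
("AcceptSecurityContext error, data <hex>") from the NT_STATUS_* text a
Samba AD DC emits in the same diagnostic field, so a client can tell
"wrong password" from "password must change" against either server.
"""
import re

# Windows AD sub-codes that follow "data " in an error 49 diagnostic.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "password must change",
    "775": "account locked out",
}

# NT_STATUS strings Samba reports for the same conditions.
SAMBA_NT_STATUS = {
    "NT_STATUS_NO_SUCH_USER": "user not found",
    "NT_STATUS_LOGON_FAILURE": "invalid credentials",
    "NT_STATUS_PASSWORD_EXPIRED": "password expired",
    "NT_STATUS_ACCOUNT_DISABLED": "account disabled",
    "NT_STATUS_ACCOUNT_EXPIRED": "account expired",
    "NT_STATUS_PASSWORD_MUST_CHANGE": "password must change",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "account locked out",
}

WINDOWS_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")
NT_STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


def classify_bind_failure(diagnostic: str) -> str:
    """Map an LDAP error 49 diagnostic message to a reason string.

    Anything unrecognised is reported as 'invalid credentials', so an
    unknown condition is never treated more permissively than a failed logon.
    """
    m = WINDOWS_DATA_RE.search(diagnostic)
    if m:
        return AD_DATA_CODES.get(m.group(1).lower(), "invalid credentials")
    m = NT_STATUS_RE.search(diagnostic)
    if m:
        return SAMBA_NT_STATUS.get(m.group(1), "invalid credentials")
    return "invalid credentials"


def next_action(reason: str) -> str:
    """Decide what the application should do with a classified failure.

    Only 'password must change' and 'password expired' mean the DC accepted
    the supplied password; those can be routed to a change-password dialogue.
    Every other reason is a hard rejection.
    """
    if reason in ("password must change", "password expired"):
        return "prompt-password-change"
    return "reject"


# Samba message taken from the post; Windows message is constructed.
SAMPLE_SAMBA = ("[LDAP: error code 49 - Simple Bind Failed: "
                "NT_STATUS_PASSWORD_MUST_CHANGE]")
SAMPLE_WINDOWS = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, "
                  "comment: AcceptSecurityContext error, data 773, v2580]")

if __name__ == "__main__":
    for label, msg in (("samba", SAMPLE_SAMBA), ("windows", SAMPLE_WINDOWS)):
        reason = classify_bind_failure(msg)
        print(f"{label}: {reason} -> {next_action(reason)}")
```

Both sample messages classify as "password must change" and map to a change-password prompt; a client that only recognises the Windows substring would reject the Samba case outright.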