[Samba] pwdLastSet, password required to change (samba vs MSAD)

mj lists at merit.unu.edu
Fri Jan 27 09:30:22 UTC 2017


Hi,

We are using keycloak with our samba-4.4.4 AD environment. (an ldaps 
client application)

Keycloak is able to ask users to change their passwords, when the 
checkbox "require password change upon next logon" is set in ADUC.

However, in our environment (samba-4.4.4) keycloak simply refuses the 
logons when that checkbox is set. ("bad username or password")
RedHat (who's behind keycloak) has tested and verified that with their 
AD environment, the user IS presented with a password change dialogue.

So, it seems that samba behaves differently from a true windows AD server.

Running keycloak in debugmode, I can see that:
> 2017-01-27 09:49:22,664 DEBUG
> [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-10) Authentication failed for DN
> [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]

So, finally for the samba-related question: does anyone know if 
"password required to change" behaviour has perhaps changed between 
functional levels? Could this be the reason for the different behaviour 
between MSAD and samba-4.4.4?

> root at dc4:~/samba4# samba-tool domain level show
> ldb_wrap open of secrets.ldb
> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> root at dc4:~/samba4#

Is it a risky operation to increase that level? From the docs I 
understand that samba-4.4.4 should be able to go all the way up to 
2012_R2. (we have no trusts, just three samba DCs and windows clients)

Suggestions or ideas on what to look at to make password-change dialogues 
functional, just as in MSAD?

MJ

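Added example, not part of MJ's post and not Keycloak or Samba code: the bind failure in the log above is LDAP result code 49 (invalidCredentials) in both directories, and the only hint that the password was actually right but must be changed sits in the free-text diagnostic message, which Samba and Microsoft AD phrase differently. Samba writes "Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE" (as in the post); Microsoft AD writes "AcceptSecurityContext error, data 773" (773 = password must change, 52e = wrong password, 532 = expired, 533 = disabled, 775 = locked out). The classifier below normalises both forms, and a second helper shows the pre-bind check on pwdLastSet, which ADUC sets to 0 for "must change password at next logon". The NT_STATUS names other than NT_STATUS_PASSWORD_MUST_CHANGE are standard NTSTATUS names and an assumption about what Samba surfaces there; the sample messages are constructed, and the DSID and "v" values in the AD samples are placeholders.

```python
"""Normalise LDAP simple-bind failures from Samba AD and Microsoft AD.

Added example; not Keycloak, Samba or Microsoft code.
"""
import re
from enum import Enum


class BindOutcome(Enum):
    OK = "ok"
    INVALID_CREDENTIALS = "invalid_credentials"
    PASSWORD_MUST_CHANGE = "password_must_change"
    PASSWORD_EXPIRED = "password_expired"
    ACCOUNT_DISABLED = "account_disabled"
    ACCOUNT_LOCKED = "account_locked"
    UNKNOWN_49 = "unknown_result_49_reason"


# Microsoft AD: hex sub-code after "data" in the result-49 diagnostic
# ("... AcceptSecurityContext error, data 773, v...").
MSAD_DATA_CODES = {
    "52e": BindOutcome.INVALID_CREDENTIALS,
    "532": BindOutcome.PASSWORD_EXPIRED,
    "533": BindOutcome.ACCOUNT_DISABLED,
    "773": BindOutcome.PASSWORD_MUST_CHANGE,
    "775": BindOutcome.ACCOUNT_LOCKED,
}

# Samba AD: NTSTATUS name after "Simple Bind Failed: ".  Only
# NT_STATUS_PASSWORD_MUST_CHANGE is evidenced by the post; the rest are
# standard NTSTATUS names and an assumption about what Samba emits here.
SAMBA_NT_STATUS = {
    "NT_STATUS_WRONG_PASSWORD": BindOutcome.INVALID_CREDENTIALS,
    "NT_STATUS_NO_SUCH_USER": BindOutcome.INVALID_CREDENTIALS,
    "NT_STATUS_LOGON_FAILURE": BindOutcome.INVALID_CREDENTIALS,
    "NT_STATUS_PASSWORD_MUST_CHANGE": BindOutcome.PASSWORD_MUST_CHANGE,
    "NT_STATUS_PASSWORD_EXPIRED": BindOutcome.PASSWORD_EXPIRED,
    "NT_STATUS_ACCOUNT_DISABLED": BindOutcome.ACCOUNT_DISABLED,
    "NT_STATUS_ACCOUNT_LOCKED_OUT": BindOutcome.ACCOUNT_LOCKED,
}

_DATA_RE = re.compile(r"\bdata ([0-9A-Fa-f]+)\b")
_NTSTATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")


def classify_bind_failure(result_code, diagnostic):
    """Map an LDAP bind result code plus diagnostic text to a BindOutcome.

    Anything that is not result 0 or 49 is passed through as an error,
    because it is not a credential problem at all (e.g. server down).
    """
    if result_code == 0:
        return BindOutcome.OK
    if result_code != 49:
        raise ValueError("not a credential failure: result %d" % result_code)
    diagnostic = diagnostic or ""
    m = _DATA_RE.search(diagnostic)          # Microsoft AD form
    if m:
        return MSAD_DATA_CODES.get(m.group(1).lower(), BindOutcome.UNKNOWN_49)
    m = _NTSTATUS_RE.search(diagnostic)      # Samba AD form
    if m:
        return SAMBA_NT_STATUS.get(m.group(1), BindOutcome.UNKNOWN_49)
    return BindOutcome.UNKNOWN_49


def must_change_from_attrs(attrs):
    """Pre-bind check: pwdLastSet == 0 means 'must change password at next
    logon' in both AD and Samba.  `attrs` is a dict of attribute name to
    value or list of values, as an LDAP search result would give it."""
    val = attrs.get("pwdLastSet")
    if val is None:
        return False
    if isinstance(val, (list, tuple)):
        val = val[0]
    return int(val) == 0


# Constructed sample diagnostics (not captured from a live server).  The
# Samba one mirrors the Keycloak log line from the post, wrapped the way
# JNDI prints it; the AD DSID and "v" values are placeholders.
SAMPLE_SAMBA = "[LDAP: error code 49 - Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]"
SAMPLE_MSAD_MUST_CHANGE = ("80090308: LdapErr: DSID-0C090400, comment: "
                           "AcceptSecurityContext error, data 773, v1db1")
SAMPLE_MSAD_BAD_PASSWORD = ("80090308: LdapErr: DSID-0C090400, comment: "
                            "AcceptSecurityContext error, data 52e, v1db1")

if __name__ == "__main__":
    for msg in (SAMPLE_SAMBA, SAMPLE_MSAD_MUST_CHANGE, SAMPLE_MSAD_BAD_PASSWORD):
        print(classify_bind_failure(49, msg).value, "<-", msg)
    print("pwdLastSet=0 ->", must_change_from_attrs({"pwdLastSet": ["0"]}))
```

One caveat worth keeping in mind when wiring this into a login flow: both "data 773" and NT_STATUS_PASSWORD_MUST_CHANGE are only returned after the supplied password has been verified, so the client may safely offer the change-password dialogue, but it should still route the user only into that dialogue and not treat the failed bind as a completed authentication.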

