[Samba] pwdLastSet, password required to change (samba vs MSAD)
Rowland Penny
rpenny at samba.org
Fri Jan 27 09:46:27 UTC 2017
On Fri, 27 Jan 2017 10:30:22 +0100
mj via samba <samba at lists.samba.org> wrote:
> Hi,
>
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps
> client application)
>
> Keycloak is able to ask users to change their passwords, when the
> checkbox "require password change upon next logon" is set in ADUC.
>
> However, in our environment (samba-4.4.4) keycloak simply refuses the
> logons when that checkbox is set. ("bad username or password")
> RedHat (who is behind keycloak) has tested and verified that with
> their AD environment, the user IS presented with a password change
> dialogue.
>
> So, it seems that samba behaves differently from a true windows AD
> server.
>
> Running keycloak in debug mode, I can see that:
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
>
> So, finally for the samba-related question: does anyone know if
> "password required to change" behaviour has perhaps changed between
> functional levels? Could this be the reason for the different
> behaviour between MSAD and samba-4.4.4?
>
> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain
> > 'DC=samba,DC=company,DC=com'
> >
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
>
> Is it a risky operation to increase that level? From the docs I
> understand that samba-4.4.4 should be able to go all the way up to
> 2012_R2. (we have no trusts, just three samba DCs and windows clients)
>
> Suggestions, ideas on what to look at to make password-change dialogues
> functional, just as in an MSAD?
>
> MJ
>
Try adding this to your DC smb.conf files:
ldap server require strong auth = no
Rowland
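The failure MJ describes hinges on how the LDAP client reads the bind error: Keycloak copes with the Windows AD form of result code 49 but, per the debug output above, rejects Samba's "NT_STATUS_PASSWORD_MUST_CHANGE" wording as a plain bad password. As an added example (not code from the thread, Keycloak or Samba), this Python classifier maps both diagnostic formats to one reason and only opens a change-password flow for the two reasons that imply the supplied password itself was accepted; the Windows "data NNN" sub-codes are Microsoft's documented values, the NT_STATUS names other than NT_STATUS_PASSWORD_MUST_CHANGE are assumed, and the sample messages are constructed.

```python
import re

# Windows AD reports the reason for LDAP result 49 (invalidCredentials) as a hex
# "data NNN" sub-code in the diagnostic message (Microsoft-documented values).
WINDOWS_DATA_CODES = {
    "52e": "invalid_credentials",
    "532": "password_expired",
    "533": "account_disabled",
    "773": "password_must_change",
    "775": "account_locked",
}

# A Samba AD DC names the NT_STATUS code instead, as in the thread's
# "Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE". Only that entry is on
# the page; the others are Samba's standard auth status names (assumed here).
SAMBA_NT_STATUS = {
    "NT_STATUS_WRONG_PASSWORD": "invalid_credentials",
    "NT_STATUS_LOGON_FAILURE": "invalid_credentials",
    "NT_STATUS_PASSWORD_EXPIRED": "password_expired",
    "NT_STATUS_ACCOUNT_DISABLED": "account_disabled",
    "NT_STATUS_PASSWORD_MUST_CHANGE": "password_must_change",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "account_locked",
}

_WINDOWS_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")
_SAMBA_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")


def classify_bind_failure(result_code, diagnostic):
    """Map a bind failure from either server family to one reason string."""
    if result_code != 49:
        return "other_error"
    text = diagnostic or ""
    m = _SAMBA_RE.search(text)
    if m:
        return SAMBA_NT_STATUS.get(m.group(1), "invalid_credentials")
    m = _WINDOWS_RE.search(text)
    if m:
        return WINDOWS_DATA_CODES.get(m.group(1).lower(), "invalid_credentials")
    # Unknown or absent sub-code: plain bad credentials, never a change prompt.
    return "invalid_credentials"


def next_action(result_code, diagnostic):
    """Both servers return must-change/expired only after the supplied password
    checked out, so only those two reasons may lead to a change dialogue."""
    reason = classify_bind_failure(result_code, diagnostic)
    if reason in ("password_must_change", "password_expired"):
        return "prompt_password_change"
    return "reject_logon"
```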