[Samba] pwdLastSet, password required to change (samba vs MSAD)
abartlet at samba.org
Fri Jan 27 09:47:36 UTC 2017
On Fri, 2017-01-27 at 10:30 +0100, mj via samba wrote:
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps
> client application)
And a very interesting one at that. I'm glad to see someone has taken
on some of the ADFS capability I hear folks ask for regularly.
> Keycloak is able to ask users to change their passwords, when the
> checkbox "require password change upon next logon" is set in ADUC.
> However, in our environment (samba-4.4.4) keycloak simply refuses
> logons when tht checkbox is set. ("bad username or password")
> RedHat (who's behind keycloak) has tested and verified that with
> AD environment, the user IS presented with a password change
> So, it seems that samba behaves different than a true windows AD
That isn't a total surprise, sadly. We are very close, but things like
this do still come up from time to time.
> Running keycloak in debugmode, I can see that:
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
> So, finally for the samba-related question: does anyone know if
> "password required to change" behaviour has perhaps changed between
> functional levels? Could this be the reason of the different
> between MSAD and samba-4.4.4?
No. Just a bug, present in all levels. We just don't allow a log in
at all for a user with an expired password.
> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain
> > 'DC=samba,DC=company,DC=com'
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
> Is it a risky operation to increase that level? From the docs I
> understand that samba-4.4.4 should be able to go all the way up to
> 2012_R2. (we have no trusts, just three samba DCs and windows
No, 2008_R2 is the maximum that has any support.
> Suggestions, ideas what to look at to make password-change dialogues
> functional, just as in a MSAD?
At this point it needs code changes and regression tests to match.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba