[Samba] pwdLastSet, password required to change (samba vs MSAD)

Andrew Bartlett abartlet at samba.org
Fri Jan 27 09:47:36 UTC 2017

On Fri, 2017-01-27 at 10:30 +0100, mj via samba wrote:
> Hi,
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps 
> client application)

And a very interesting one at that.  I'm glad to see someone has taken
on some of the ADFS capability I hear folks ask for regularly.

> Keycloak is able to ask users to change their passwords, when the 
> checkbox "require password change upon next logon" is set in ADUC.
> However, in our environment (samba-4.4.4) keycloak simply refuses the
> logons when that checkbox is set. ("bad username or password")
> RedHat (who's behind keycloak) has tested and verified that with their
> AD environment, the user IS presented with a password change dialogue.
> So, it seems that samba behaves differently from a true windows AD
> server.

That isn't a total surprise, sadly.  We are very close, but things like
this do still come up from time to time.

> Running keycloak in debugmode, I can see that:
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> So, finally for the samba-related question: does anyone know if 
> "password required to change" behaviour has perhaps changed between 
> functional levels? Could this be the reason for the different behaviour
> between MSAD and samba-4.4.4?

No.  Just a bug, present in all levels.  We just don't allow a login
at all for a user with an expired password.

> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain
> > 'DC=samba,DC=company,DC=com'
> > 
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
> Is it a risky operation to increase that level? From the docs I 
> understand that samba-4.4.4 should be able to go all the way up to 
> 2012_R2. (we have no trusts, just three samba DCs and windows
> clients)

No, 2008_R2 is the maximum that has any support. 

> Suggestions, ideas what to look at to make password-change dialogues 
> functional, just as in a MSAD?

At this point it needs code changes and regression tests to match.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
