[Samba] pwdLastSet, password required to change (samba vs MSAD)

Andrew Bartlett abartlet at samba.org
Fri Jan 27 10:00:39 UTC 2017


On Fri, 2017-01-27 at 09:46 +0000, Rowland Penny via samba wrote:
> On Fri, 27 Jan 2017 10:30:22 +0100
> mj via samba <samba at lists.samba.org> wrote:
> 
> > Hi,
> > 
> > We are using keycloak (an ldaps client application) with our
> > samba-4.4.4 AD environment.
> > 
> > Keycloak is able to ask users to change their passwords, when the 
> > checkbox "require password change upon next logon" is set in ADUC.
> > 
> > However, in our environment (samba-4.4.4) keycloak simply refuses
> > the logons when that checkbox is set. ("bad username or password")
> > RedHat (who's behind keycloak) has tested and verified that with
> > their AD environment, the user IS presented with a password change
> > dialogue.
> > 
> > So, it seems that samba behaves differently from a true windows AD
> > server.
> > 
> > Running keycloak in debugmode, I can see that:
> > > 2017-01-27 09:49:22,664 DEBUG
> > > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > > (default task-10) Authentication failed for DN
> > > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > > javax.naming.AuthenticationException: [LDAP: error code 49 -
> > > Simple
> > > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
> > 
> > So, finally for the samba-related question: does anyone know if
> > "password required to change" behaviour has perhaps changed between
> > functional levels? Could this be the reason for the different
> > behaviour between MSAD and samba-4.4.4?
> > 
> > > root at dc4:~/samba4# samba-tool domain level show
> > > ldb_wrap open of secrets.ldb
> > > Domain and forest function level for domain
> > > 'DC=samba,DC=company,DC=com'
> > > 
> > > Forest function level: (Windows) 2003
> > > Domain function level: (Windows) 2003
> > > Lowest function level of a DC: (Windows) 2008 R2
> > > root at dc4:~/samba4#
> > 
> > Is it a risky operation to increase that level? From the docs I 
> > understand that samba-4.4.4 should be able to go all the way up to 
> > 2012_R2. (we have no trusts, just three samba DCs and windows
> > clients)
> > 
> > Suggestions, ideas what to look at to make password-change dialogues
> > functional, just as in a MSAD?
> > 
> > MJ
> > 
> 
> Try adding this to your DC smb.conf files:
> 
> ldap server require strong auth = no

Thanks Rowland for the suggestion.  In this case the client is already
using ldaps, so simple binds are permitted.  The issue is related to
the layers that check the password, which do not have an exception for
expired passwords, and treat all errors as 'failure'.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
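The failure mode Andrew describes (every bind failure, including NT_STATUS_PASSWORD_MUST_CHANGE, collapsed into "bad username or password") is something an LDAP client can handle on its own side by classifying the diagnostic message rather than the bare result code. The Python below is an added example written for this thread, not Keycloak's or Samba's code: it recognises both the Samba-style NT_STATUS text from MJ's debug log and the `data NNN` sub-codes a Windows DC appends to result 49, and only offers a password change for the two states in which the supplied password was correct but must be renewed. The Windows sub-code table is documented AD behaviour; the NT_STATUS names other than the one quoted in the thread are assumed to appear in Samba's diagnostics, and the Windows-style sample lines are constructed (DSID and version fields are placeholders).

```python
import re

# Sub-codes a Windows DC appends to an LDAP result 49 (invalidCredentials)
# diagnostic, e.g. "AcceptSecurityContext error, data 773". Documented AD
# values; the category names on the right are this example's own.
AD_SUBCODES = {
    "525": "no_such_user",
    "52e": "bad_password",
    "530": "logon_time_restricted",
    "531": "workstation_restricted",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "password_must_change",
    "775": "account_locked",
}

# NT_STATUS names Samba's LDAP server puts in the same diagnostic position.
# NT_STATUS_PASSWORD_MUST_CHANGE is the one seen in the thread; the others
# are real NT status names but their appearance in bind diagnostics is assumed.
SAMBA_STATUS = {
    "NT_STATUS_PASSWORD_MUST_CHANGE": "password_must_change",
    "NT_STATUS_PASSWORD_EXPIRED": "password_expired",
    "NT_STATUS_ACCOUNT_DISABLED": "account_disabled",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "account_locked",
    "NT_STATUS_ACCOUNT_EXPIRED": "account_expired",
    "NT_STATUS_WRONG_PASSWORD": "bad_password",
    "NT_STATUS_LOGON_FAILURE": "bad_password",
    "NT_STATUS_NO_SUCH_USER": "no_such_user",
}

# Only these two states mean "credentials were right, password must be renewed".
PROMPT_CHANGE = {"password_must_change", "password_expired"}

_AD_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")
_NT_STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z_]+\b")


def classify_bind_failure(result_code: int, diagnostic: str) -> str:
    """Map a failed simple bind to a category; unknown detail fails closed."""
    if result_code != 49:
        return "other_error"
    m = _NT_STATUS_RE.search(diagnostic)
    if m:
        return SAMBA_STATUS.get(m.group(0), "bad_password")
    m = _AD_DATA_RE.search(diagnostic)
    if m:
        return AD_SUBCODES.get(m.group(1).lower(), "bad_password")
    return "bad_password"


def decide(result_code: int, diagnostic: str) -> tuple:
    """Return (action, category): prompt for a change or deny the logon."""
    category = classify_bind_failure(result_code, diagnostic)
    if category in PROMPT_CHANGE:
        return ("prompt_password_change", category)
    return ("deny", category)


# Sample bind failures: the first is quoted from the thread (Samba 4.4.4 DC),
# the rest are constructed to show the Windows form and ordinary failures.
SAMPLES = [
    (49, "[LDAP: error code 49 - Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]"),
    (49, "[LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: "
         "AcceptSecurityContext error, data 773, vXXXX]"),
    (49, "[LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: "
         "AcceptSecurityContext error, data 52e, vXXXX]"),
    (49, "[LDAP: error code 49 - Simple Bind Failed: NT_STATUS_WRONG_PASSWORD]"),
    (32, "No such object"),
]


def run_samples() -> list:
    """Classify every sample; returns the list of (action, category) pairs."""
    return [decide(code, diag) for code, diag in SAMPLES]


if __name__ == "__main__":
    for (code, diag), outcome in zip(SAMPLES, run_samples()):
        print(f"{code:>3} {outcome[0]:<22} {outcome[1]:<22} {diag[:60]}")
```

The important design point is that the change prompt is offered only after the DC has reported a state it reports solely for a correct password; everything unrecognised stays a denial. The subsequent password change itself should still go through a path that requires the old password (an LDAP password modify with both values, or kpasswd), so the prompt never becomes a way to set a password without proving the current one.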
