[Samba] pwdLastSet, password required to change (samba vs MSAD)
abartlet at samba.org
Fri Jan 27 10:27:26 UTC 2017
On Fri, 2017-01-27 at 11:08 +0100, mj wrote:
> Hi Andrew and Rowland,
> Two replies, so quickly! I'm impressed :-)
> On 01/27/2017 10:47 AM, Andrew Bartlett via samba wrote:
> > And a very interesting one at that. I'm glad to see someone has
> > on some of the ADFS capability I hear folks ask for regularly.
> Yes I agree, keycloak is very cool.
> I have found the following samba bug report:
> Judging from the bug report above, I should ask keycloak devs to
> the errorcode number (49) only, and act based on that.
That won't really work. We need to output something that matches
(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");
That just needs the Windows error mapping of the
NT_STATUS_PWD_MUST_CHANGE code in 'data', which isn't hard to get.
> As the errorcode itself is identical, it should make things
> with both samba4 and MSAD.
> You agree with that analysis? Then I'll ask for it on the keycloak
I think this is a Samba fix. If they want to support old Samba,
watching for NT_STATUS_PWD_MUST_CHANGE would also work.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
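
An added example, not part of the original message and not Keycloak or Samba code: a client-side classifier for a failed LDAP bind (result code 49) that applies the pattern quoted above, maps the hex Windows error in 'data' to a reason, and falls back to watching for NT_STATUS_PWD_MUST_CHANGE as suggested for old Samba. The function name, the sample diagnostic strings and the old-Samba message wording are assumptions constructed for illustration.

```python
import re

# Pattern quoted in the message above; AD puts a hex Windows error in 'data'.
AD_DIAG = re.compile(r".*AcceptSecurityContext error, data ([0-9a-f]*), v.*", re.DOTALL)

LDAP_INVALID_CREDENTIALS = 49

# Well-known Windows error codes seen in 'data' on a failed AD bind.
SUBCODES = {
    0x52E: "invalid_credentials",   # ERROR_LOGON_FAILURE
    0x532: "password_expired",      # ERROR_PASSWORD_EXPIRED
    0x533: "account_disabled",      # ERROR_ACCOUNT_DISABLED
    0x773: "password_must_change",  # ERROR_PASSWORD_MUST_CHANGE
    0x775: "account_locked",        # ERROR_ACCOUNT_LOCKED_OUT
}


def classify_bind_failure(result_code, diagnostic):
    """Map a failed simple bind to a reason; unknown input stays a plain failure."""
    if result_code != LDAP_INVALID_CREDENTIALS:
        return "other_error"
    text = diagnostic or ""
    m = AD_DIAG.match(text)
    if m and m.group(1):  # the pattern also matches an empty 'data' field
        return SUBCODES.get(int(m.group(1), 16), "invalid_credentials")
    # Fallback for a server that only names the NTSTATUS (assumed wording).
    if "NT_STATUS_PWD_MUST_CHANGE" in text:
        return "password_must_change"
    return "invalid_credentials"


# Constructed sample diagnostics, not captured from a real server.
SAMPLES = {
    "ad_must_change": "80090308: LdapErr: DSID-00000000, comment: "
                      "AcceptSecurityContext error, data 773, v1db1\x00",
    "ad_bad_password": "80090308: LdapErr: DSID-00000000, comment: "
                       "AcceptSecurityContext error, data 52e, v1db1\x00",
    "empty_data": "comment: AcceptSecurityContext error, data , v1db1",
    "old_samba": "Simple Bind Failed: NT_STATUS_PWD_MUST_CHANGE",
}

if __name__ == "__main__":
    for name, diag in SAMPLES.items():
        print(name, "->", classify_bind_failure(49, diag))
```

Anything the classifier does not recognise is reported as an ordinary credential failure, so an unexpected diagnostic string never triggers the password-change flow.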