[Samba] pwdLastSet, password required to change (samba vs MSAD)
Andrew Bartlett
abartlet at samba.org
Fri Jan 27 10:27:26 UTC 2017
On Fri, 2017-01-27 at 11:08 +0100, mj wrote:
> Hi Andrew and Rowland,
>
> Two replies, so quickly! I'm impressed :-)
>
> On 01/27/2017 10:47 AM, Andrew Bartlett via samba wrote:
> > And a very interesting one at that. I'm glad to see someone has taken
> > on some of the ADFS capability I hear folks ask for regularly.
>
> Yes I agree, keycloak is very cool.
>
> I have found the following Samba bug report:
> https://bugzilla.samba.org/show_bug.cgi?id=9048
>
> Judging from the bug report above, I should ask keycloak devs to follow
> the error code number (49) only, and act based on that.
That won't really work. We need to output something that matches
(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");
https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java#L56
That just needs the Windows error mapping of the
NT_STATUS_PWD_MUST_CHANGE code in 'data', which isn't hard to get.
> As the error code itself is identical, it should make things compatible
> with both samba4 and MSAD.
>
> You agree with that analysis? Then I'll ask for it on the keycloak
> mailing list.
I think this is a Samba fix. If they want to support old Samba,
watching for NT_STATUS_PWD_MUST_CHANGE would also work.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
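To make the point above concrete, here is an added example (not Keycloak's or Samba's own code) of how a client such as Keycloak can interpret an LDAP bind failure with result code 49. It applies the regex quoted in this thread to extract the hex 'data' value that Active Directory puts in its diagnostic message, maps it back to the Win32 error constant (the decimal values are the documented Windows error codes, assumed here rather than taken from the thread), and falls back to looking for the NT_STATUS_PWD_MUST_CHANGE token for older Samba servers, as suggested above. The two diagnostic strings are constructed samples; the exact wording an older Samba emits is an assumption.

```python
import re
from typing import Optional

# Regex quoted in the thread from Keycloak's MSAD user-account-control mapper.
KEYCLOAK_DATA_RE = re.compile(r".*AcceptSecurityContext error, data ([0-9a-f]*), v.*")

# Win32 error codes (decimal) that AD reports, rendered in hex, in the 'data'
# field. These are standard Windows error constants (assumed, not from the thread).
WIN32_ERRORS = {
    "ERROR_NO_SUCH_USER": 1317,
    "ERROR_LOGON_FAILURE": 1326,
    "ERROR_INVALID_LOGON_HOURS": 1328,
    "ERROR_INVALID_WORKSTATION": 1329,
    "ERROR_PASSWORD_EXPIRED": 1330,
    "ERROR_ACCOUNT_DISABLED": 1331,
    "ERROR_ACCOUNT_EXPIRED": 1793,
    "ERROR_PASSWORD_MUST_CHANGE": 1907,   # what NT_STATUS_PWD_MUST_CHANGE maps to
    "ERROR_ACCOUNT_LOCKED_OUT": 1909,
}

LDAP_INVALID_CREDENTIALS = 49


def win32_to_data(code: int) -> str:
    """Render a Win32 error code the way AD writes it in 'data' (lowercase hex)."""
    return format(code, "x")


# Reverse map: hex 'data' value -> symbolic Win32 error name.
DATA_TO_NAME = {win32_to_data(v): k for k, v in WIN32_ERRORS.items()}


def extract_data_code(diagnostic: str) -> Optional[str]:
    """Pull the 'data' field out of an MSAD-style diagnostic message, if present."""
    m = KEYCLOAK_DATA_RE.match(diagnostic)
    return m.group(1) if m else None


def classify_bind_failure(result_code: int, diagnostic: str) -> str:
    """Turn an LDAP bind result into a symbolic reason.

    Only result code 49 (invalidCredentials) carries an AD sub-reason; any
    other code is reported as-is. For 49, prefer the MSAD 'data' value, then
    fall back to the NT_STATUS token an older Samba puts in the message, and
    otherwise treat it as a plain logon failure.
    """
    if result_code != LDAP_INVALID_CREDENTIALS:
        return f"ldap result {result_code}"
    data = extract_data_code(diagnostic)
    if data is not None:
        return DATA_TO_NAME.get(data, f"unknown data {data}")
    if "NT_STATUS_PWD_MUST_CHANGE" in diagnostic:
        return "ERROR_PASSWORD_MUST_CHANGE"
    return "ERROR_LOGON_FAILURE"


def password_must_change(result_code: int, diagnostic: str) -> bool:
    """True when the bind failed only because the user must set a new password."""
    return classify_bind_failure(result_code, diagnostic) == "ERROR_PASSWORD_MUST_CHANGE"


# Constructed sample diagnostics: one in the AD format, one in an assumed
# older-Samba format that names the NT_STATUS code instead of a 'data' field.
MSAD_SAMPLE = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"
OLD_SAMBA_SAMPLE = "simple bind failed: NT_STATUS_PWD_MUST_CHANGE"

if __name__ == "__main__":
    for msg in (MSAD_SAMPLE, OLD_SAMBA_SAMPLE):
        print(classify_bind_failure(49, msg), "->", password_must_change(49, msg))
```

The design choice worth noting is the order of checks: the 'data' field is tried first, so once Samba emits the Windows mapping of NT_STATUS_PWD_MUST_CHANGE (data 773) the client needs no special case, while the token fallback keeps older Samba releases working without changing the regex that already handles MSAD.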