[Samba] pwdLastSet, password required to change (samba vs MSAD)

Andrew Bartlett abartlet at samba.org
Fri Jan 27 10:27:26 UTC 2017

On Fri, 2017-01-27 at 11:08 +0100, mj wrote:
> Hi Andrew and Rowland,
> Two replies, so quickly! I'm impressed :-)
> On 01/27/2017 10:47 AM, Andrew Bartlett via samba wrote:
>  > And a very interesting one at that.  I'm glad to see someone has
> taken
>  > on some of the ADFS capability I hear folks ask for regularly.
> Yes I agree, keycloak is very cool.
> I have found the following samba bug report:
> https://bugzilla.samba.org/show_bug.cgi?id=9048
> Judging from the bugreport above, I should ask keycloak devs to
> follow 
> the errorcode number (49) only, and act based on that.

That won't really work.  We need to output something that matches 
(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");


That just needs the windows error mapping of the
NT_STATUS_PWD_MUST_CHANGE code in 'data', which isn't hard to get. 

> As the errorcode itself is identical, it should make things
> compatible 
> with both samba4 and MSAD.
> You agree with that analysis? Then I'll ask for it on the keycloak 
> mailinglist.

I think this is a Samba fix.  If they want to support old Samba,
watching for NT_STATUS_PWD_MUST_CHANGE would also work.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list