[Samba] Samba AD DC: users cannot change expired passwords
abartlet at samba.org
Sun Oct 29 20:52:53 UTC 2023
On Fri, 2023-10-27 at 20:31 +0200, Kees van Vloten via samba wrote:
> Op 27-10-2023 om 11:49 schreef Rowland Penny via samba:
> > On Fri, 27 Oct 2023 10:44:51 +0200 Kees van Vloten via samba <
> > samba at lists.samba.org> wrote:
> > > Hi Andrew,
> > > Op 27-10-2023 om 02:22 schreef Andrew Bartlett:
> > > > I'm sorry to say that from here you really need to work
> > > > closely with a Samba developer (eg via a commercial support
> > > > provider) or do a deep dive into debugging yourself.
> > > > Ideally if you have time, do a git bisect between the last
> > > > known working version and the first failing one. That may find
> > > > the problematic commit, which will make a fix and adding a
> > > > regression test much faster.
> > > If the statement (below) is that it should not work, then I don't
> > > see why it is worth an investigation. Can you clarify that?
> > > > I would note that we should never allow access over LDAP as a
> > > > user who has an expired password, even with the intention to
> > > > change the password. Some other protocols (like kpasswd) should
> > > > allow access only to the password change service, and password
> > > > changes over SAMR can be done as one user (eg a service user) to
> > > > change the password of another.
> > > I am not sure that it does not work on MS-AD because the self-
> > > service-password application has some options for this:
> > > 
> > > # Active Directory mode
> > > # true: use unicodePwd as password field
> > > # false: LDAPv3 standard behavior
> > > $ad_mode = true;
> > > # Force account unlock when password is changed
> > > $ad_options['force_unlock'] = true;
> > > # Force user change password at next login
> > > $ad_options['force_pwd_change'] = false;
> > > # Allow user with expired password to change password
> > > $ad_options['change_expired_password'] = true;
> > > 
> > > Why would there be an option 'change_expired_password' when this
> > > is not a supported feature in AD?
> > > Since I have no MS-AD so cannot check it.
> > > - Kees.
> > Not answering for Andrew, but just wondering aloud :-)
> > Could it be that it changes the password in a different way if
> > the password has expired. In a similar way that 'samba-tool user'
> > has 'password' and 'setpassword'.
> > Rowland
> I have been thinking during the day about this matter, after I
> replied to Andrew this morning.
> Although I am quite convinced I have seen it working in the past,
> looking at it and thinking about it now, convinces me more and more
> that that cannot be the case. It is quite illogical that, without a
> more privileged account (like with samba-tool user setpassword), that
> a user can login and change the password.
It is always possible that there was a bug, which is why I didn't
dismiss this out of hand. Sometimes we fix such things without
> That brings me to another point: it is hard to check because you need
> an expired account and when you change the password it is no longer
> expired so the test cannot be repeated.
> Is there a way I can set the expired flag (whatever that is) on
You can force accounts as 'must change at next login' which is much the
same thing, or use 'password setting objects' (fine grained password
policies) to set really short expiries.
> That would make it much easier to do repeated tests and make this
I agree. We do much of this kind of thing in our testsuite.
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions