[Samba] Samba AD DC: users cannot change expired passwords
Kees van Vloten
keesvanvloten at gmail.com
Mon Sep 25 14:44:26 UTC 2023
On 25-09-2023 at 16:39, Rowland Penny via samba wrote:
> On Mon, 25 Sep 2023 15:45:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>> Now it becomes really interesting:
>> I just tested what happens when I set "the user must change the
>> password on the next login". Then, on my Samba domain controller, I
>> kinit <the user name>
>> and entered the current password. Surprisingly, I got the message
>> from Kerberos
>> "Password for the user is expired. You must change it now."
>> And I can change the password! Afterwards, when I go back to "Active
>> Directory Users and Computers", the tick mark at "user must change
>> password at next login" is gone. So at least Kerberos behaves totally
>> correctly and the password is also changed correctly.
> This is getting very confusing, for a start I received a post via the
> samba mailing list that is supposed to come from Kees van Vloten, but
> it is signed by Tobias ????????
I can clarify that: I had a message from Tobias in my own mailbox which
I forwarded to the list because I thought Tobias forgot to do a reply-all.
> There are three attributes in play here:
> unicodePwd: This is where a users password is stored
> pwdLastSet: This is set to '0' to force the user to change their
> userAccountControl: This does many things, but one is that it can set
> PASSWORD_EXPIRED if 8388608 is contained in the value set on this
> I am not sure what is going wrong here, but the only thing that I can
> see that might be relevant to the 4.18.x series is a CVE that was added
> at 4.18.1, see here for more details:
> It might be relevant, but then it might not.
> Is there anything in the event logs on the client or in the DCs logs
> (you may need to turn up the loglevel) ?
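The three attributes Rowland lists can be checked directly from an LDAP export when a DC's behaviour looks odd. The following is an added example, not code from the thread or from Samba: it decodes pwdLastSet (a Windows FILETIME, 0 meaning "must change at next logon") and the userAccountControl bits, using Microsoft's documented flag values, over constructed sample entries.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits that affect password state (documented ADS_USER_FLAG values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000  # decimal 8388608, the value named in the thread
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
    A value of 0 means 'user must change password at next logon'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic so it stays exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def password_state(entry: dict, max_age_days: int, now: datetime) -> dict:
    """Classify one user from its pwdLastSet and userAccountControl values."""
    uac = int(entry["userAccountControl"])
    last_set = filetime_to_datetime(int(entry["pwdLastSet"]))
    must_change = last_set is None                  # pwdLastSet = 0
    flag_expired = bool(uac & UF_PASSWORD_EXPIRED)  # the 8388608 bit
    never_expires = bool(uac & UF_DONT_EXPIRE_PASSWD)
    age_expired = (last_set is not None and not never_expires
                   and now - last_set > timedelta(days=max_age_days))
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "must_change": must_change,
        "flag_expired": flag_expired,
        "age_expired": age_expired,
        "needs_change": must_change or flag_expired or age_expired,
    }

def users_needing_change(users: dict, max_age_days: int, now: datetime) -> list:
    """Sorted names of users a DC would push through a password change."""
    return sorted(n for n, e in users.items()
                  if password_state(e, max_age_days, now)["needs_change"])

# Constructed sample entries, not real accounts; 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2023, 9, 25, 14, 44, 26, tzinfo=timezone.utc)
_ft = lambda y, m, d: datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
SAMPLE_USERS = {
    "forced":  {"pwdLastSet": 0,               "userAccountControl": 0x200},
    "flagged": {"pwdLastSet": _ft(2023, 9, 1), "userAccountControl": 0x200 | UF_PASSWORD_EXPIRED},
    "stale":   {"pwdLastSet": _ft(2023, 1, 1), "userAccountControl": 0x200},
    "service": {"pwdLastSet": _ft(2023, 1, 1), "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    "current": {"pwdLastSet": _ft(2023, 9, 1), "userAccountControl": 0x200},
}
```

Feeding the real values from `ldbsearch` output into `password_state` shows whether the DC's view (pwdLastSet cleared, PASSWORD_EXPIRED set) matches what the client reports.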