Hi,

We are using keycloak with our samba-4.4.4 AD environment. (an ldaps client application)

Keycloak is able to ask users to change their passwords, when the checkbox "require password change upon next logon" is set in ADUC.

However, in our environment (samba-4.4.4) keycloak simply refuses the logons when that checkbox is set. ("bad username or password")
RedHat (who's behind keycloak) has tested and verified that with their AD environment, the user IS presented with a password change dialogue.

So, it seems that samba behaves differently than a true windows AD server.

Running keycloak in debug mode, I can see that:

> 2017-01-27 09:49:22,664 DEBUG
> [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-10) Authentication failed for DN
> [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]

So, finally for the samba-related question: does anyone know if "password required to change" behaviour has perhaps changed between functional levels? Could this be the reason of the different behaviour between MSAD and samba-4.4.4?

> root at dc4:~/samba4# samba-tool domain level show
> ldb_wrap open of secrets.ldb
> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> root at dc4:~/samba4#

Is it a risky operation to increase that level? From the docs I understand that samba-4.4.4 should be able to go all the way up to 2012_R2. (we have no trusts, just three samba DCs and windows clients)

Suggestions, ideas what to look at to make password-change dialogues functional, just as in a MSAD?

MJ
Rowland Penny
2017-Jan-27 09:46 UTC
[Samba] pwdLastSet, password required to change (samba vs MSAD)
On Fri, 27 Jan 2017 10:30:22 +0100
mj via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps client application)
>
> Keycloak is able to ask users to change their passwords, when the checkbox "require password change upon next logon" is set in ADUC.
>
> However, in our environment (samba-4.4.4) keycloak simply refuses the logons when that checkbox is set. ("bad username or password")
> RedHat (who's behind keycloak) has tested and verified that with their AD environment, the user IS presented with a password change dialogue.
>
> So, it seems that samba behaves differently than a true windows AD server.
>
> Running keycloak in debug mode, I can see that:
>
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
>
> So, finally for the samba-related question: does anyone know if "password required to change" behaviour has perhaps changed between functional levels? Could this be the reason of the different behaviour between MSAD and samba-4.4.4?
>
> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
> >
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
>
> Is it a risky operation to increase that level? From the docs I understand that samba-4.4.4 should be able to go all the way up to 2012_R2. (we have no trusts, just three samba DCs and windows clients)
>
> Suggestions, ideas what to look at to make password-change dialogues functional, just as in a MSAD?
>
> MJ

Try adding this to your DC smb.conf files:

ldap server require strong auth = no

Rowland
Andrew Bartlett
2017-Jan-27 09:47 UTC
[Samba] pwdLastSet, password required to change (samba vs MSAD)
On Fri, 2017-01-27 at 10:30 +0100, mj via samba wrote:
> Hi,
>
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps client application)

And a very interesting one at that. I'm glad to see someone has taken on some of the ADFS capability I hear folks ask for regularly.

> Keycloak is able to ask users to change their passwords, when the checkbox "require password change upon next logon" is set in ADUC.
>
> However, in our environment (samba-4.4.4) keycloak simply refuses the logons when that checkbox is set. ("bad username or password")
> RedHat (who's behind keycloak) has tested and verified that with their AD environment, the user IS presented with a password change dialogue.
>
> So, it seems that samba behaves differently than a true windows AD server.

That isn't a total surprise, sadly. We are very close, but things like this do still come up from time to time.

> Running keycloak in debug mode, I can see that:
>
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
>
> So, finally for the samba-related question: does anyone know if "password required to change" behaviour has perhaps changed between functional levels? Could this be the reason of the different behaviour between MSAD and samba-4.4.4?

No. Just a bug, present in all levels.

We just don't allow a log in at all for a user with an expired password.

> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
> >
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
>
> Is it a risky operation to increase that level? From the docs I understand that samba-4.4.4 should be able to go all the way up to 2012_R2. (we have no trusts, just three samba DCs and windows clients)

No, 2008_R2 is the maximum that has any support.

> Suggestions, ideas what to look at to make password-change dialogues functional, just as in a MSAD?

At this point it needs code changes and regression tests to match.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2017-Jan-27 10:00 UTC
[Samba] pwdLastSet, password required to change (samba vs MSAD)
On Fri, 2017-01-27 at 09:46 +0000, Rowland Penny via samba wrote:
> On Fri, 27 Jan 2017 10:30:22 +0100
> mj via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We are using keycloak with our samba-4.4.4 AD environment. (an ldaps client application)
> >
> > Keycloak is able to ask users to change their passwords, when the checkbox "require password change upon next logon" is set in ADUC.
> >
> > However, in our environment (samba-4.4.4) keycloak simply refuses the logons when that checkbox is set. ("bad username or password")
> > RedHat (who's behind keycloak) has tested and verified that with their AD environment, the user IS presented with a password change dialogue.
> >
> > So, it seems that samba behaves differently than a true windows AD server.
> >
> > Running keycloak in debug mode, I can see that:
> >
> > > 2017-01-27 09:49:22,664 DEBUG
> > > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > > (default task-10) Authentication failed for DN
> > > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
> >
> > So, finally for the samba-related question: does anyone know if "password required to change" behaviour has perhaps changed between functional levels? Could this be the reason of the different behaviour between MSAD and samba-4.4.4?
> >
> > > root at dc4:~/samba4# samba-tool domain level show
> > > ldb_wrap open of secrets.ldb
> > > Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
> > >
> > > Forest function level: (Windows) 2003
> > > Domain function level: (Windows) 2003
> > > Lowest function level of a DC: (Windows) 2008 R2
> > > root at dc4:~/samba4#
> >
> > Is it a risky operation to increase that level? From the docs I understand that samba-4.4.4 should be able to go all the way up to 2012_R2. (we have no trusts, just three samba DCs and windows clients)
> >
> > Suggestions, ideas what to look at to make password-change dialogues functional, just as in a MSAD?
> >
> > MJ
>
> Try adding this to your DC smb.conf files:
>
> ldap server require strong auth = no

Thanks Rowland for the suggestion. In this case the client is already using ldaps, so simple binds are permitted. The issue is related to the layers that check the password, which do not have an exception for expired passwords, and treat all errors as 'failure'.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Andrew and Rowland,

Two replies, so quickly! I'm impressed :-)

On 01/27/2017 10:47 AM, Andrew Bartlett via samba wrote:
> And a very interesting one at that. I'm glad to see someone has taken
> on some of the ADFS capability I hear folks ask for regularly.

Yes I agree, keycloak is very cool.

I have found the following samba bug report:
https://bugzilla.samba.org/show_bug.cgi?id=9048

Judging from the bug report above, I should ask keycloak devs to follow the error code number (49) only, and act based on that. As the error code itself is identical, it should make things compatible with both samba4 and MSAD.

You agree with that analysis? Then I'll ask for it on the keycloak mailing list.

MJ
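The thread turns on how an LDAP client tells "password must change" apart from a plain bad password when both come back as LDAP resultCode 49. The following is an added example, not code from Keycloak or Samba, showing one way a client could classify a simple-bind failure from either server. The Samba diagnostic string is the one quoted in the thread; the Windows AD form (an `AcceptSecurityContext error, data NNN` comment, where sub-code `773` is ERROR_PASSWORD_MUST_CHANGE) is not shown on this page and the DSID/version values in it are constructed. The NT_STATUS names other than NT_STATUS_PASSWORD_MUST_CHANGE are assumed for illustration.

```python
import re

# The Keycloak debug line quoted earlier in this thread (Samba DC, "must change" set).
KEYCLOAK_LOG_LINE = (
    "javax.naming.AuthenticationException: [LDAP: error code 49 - Simple "
    "Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]"
)

# Constructed sample of what a Windows AD DC returns for the same condition.
# The thread shows no MSAD capture; DSID and "v2580" here are illustrative values.
MSAD_MUST_CHANGE_MSG = (
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, "
    "data 773, v2580"
)

# Windows "data" sub-codes (hex) that an AD DC appends to a resultCode 49 bind failure.
MSAD_DATA_CODES = {
    "525": "user_not_found",
    "52e": "invalid_credentials",
    "530": "logon_time_restriction",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "password_must_change",
    "775": "account_locked",
}

# NT_STATUS names a Samba DC places in the bind diagnostic message.
# Only NT_STATUS_PASSWORD_MUST_CHANGE is taken from the thread; the rest are assumed.
SAMBA_STATUS_CODES = {
    "NT_STATUS_PASSWORD_MUST_CHANGE": "password_must_change",
    "NT_STATUS_PASSWORD_EXPIRED": "password_expired",
    "NT_STATUS_ACCOUNT_DISABLED": "account_disabled",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "account_locked",
    "NT_STATUS_LOGON_FAILURE": "invalid_credentials",
    "NT_STATUS_WRONG_PASSWORD": "invalid_credentials",
    "NT_STATUS_NO_SUCH_USER": "user_not_found",
}


def parse_jndi_message(text):
    """Pull (result_code, diagnostic) out of a JNDI-style '[LDAP: error code NN - msg]'."""
    m = re.search(r"\[LDAP: error code (\d+) - (.*?)\]", text)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def classify_bind_failure(result_code, diagnostic):
    """Map a bind failure to a vendor-neutral reason.

    Anything under resultCode 49 that carries no recognised sub-code or
    NT_STATUS name is reported as invalid_credentials (fail closed).
    """
    if result_code != 49:
        return "other_error"
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", diagnostic)      # MSAD form
    if m:
        return MSAD_DATA_CODES.get(m.group(1).lower(), "invalid_credentials")
    m = re.search(r"\b(NT_STATUS_[A-Z_]+)\b", diagnostic)      # Samba form
    if m:
        return SAMBA_STATUS_CODES.get(m.group(1), "invalid_credentials")
    return "invalid_credentials"


def needs_password_change(result_code, diagnostic):
    """True only for the outcomes that justify offering a password-change dialogue."""
    reason = classify_bind_failure(result_code, diagnostic)
    return reason in {"password_must_change", "password_expired"}


if __name__ == "__main__":
    code, diag = parse_jndi_message(KEYCLOAK_LOG_LINE)
    print("samba :", classify_bind_failure(code, diag))          # password_must_change
    print("msad  :", classify_bind_failure(49, MSAD_MUST_CHANGE_MSG))  # password_must_change
```

The design point is that the bare result code 49 is the same for a wrong password and for a must-change account on both servers, so it is the sub-code (MSAD) or the NT_STATUS name (Samba) that carries the distinction; a client that keys on the result code alone cannot tell the two apart, which is why the classifier defaults unrecognised 49s to invalid_credentials rather than to a password-change prompt.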