samba - Jan 2017 - pwdLastSet, password required to change (samba vs MSAD)

Hi,

We are using keycloak with our samba-4.4.4 AD environment. (an ldaps 
client application)

Keycloak is able to ask users to change their passwords, when the 
checkbox "require password change upon next logon" is set in ADUC.

However, in our environment (samba-4.4.4) keycloak simply refuses the 
logons when tht checkbox is set. ("bad username or password")
RedHat (who's behind keycloak) has tested and verified that with their 
AD environment, the user IS presented with a password change dialogue.

So, it seems that samba behaves different than a true windows AD server.

Running keycloak in debugmode, I can see that:
> 2017-01-27 09:49:22,664 DEBUG
> [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-10) Authentication failed for DN
> [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
So, finally for the samba-related question: does anyone know if 
"password required to change" behaviour has perhaps changed between 
functional levels? Could this be the reason of the different behaviour 
between MSAD and samba-4.4.4?
> root at dc4:~/samba4# samba-tool domain level show
> ldb_wrap open of secrets.ldb
> Domain and forest function level for domain
'DC=samba,DC=company,DC=com'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> root at dc4:~/samba4#
Is it a risky operation to increase that level? From the docs I 
understand that samba-4.4.4 should be able to go all the way up to 
2012_R2. (we have no trusts, just three samba DCs and windows clients)

Suggestions, ideas what to look at to make password-change dialogues 
functional, just as in a MSAD?

MJ

On Fri, 27 Jan 2017 10:30:22 +0100
mj via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps 
> client application)
> 
> Keycloak is able to ask users to change their passwords, when the 
> checkbox "require password change upon next logon" is set in
ADUC.
> 
> However, in our environment (samba-4.4.4) keycloak simply refuses the 
> logons when tht checkbox is set. ("bad username or password")
> RedHat (who's behind keycloak) has tested and verified that with
> their AD environment, the user IS presented with a password change
> dialogue.
> 
> So, it seems that samba behaves different than a true windows AD
> server.
> 
> Running keycloak in debugmode, I can see that:
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
> 
> So, finally for the samba-related question: does anyone know if 
> "password required to change" behaviour has perhaps changed
between
> functional levels? Could this be the reason of the different
> behaviour between MSAD and samba-4.4.4?
> 
> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain
> > 'DC=samba,DC=company,DC=com'
> >
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
> 
> Is it a risky operation to increase that level? From the docs I 
> understand that samba-4.4.4 should be able to go all the way up to 
> 2012_R2. (we have no trusts, just three samba DCs and windows clients)
> 
> Suggestions, ideas what to look at to make password-change dialogues 
> functional, just as in a MSAD?
> 
> MJ
> 
Try adding this to your DC smb.conf files:

ldap server require strong auth = no

Rowland

On Fri, 2017-01-27 at 10:30 +0100, mj via samba wrote:
> Hi,
> 
> We are using keycloak with our samba-4.4.4 AD environment. (an ldaps 
> client application)
And a very interesting one at that.  I'm glad to see someone has taken
on some of the ADFS capability I hear folks ask for regularly.
> Keycloak is able to ask users to change their passwords, when the 
> checkbox "require password change upon next logon" is set in
ADUC.
> 
> However, in our environment (samba-4.4.4) keycloak simply refuses
> the 
> logons when tht checkbox is set. ("bad username or password")
> RedHat (who's behind keycloak) has tested and verified that with
> their 
> AD environment, the user IS presented with a password change
> dialogue.
> 
> So, it seems that samba behaves different than a true windows AD
> server.
That isn't a total surprise, sadly.  We are very close, but things like
this do still come up from time to time.
> Running keycloak in debugmode, I can see that:
> > 2017-01-27 09:49:22,664 DEBUG
> > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > (default task-10) Authentication failed for DN
> > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple
> > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
> 
> So, finally for the samba-related question: does anyone know if 
> "password required to change" behaviour has perhaps changed
between 
> functional levels? Could this be the reason of the different
> behaviour 
> between MSAD and samba-4.4.4?
No.  Just a bug, present in all levels.  We just don't allow a log in
at all for a user with an expired password. 
> > root at dc4:~/samba4# samba-tool domain level show
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain
> > 'DC=samba,DC=company,DC=com'
> > 
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> > root at dc4:~/samba4#
> 
> Is it a risky operation to increase that level? From the docs I 
> understand that samba-4.4.4 should be able to go all the way up to 
> 2012_R2. (we have no trusts, just three samba DCs and windows
> clients)
No, 2008_R2 is the maximum that has any support. 
> Suggestions, ideas what to look at to make password-change dialogues 
> functional, just as in a MSAD?
At this point it needs code changes and regression tests to match.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Fri, 2017-01-27 at 09:46 +0000, Rowland Penny via samba
wrote:
> On Fri, 27 Jan 2017 10:30:22 +0100
> mj via samba <samba at lists.samba.org> wrote:
> 
> > Hi,
> > 
> > We are using keycloak with our samba-4.4.4 AD environment. (an
> > ldaps 
> > client application)
> > 
> > Keycloak is able to ask users to change their passwords, when the 
> > checkbox "require password change upon next logon" is set in
ADUC.
> > 
> > However, in our environment (samba-4.4.4) keycloak simply refuses
> > the 
> > logons when tht checkbox is set. ("bad username or
password")
> > RedHat (who's behind keycloak) has tested and verified that with
> > their AD environment, the user IS presented with a password change
> > dialogue.
> > 
> > So, it seems that samba behaves different than a true windows AD
> > server.
> > 
> > Running keycloak in debugmode, I can see that:
> > > 2017-01-27 09:49:22,664 DEBUG
> > > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]
> > > (default task-10) Authentication failed for DN
> > > [CN=username,CN=Users,DC=samba,DC=company,DC=com]:
> > > javax.naming.AuthenticationException: [LDAP: error code 49 -
> > > Simple
> > > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE]
> > 
> > So, finally for the samba-related question: does anyone know if 
> > "password required to change" behaviour has perhaps changed
> > between 
> > functional levels? Could this be the reason of the different
> > behaviour between MSAD and samba-4.4.4?
> > 
> > > root at dc4:~/samba4# samba-tool domain level show
> > > ldb_wrap open of secrets.ldb
> > > Domain and forest function level for domain
> > > 'DC=samba,DC=company,DC=com'
> > > 
> > > Forest function level: (Windows) 2003
> > > Domain function level: (Windows) 2003
> > > Lowest function level of a DC: (Windows) 2008 R2
> > > root at dc4:~/samba4#
> > 
> > Is it a risky operation to increase that level? From the docs I 
> > understand that samba-4.4.4 should be able to go all the way up to 
> > 2012_R2. (we have no trusts, just three samba DCs and windows
> > clients)
> > 
> > Suggestions, ideas what to look at to make password-change
> > dialogues 
> > functional, just as in a MSAD?
> > 
> > MJ
> > 
> 
> Try adding this to your DC smb.conf files:
> 
> ldap server require strong auth = no
Thanks Rowland for the suggestion.  In this case the client is already
using ldaps, so simple binds are permitted.  The issue is related to
the layers that check the password, which do not have an exception for
expired passwords, and treat all errors as 'failure'.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi Andrew and Rowland,

Two replies, so quickly! I'm impressed :-)

On 01/27/2017 10:47 AM, Andrew Bartlett via samba wrote:
 > And a very interesting one at that.  I'm glad to see someone has taken
 > on some of the ADFS capability I hear folks ask for regularly.

Yes I agree, keycloak is very cool.

I have found the following samba bug report:
https://bugzilla.samba.org/show_bug.cgi?id=9048

Judging from the bugreport above, I should ask keycloak devs to follow 
the errorcode number (49) only, and act based on that.

As the errorcode itself is identical, it should make things compatible 
with both samba4 and MSAD.

You agree with that analysis? Then I'll ask for it on the keycloak 
mailinglist.

MJ