Kees van Vloten
2023-Sep-25 13:45 UTC
[Samba] Samba AD DC: users cannot change expired passwords
Now it becomes really interesting:
I just tested what happens when I set "the user must change the password
on the next login". Then, on my Samba domain controller, I used
kinit <the user name>
and entered the current password. Surprisingly, I got the message from
Kerberos
"Password for the user is expired. You must change it now."
And I can change the password! Afterwards, when I go back to "Active
Directory Users and Computers", the tick mark at "user must change
password at next login" is gone. So at least Kerberos behaves totally
correctly and the password is also changed correctly.
Tobias
On Mon, Sep 25, 2023 at 1:20 PM Kees van Vloten via samba
<samba at lists.samba.org> wrote:
> On 25-09-2023 at 11:54, Pluess, Tobias via samba wrote:
> > Hi all,
> > I am running a Samba AD DC (version 4.18.6). It basically works
> > very well.
> > However when testing, I found the following issue:
> >
> > I create a new user account in AD, provide an initial password and set
> > "user must change the password at the next login".
> > I have only a Windows 10 machine to test, so I am going to the
> > Windows 10 machine and try to login with the newly created user
> > account and initial password. Windows then correctly displays "the
> > password is expired" and provides a dialog to enter the new password.
> > However when the new password is entered and confirmed with "OK", I
> > get again the message "the password is expired". No matter what, I
> > cannot get around this message and the newly created user is never
> > able to log in.
> > Further, what is even more strange is that I can even get the message
> > about the expired password when I enter something completely different
> > from the initial password. I can essentially enter anything, even a
> > blank password, and get the message "the password is expired" and I am
> > never able to change it.
> >
> > Only when I log in as the domain admin, I can reset the user's
> > password.
> >
> > I already changed password history and min-password-age and so on
> > to 0, but it still does not yet work. However, luckily, users are able
> > to change their own password using ctrl+alt+delete. However, why does
> > it not work during login?
> >
> > I have already seen other people had similar issues on Windows 10, but
> > I didn't find out if anybody ever found a solution to this problem.
> >
> > I am happy for any hints.
> >
> > Thanks,
> > best
> > Tobias
>
> I have experienced exactly the same issue (also on 4.18.6). Even with
> kinit on Linux you cannot change an expired password.
>
> - Kees.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Sep-25 14:39 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On Mon, 25 Sep 2023 15:45:23 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> Now it becomes really interesting:
> I just tested what happens when I set "the user must change the
> password on the next login". Then, on my Samba domain controller, I
> used
>
> kinit <the user name>
>
> and entered the current password. Surprisingly, I got the message
> from Kerberos
>
> "Password for the user is expired. You must change it now."
>
> And I can change the password! Afterwards, when I go back to "Active
> Directory Users and Computers", the tick mark at "user must change
> password at next login" is gone. So at least Kerberos behaves totally
> correctly and the password is also changed correctly.
>
> Tobias
>

This is getting very confusing, for a start I received a post via the
samba mailing list that is supposed to come from Kees van Vloten, but it
is signed by Tobias ?

There are three attributes in play here:

unicodePwd: This is where a user's password is stored
pwdLastSet: This is set to '0' to force the user to change their password
userAccountControl: This does many things, but one is that it can set
PASSWORD_EXPIRED if 8388608 is contained in the value set on this
attribute.

I am not sure what is going wrong here, but the only thing that I can
see that might be relevant to the 4.18.x series is a CVE that was added
at 4.18.1, see here for more details:

https://www.samba.org/samba/security/CVE-2023-0922.html

It might be relevant, but then it might not.

Is there anything in the event logs on the client or in the DCs logs
(you may need to turn up the loglevel) ?

Rowland
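Worked example added here to illustrate the attributes named in Rowland's reply above; it is not code from the thread or from the Samba project. It reads the pwdLastSet and userAccountControl values of two user records and reports whether a password change is required: pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) and the value 0 is what "user must change password at next logon" writes, while 8388608 is 0x800000, the PASSWORD_EXPIRED bit. The LDIF below is constructed by hand to resemble ldbsearch output; the DNs, user names, timestamps and the 42-day maximum password age are assumptions, and unicodePwd is omitted because it is not returned on a plain read.

```python
"""Interpret pwdLastSet and userAccountControl for Samba AD users.

Added example, not from the mailing-list thread or from Samba. The LDIF
below is constructed by hand in the shape of
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
            sAMAccountName pwdLastSet userAccountControl
output; DNs, names and timestamps are made up.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (MS-ADTS 2.2.16).
UF_ACCOUNTDISABLE     = 0x000002
UF_NORMAL_ACCOUNT     = 0x000200
UF_DONT_EXPIRE_PASSWD = 0x010000
UF_PASSWORD_EXPIRED   = 0x800000   # decimal 8388608, as named in the thread

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means
# "must change password at next logon".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed "current time" for the walkthrough (date of the thread).
NOW = datetime(2023, 9, 25, 13, 45, tzinfo=timezone.utc)

# Constructed sample data, not real directory content.
SAMPLE_LDIF = """\
# record 1
dn: CN=tobias,CN=Users,DC=example,DC=com
sAMAccountName: tobias
pwdLastSet: 0
userAccountControl: 512

# record 2
dn: CN=kees,CN=Users,DC=example,DC=com
sAMAccountName: kees
pwdLastSet: 133380000000000000
userAccountControl: 66048
"""


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ldif(text: str) -> list[dict]:
    """Minimal LDIF reader: one dict per blank-line-separated record,
    attribute -> list of values. Ignores comments; no base64/folding."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def password_state(record: dict, now: datetime = NOW,
                   max_age_days: int = 42) -> dict:
    """Explain a user's password state from the two attributes.
    max_age_days stands in for the domain's maxPwdAge (assumed 42 days)."""
    uac = int(record["userAccountControl"][0])
    pls = int(record["pwdLastSet"][0])
    state = {
        "user": record["sAMAccountName"][0],
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
        "expired_flag": bool(uac & UF_PASSWORD_EXPIRED),
        "must_change": pls == 0,        # the ADUC tick box writes 0
        "last_set": None,
        "aged_out": False,
    }
    if pls > 0:
        state["last_set"] = filetime_to_datetime(pls)
        state["aged_out"] = (not state["never_expires"] and
                             now - state["last_set"] > timedelta(days=max_age_days))
    state["change_required"] = (state["must_change"] or
                                state["expired_flag"] or state["aged_out"])
    return state


def force_change_ldif(dn: str) -> str:
    """LDIF for ldbmodify that does what the ADUC tick box does."""
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdLastSet\npwdLastSet: 0\n"


def evaluate_sample(now: datetime = NOW) -> list[dict]:
    """Run the walkthrough over the constructed records."""
    return [password_state(r, now) for r in parse_ldif(SAMPLE_LDIF)]


if __name__ == "__main__":
    for s in evaluate_sample():
        print(f"{s['user']}: change required={s['change_required']} "
              f"must_change={s['must_change']} last_set={s['last_set']}")
```

Run against a real sam.ldb by feeding ldbsearch output to parse_ldif; the 8388608 bit is also what samba-tool and a Windows client consult when they decide to show the "password is expired" dialog, so comparing that bit and pwdLastSet before and after a failed change is a quick way to see which of the two the DC actually updated.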