Rowland Penny
2023-Sep-25 14:39 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On Mon, 25 Sep 2023 15:45:23 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote:

> Now it becomes really interesting:
> I just tested what happens when I set "the user must change the password on the next login". Then, on my Samba domain controller, I used
>
> kinit <the user name>
>
> and entered the current password. Surprisingly, I got the message from Kerberos
>
> "Password for the user is expired. You must change it now."
>
> And I can change the password! Afterwards, when I go back to "Active Directory Users and Computers", the tick mark at "user must change password at next login" is gone. So at least Kerberos behaves totally correctly and the password is also changed correctly.
>
> Tobias

This is getting very confusing, for a start I received a post via the samba mailing list that is supposed to come from Kees van Vloten, but it is signed by Tobias ????????

There are three attributes in play here:

unicodePwd: This is where a user's password is stored
pwdLastSet: This is set to '0' to force the user to change their password
userAccountControl: This does many things, but one is that it can set PASSWORD_EXPIRED if 8388608 is contained in the value set on this attribute.

I am not sure what is going wrong here, but the only thing that I can see that might be relevant to the 4.18.x series is a CVE that was added at 4.18.1, see here for more details:

https://www.samba.org/samba/security/CVE-2023-0922.html

It might be relevant, but then it might not.

Is there anything in the event logs on the client or in the DCs logs (you may need to turn up the loglevel)?

Rowland
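Added example (not code from this thread or from the Samba project): a small Python diagnostic that reads ldbsearch-style LDIF output for the three attributes Rowland lists and reports which of them would make a DC demand a password change. The LDIF record, the account name and the ldbsearch invocation in the docstring are constructed/assumed; the flag values are the standard UF_* bit definitions (PASSWORD_EXPIRED = 0x800000 = 8388608, the value quoted above).

```python
"""Decode unicodePwd, pwdLastSet and userAccountControl from an
ldbsearch-style LDIF record of a Samba AD DC user.

Added diagnostic example; the record below is constructed. To feed it a
real record (path and account name are assumptions), run something like:
  ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=alice)' \
      pwdLastSet userAccountControl unicodePwd
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits relevant to password-expiry handling
# (standard Windows/Samba UF_* definitions).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000  # 8388608, the value cited in the thread

UAC_FLAGS = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Parse one LDIF record into attribute -> list of values.
    Handles folded continuation lines (leading space) and skips '#' comments
    such as the '# record 1' line ldbsearch prints."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def filetime_to_datetime(value):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def decode_uac(value):
    """Names of the known flags set in userAccountControl, ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def password_state(attrs):
    """Summarise why a DC would demand a password change for this account."""
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    pwd_last_set = int(attrs.get("pwdLastSet", ["0"])[0])
    return {
        "flags": decode_uac(uac),
        # pwdLastSet == 0 is the "must change password at next logon" tick
        "must_change_at_next_logon": pwd_last_set == 0,
        "password_expired_flag": bool(uac & UF_PASSWORD_EXPIRED),
        "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
        "pwdLastSet": None if pwd_last_set == 0 else filetime_to_datetime(pwd_last_set),
        # unicodePwd is not returned over LDAP; its absence is expected
        "unicodePwd_readable": "unicodePwd" in attrs,
    }


# Constructed sample: a user ticked "must change password at next logon"
# (pwdLastSet = 0) with PASSWORD_EXPIRED also set (512 + 8388608).
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
pwdLastSet: 0
userAccountControl: 8389120
"""

if __name__ == "__main__":
    for key, val in password_state(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{key}: {val}")
```

Running it against a real record tells you, in one look, whether the "change password" demand comes from pwdLastSet being 0, from the PASSWORD_EXPIRED bit, or from neither (in which case the expiry is computed from pwdLastSet against the domain's maxPwdAge, which this snippet does not evaluate).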
Kees van Vloten
2023-Sep-25 14:44 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On 25-09-2023 at 16:39, Rowland Penny via samba wrote:

> On Mon, 25 Sep 2023 15:45:23 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Now it becomes really interesting:
>> I just tested what happens when I set "the user must change the password on the next login". Then, on my Samba domain controller, I used
>>
>> kinit <the user name>
>>
>> and entered the current password. Surprisingly, I got the message from Kerberos
>>
>> "Password for the user is expired. You must change it now."
>>
>> And I can change the password! Afterwards, when I go back to "Active Directory Users and Computers", the tick mark at "user must change password at next login" is gone. So at least Kerberos behaves totally correctly and the password is also changed correctly.
>>
>> Tobias
>
> This is getting very confusing, for a start I received a post via the samba mailing list that is supposed to come from Kees van Vloten, but it is signed by Tobias ????????

I can clarify that: I had a message from Tobias in my own mailbox which I forwarded to the list because I thought Tobias forgot to do a reply-all or reply-list.

- Kees

> There are three attributes in play here:
>
> unicodePwd: This is where a user's password is stored
> pwdLastSet: This is set to '0' to force the user to change their password
> userAccountControl: This does many things, but one is that it can set PASSWORD_EXPIRED if 8388608 is contained in the value set on this attribute.
>
> I am not sure what is going wrong here, but the only thing that I can see that might be relevant to the 4.18.x series is a CVE that was added at 4.18.1, see here for more details:
>
> https://www.samba.org/samba/security/CVE-2023-0922.html
>
> It might be relevant, but then it might not.
>
> Is there anything in the event logs on the client or in the DCs logs (you may need to turn up the loglevel)?
>
> Rowland
Pluess, Tobias
2023-Sep-25 14:47 UTC
[Samba] Samba AD DC: users cannot change expired passwords
Hi Rowland,

yes I also got this message that was from Kees but signed by me. I did not send it. But I did send the very first message, though.

I just checked the logs on the DC. There is nothing relevant in there. I cannot see any errors whatsoever.

The strange thing is: When the password is expired, the user can, on the Windows 10 login page, literally enter ANY password, and gets the message "your password is expired" and when the user tries to change his password, no matter if the correct or a random password is entered as the old password, the message "password expired" appears again and the login is stuck in this forever loop unless "cancel" is clicked, which, of course, cancels the login.

So I checked every log file under /var/log/samba on my DCs (I have two of them, dc0 and dc1, which are rsync'ed).

Let me know which config I shall change to increase the loglevel and I will do that and post the logs here.

Thanks!
best
Tobias

On Mon, Sep 25, 2023 at 4:40 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 25 Sep 2023 15:45:23 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> > Now it becomes really interesting:
> > I just tested what happens when I set "the user must change the password on the next login". Then, on my Samba domain controller, I used
> >
> > kinit <the user name>
> >
> > and entered the current password. Surprisingly, I got the message from Kerberos
> >
> > "Password for the user is expired. You must change it now."
> >
> > And I can change the password! Afterwards, when I go back to "Active Directory Users and Computers", the tick mark at "user must change password at next login" is gone. So at least Kerberos behaves totally correctly and the password is also changed correctly.
> >
> > Tobias
>
> This is getting very confusing, for a start I received a post via the samba mailing list that is supposed to come from Kees van Vloten, but it is signed by Tobias ????????
>
> There are three attributes in play here:
>
> unicodePwd: This is where a user's password is stored
> pwdLastSet: This is set to '0' to force the user to change their password
> userAccountControl: This does many things, but one is that it can set PASSWORD_EXPIRED if 8388608 is contained in the value set on this attribute.
>
> I am not sure what is going wrong here, but the only thing that I can see that might be relevant to the 4.18.x series is a CVE that was added at 4.18.1, see here for more details:
>
> https://www.samba.org/samba/security/CVE-2023-0922.html
>
> It might be relevant, but then it might not.
>
> Is there anything in the event logs on the client or in the DCs logs (you may need to turn up the loglevel)?
>
> Rowland