Pluess, Tobias
2023-Sep-25 14:47 UTC
[Samba] Samba AD DC: users cannot change expired passwords
Hi Rowland,

yes I also got this message that was from Kees but signed by me. I did not send it. But I did send the very first message, though.

I just checked the logs on the DC. There is nothing relevant in there. I cannot see any errors whatsoever.
The strange thing is:

When the password is expired, the user can, on the Windows 10 login page, literally enter ANY password, and gets the message "your password is expired" and when the user tries to change his password, no matter if the correct or a random password is entered as the old password, the message "password expired" appears again and the login is stuck in this forever loop unless "cancel" is clicked, which, of course, cancels the login.

So I checked every log file under /var/log/samba on my DCs (I have two of them, dc0 and dc1, which are rsync'ed).
Let me know which config I shall change to increase the loglevel and I will do that and post the logs here.

Thanks!
best
Tobias

On Mon, Sep 25, 2023 at 4:40 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 25 Sep 2023 15:45:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> > Now it becomes really interesting:
> > I just tested what happens when I set "the user must change the
> > password on the next login". Then, on my Samba domain controller, I
> > used
> >
> > kinit <the user name>
> >
> > and entered the current password. Surprisingly, I got the message
> > from Kerberos
> >
> > "Password for the user is expired. You must change it now."
> >
> > And I can change the password! Afterwards, when I go back to "Active
> > Directory Users and Computers", the tick mark at "user must change
> > password at next login" is gone. So at least Kerberos behaves totally
> > correctly and the password is also changed correctly.
> >
> > Tobias
> >
>
> This is getting very confusing, for a start I received a post via the
> samba mailing list that is supposed to come from Kees van Vloten, but
> it is signed by Tobias ????????
>
> There are three attributes in play here:
>
> unicodePwd: This is where a user's password is stored
> pwdLastSet: This is set to '0' to force the user to change their
> password
> userAccountControl: This does many things, but one is that it can set
> PASSWORD_EXPIRED if 8388608 is contained in the value set on this
> attribute.
>
> I am not sure what is going wrong here, but the only thing that I can
> see that might be relevant to the 4.18.x series is a CVE that was added
> at 4.18.1, see here for more details:
>
> https://www.samba.org/samba/security/CVE-2023-0922.html
>
> It might be relevant, but then it might not.
>
> Is there anything in the event logs on the client or in the DCs logs
> (you may need to turn up the loglevel) ?
>
> Rowland
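Editor's added example (not code from Samba or from any poster in this thread): the three attributes Rowland lists are the ones to read off the DC when a user is stuck in the "password expired" loop, and the numbers are easy to misread by hand. The script below decodes userAccountControl into its UF_* bit names, converts pwdLastSet (a FILETIME) and the domain's maxPwdAge (a negative 100 ns count) into dates, and classifies the account as must-change, flag-expired, never-expires, expired or valid. unicodePwd is write-only and is not inspected. Assumptions, all mine: the values are pasted from `ldbsearch`-style "name: value" output (the sample entries are constructed, not real directory data), the domain's maxPwdAge is 42 days, and the check order (pwdLastSet == 0 first, then the PASSWORD_EXPIRED bit, then "never expires", then age) is this script's own diagnostic ordering, not a statement of how the KDC evaluates them.

```python
"""Decode pwdLastSet / userAccountControl / maxPwdAge and explain why a
Samba AD DC would report a password as expired.

Added example for this thread, not Samba's own code.  Assumptions: input is
ldbsearch-style "name: value" text (samples below are constructed), domain
maxPwdAge is 42 days, and the check precedence in password_state() is this
script's own ordering for diagnosis.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (MS-SAMR UF_* values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000      # 65536
UF_PASSWORD_EXPIRED = 0x800000       # 8388608, the value Rowland quotes

# AD stores pwdLastSet as a FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build aware UTC timestamps concisely."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (100 ns units) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; handy for building test input."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def max_pwd_age_to_timedelta(max_pwd_age: int) -> timedelta:
    """maxPwdAge is stored *negative* in 100 ns units; 0 means no expiry."""
    return timedelta(microseconds=-max_pwd_age // 10)


def parse_ldb_entry(text: str) -> dict:
    """Parse 'name: value' lines as printed by ldbsearch into a dict."""
    entry = {}
    for line in text.splitlines():
        if ": " in line and not line.startswith("#"):
            name, value = line.split(": ", 1)
            entry[name] = value.strip()
    return entry


def decode_uac(uac: int) -> list:
    """Return the names of the UF_* bits we care about that are set in uac."""
    names = []
    for name, bit in (("ACCOUNTDISABLE", UF_ACCOUNTDISABLE),
                      ("NORMAL_ACCOUNT", UF_NORMAL_ACCOUNT),
                      ("DONT_EXPIRE_PASSWD", UF_DONT_EXPIRE_PASSWD),
                      ("PASSWORD_EXPIRED", UF_PASSWORD_EXPIRED)):
        if uac & bit:
            names.append(name)
    return names


def password_state(uac: int, pwd_last_set: int, max_pwd_age: int,
                   now: datetime) -> str:
    """Classify the account's password state (precedence is this script's own)."""
    if pwd_last_set == 0:
        return "must_change"          # pwdLastSet forced to 0
    if uac & UF_PASSWORD_EXPIRED:
        return "flag_expired"         # 8388608 set in userAccountControl
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return "never_expires"
    expires_at = filetime_to_datetime(pwd_last_set) + max_pwd_age_to_timedelta(max_pwd_age)
    return "expired" if now >= expires_at else "valid"


def diagnose(user_entry: str, domain_entry: str, now: datetime) -> str:
    """Run password_state over pasted ldbsearch output for a user and the domain root."""
    user = parse_ldb_entry(user_entry)
    domain = parse_ldb_entry(domain_entry)
    return password_state(int(user["userAccountControl"]),
                          int(user["pwdLastSet"]),
                          int(domain["maxPwdAge"]),
                          now)


# Constructed sample input (not real directory data).
SAMPLE_DOMAIN = """dn: DC=example,DC=com
maxPwdAge: -36288000000000
"""   # 42 days = 42 * 86400 s * 10^7, negated

SAMPLE_USER_MUST_CHANGE = """dn: CN=Test User,CN=Users,DC=example,DC=com
userAccountControl: 512
pwdLastSet: 0
"""

if __name__ == "__main__":
    print(decode_uac(512 | UF_PASSWORD_EXPIRED))
    print(diagnose(SAMPLE_USER_MUST_CHANGE, SAMPLE_DOMAIN, utc(2023, 9, 25)))
```

To use it against a real DC, paste the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=<user>)' userAccountControl pwdLastSet` and of the same query for the domain root with `maxPwdAge`; a user that shows "must_change" or "flag_expired" after a successful change is the case the thread is chasing, since those attributes should have been reset.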
Rowland Penny
2023-Sep-25 15:16 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On Mon, 25 Sep 2023 16:47:57 +0200
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> yes I also got this message that was from Kees but signed by me. I
> did not send it. But I did send the very first message, though.

It confused me no end, can I suggest that if anyone replies to a samba mailing list post, they just reply to the list, do not 'CC' anyone else and do not reply to anyone else. That way, anyone who is subscribed to the list will get the reply.

> I just checked the logs on the DC. There is nothing relevant in
> there. I cannot see any errors whatsoever.
> The strange thing is:
>
> When the password is expired, the user can, on the Windows 10 login
> page, literally enter ANY password, and gets the message "your
> password is expired" and when the user tries to change his password,
> no matter if the correct or a random password is entered as the old
> password, the message "password expired" appears again and the login
> is stuck in this forever loop unless "cancel" is clicked, which, of
> course, cancels the login.

I think that the password may or may not be changing, but either way, the other relevant attributes do not seem to be being reset. Note, this is all guess work.

> So I checked every log file under /var/log/samba on my DCs (I have
> two of them, dc0 and dc1, which are rsync'ed).
> Let me know which config I shall change to increase the loglevel and
> I will do that and post the logs here.

Raising the loglevel on any Samba machine is fairly easy: you just add the very aptly named parameter 'log level' to the global part of the smb.conf; this should also point to a number, the higher the number, the bigger the log. For instance, adding 'log level = 3' will make Samba log at level 3. You could try raising this number until something possibly 'pops' out. The maximum level I would go to would be 10, but beware, the logs at that level will be very large.

You will also need to restart your DC after adding the parameter or changing the log level.

Rowland