Rowland Penny
2023-Oct-27 09:49 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On Fri, 27 Oct 2023 10:44:51 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Andrew,
>
> On 27-10-2023 at 02:22, Andrew Bartlett wrote:
> > I'm sorry to say that from here you really need to work closely
> > with a Samba developer (eg via a commercial support provider) or do
> > a deep dive into debugging yourself.
> >
> > Ideally if you have time, do a git bisect between the last known
> > working version and the first failing one. That may find the
> > problematic commit, which will make a fix and adding a regression
> > test much faster.
> If the statement (below) is that it should not work, then I don't see
> why it is worth an investigation. Can you clarify that?
> >
> > I would note that we should never allow access over LDAP as a user
> > who has an expired password, even with the intention to change the
> > password. Some other protocols (like kpasswd) should allow access
> > only to the password change service, and password changes over SAMR
> > can be done as one user (eg a service user) to change the password
> > of another.
> I am not sure that it does not work on MS-AD? because the
> self-service-password application has some options for this:
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
> # Force account unlock when password is changed
> $ad_options['force_unlock'] = true;
> # Force user change password at next login
> $ad_options['force_pwd_change'] = false;
> # Allow user with expired password to change password
> $ad_options['change_expired_password'] = true;
>
> Why would there be an option 'change_expired_password' when this is
> not a supported feature in AD?
>
> Since I have no MS-AD, I cannot check it.
>
> - Kees.

Not answering for Andrew, but just wondering aloud :-)

Could it be that it changes the password in a different way if the password has expired? In a similar way that 'samba-tool user' has 'password' and 'setpassword'.

Rowland
Kees van Vloten
2023-Oct-27 18:31 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On 27-10-2023 at 11:49, Rowland Penny via samba wrote:
> On Fri, 27 Oct 2023 10:44:51 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Hi Andrew,
>>
>> On 27-10-2023 at 02:22, Andrew Bartlett wrote:
>>> I'm sorry to say that from here you really need to work closely
>>> with a Samba developer (eg via a commercial support provider) or do
>>> a deep dive into debugging yourself.
>>>
>>> Ideally if you have time, do a git bisect between the last known
>>> working version and the first failing one. That may find the
>>> problematic commit, which will make a fix and adding a regression
>>> test much faster.
>> If the statement (below) is that it should not work, then I don't see
>> why it is worth an investigation. Can you clarify that?
>>> I would note that we should never allow access over LDAP as a user
>>> who has an expired password, even with the intention to change the
>>> password. Some other protocols (like kpasswd) should allow access
>>> only to the password change service, and password changes over SAMR
>>> can be done as one user (eg a service user) to change the password
>>> of another.
>> I am not sure that it does not work on MS-AD? because the
>> self-service-password application has some options for this:
>>
>> # Active Directory mode
>> # true: use unicodePwd as password field
>> # false: LDAPv3 standard behavior
>> $ad_mode = true;
>> # Force account unlock when password is changed
>> $ad_options['force_unlock'] = true;
>> # Force user change password at next login
>> $ad_options['force_pwd_change'] = false;
>> # Allow user with expired password to change password
>> $ad_options['change_expired_password'] = true;
>>
>> Why would there be an option 'change_expired_password' when this is
>> not a supported feature in AD?
>>
>> Since I have no MS-AD, I cannot check it.
>>
>> - Kees.
>
> Not answering for Andrew, but just wondering aloud :-)
>
> Could it be that it changes the password in a different way if the
> password has expired? In a similar way that 'samba-tool user' has
> 'password' and 'setpassword'.
>
> Rowland

I have been thinking during the day about this matter, after I replied to Andrew this morning.

Although I am quite convinced I have seen it working in the past, looking at it and thinking about it now, convinces me more and more that that cannot be the case. It is quite illogical that, without a more privileged account (like with samba-tool user setpassword), a user can log in and change the password.

That brings me to another point: it is hard to check because you need an expired account and when you change the password it is no longer expired so the test cannot be repeated. Is there a way I can set the expired flag (whatever that is) on an account? That would make it much easier to do repeated tests and make this work.

- Kees.
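
The difference the thread circles around (a user changing their own password versus a privileged account setting it, as with samba-tool's 'password' and 'setpassword') corresponds to two different LDAP modify shapes on unicodePwd; the sketch below builds both as LDIF. This is an added example, not part of any post in the thread and not code from Samba or self-service-password: the function names, DN and passwords are constructed, ASCII DNs are assumed, and the pwdLastSet step is included on the assumption that "must change at next logon" is an acceptable repeatable stand-in for an expired password in a test.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password in double quotes, encoded UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")

def b64(value: bytes) -> str:
    return base64.b64encode(value).decode("ascii")

def ldif_user_change(dn: str, old_password: str, new_password: str) -> str:
    """Change by the user: delete the old value and add the new one in ONE modify.
    The DC verifies old_password, but the user must first bind successfully,
    which is the step refused when the password has expired."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {b64(encode_unicode_pwd(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {b64(encode_unicode_pwd(new_password))}",
        "-",
    ]) + "\n"

def ldif_admin_reset(dn: str, new_password: str) -> str:
    """Reset by a privileged (e.g. service) account: a single replace.
    No old password is sent; the bound account needs the reset-password right."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64(encode_unicode_pwd(new_password))}",
        "-",
    ]) + "\n"

def ldif_force_must_change(dn: str) -> str:
    """Admin-side: pwdLastSet 0 flags the password as must-change at next logon."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: pwdLastSet", "pwdLastSet: 0", "-"]) + "\n"

if __name__ == "__main__":
    # Constructed sample DN and passwords, for illustration only.
    dn = "CN=Test User,CN=Users,DC=samdom,DC=example,DC=com"
    print(ldif_user_change(dn, "OldPassw0rd!", "NewPassw0rd!"))
    print(ldif_admin_reset(dn, "NewPassw0rd!"))
    print(ldif_force_must_change(dn))
```

Either unicodePwd modify is only accepted over an encrypted LDAP connection, so the generated LDIF would be applied over LDAPS or StartTLS.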