Kees van Vloten
2023-Oct-27 18:31 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On 27-10-2023 at 11:49, Rowland Penny via samba wrote:
> On Fri, 27 Oct 2023 10:44:51 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Hi Andrew,
>>
>> On 27-10-2023 at 02:22, Andrew Bartlett wrote:
>>> I'm sorry to say that from here you really need to work closely
>>> with a Samba developer (eg via a commercial support provider) or do
>>> a deep dive into debugging yourself.
>>>
>>> Ideally if you have time, do a git bisect between the last known
>>> working version and the first failing one. That may find the
>>> problematic commit, which will make a fix and adding a regression
>>> test much faster.
>> If the statement (below) is that it should not work, then I don't see
>> why it is worth an investigation. Can you clarify that?
>>> I would note that we should never allow access over LDAP as a user
>>> who has an expired password, even with the intention to change the
>>> password. Some other protocols (like kpasswd) should allow access
>>> only to the password change service, and password changes over SAMR
>>> can be done as one user (eg a service user) to change the password
>>> of another.
>> I am not sure that it does not work on MS-AD because the
>> self-service-password application has some options for this:
>>
>> # Active Directory mode
>> # true: use unicodePwd as password field
>> # false: LDAPv3 standard behavior
>> $ad_mode = true;
>> # Force account unlock when password is changed
>> $ad_options['force_unlock'] = true;
>> # Force user change password at next login
>> $ad_options['force_pwd_change'] = false;
>> # Allow user with expired password to change password
>> $ad_options['change_expired_password'] = true;
>>
>> Why would there be an option 'change_expired_password' when this is
>> not a supported feature in AD?
>>
>> Since I have no MS-AD I cannot check it.
>>
>> - Kees.
>
> Not answering for Andrew, but just wondering aloud :-)
>
> Could it be that it changes the password in a different way if the
> password has expired. In a similar way that 'samba-tool user' has
> 'password' and 'setpassword'.
>
> Rowland

I have been thinking during the day about this matter, after I replied
to Andrew this morning.
Although I am quite convinced I have seen it working in the past,
looking at it and thinking about it now convinces me more and more
that that cannot be the case. It is quite illogical that, without a
more privileged account (like with samba-tool user setpassword), a
user can login and change the password.

That brings me to another point: it is hard to check because you need
an expired account and when you change the password it is no longer
expired so the test cannot be repeated.
Is there a way I can set the expired flag (whatever that is) on an
account? That would make it much easier to do repeated tests and make
this work.

- Kees.
Andrew Bartlett
2023-Oct-29 20:52 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On Fri, 2023-10-27 at 20:31 +0200, Kees van Vloten via samba wrote:
> On 27-10-2023 at 11:49, Rowland Penny via samba wrote:
> > On Fri, 27 Oct 2023 10:44:51 +0200 Kees van Vloten via samba <
> > samba at lists.samba.org> wrote:
> > > Hi Andrew,
> > > On 27-10-2023 at 02:22, Andrew Bartlett wrote:
> > > > I'm sorry to say that from here you really need to work
> > > > closely with a Samba developer (eg via a commercial support
> > > > provider) or do a deep dive into debugging yourself.
> > > > Ideally if you have time, do a git bisect between the last
> > > > known working version and the first failing one. That may find
> > > > the problematic commit, which will make a fix and adding a
> > > > regression test much faster.
> > > If the statement (below) is that it should not work, then I don't
> > > see why it is worth an investigation. Can you clarify that?
> > > > I would note that we should never allow access over LDAP as a
> > > > user who has an expired password, even with the intention to
> > > > change the password. Some other protocols (like kpasswd) should
> > > > allow access only to the password change service, and password
> > > > changes over SAMR can be done as one user (eg a service user) to
> > > > change the password of another.
> > > I am not sure that it does not work on MS-AD because the
> > > self-service-password application has some options for this:
> > > # Active Directory mode
> > > # true: use unicodePwd as password field
> > > # false: LDAPv3 standard behavior
> > > $ad_mode = true;
> > > # Force account unlock when password is changed
> > > $ad_options['force_unlock'] = true;
> > > # Force user change password at next login
> > > $ad_options['force_pwd_change'] = false;
> > > # Allow user with expired password to change password
> > > $ad_options['change_expired_password'] = true;
> > > Why would there be an option 'change_expired_password' when this
> > > is not a supported feature in AD?
> > > Since I have no MS-AD I cannot check it.
> > > - Kees.
> > Not answering for Andrew, but just wondering aloud :-)
> > Could it be that it changes the password in a different way if
> > the password has expired. In a similar way that 'samba-tool user'
> > has 'password' and 'setpassword'.
> > Rowland
>
> I have been thinking during the day about this matter, after I
> replied to Andrew this morning.
> Although I am quite convinced I have seen it working in the past,
> looking at it and thinking about it now convinces me more and more
> that that cannot be the case. It is quite illogical that, without a
> more privileged account (like with samba-tool user setpassword), a
> user can login and change the password.

It is always possible that there was a bug, which is why I didn't
dismiss this out of hand. Sometimes we fix such things without
realising.

> That brings me to another point: it is hard to check because you need
> an expired account and when you change the password it is no longer
> expired so the test cannot be repeated.
> Is there a way I can set the expired flag (whatever that is) on an
> account?

You can force accounts as 'must change at next login' which is much
the same thing, or use 'password setting objects' (fine grained
password policies) to set really short expiries.

> That would make it much easier to do repeated tests and make this
> work.

I agree. We do much of this kind of thing in our testsuite.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
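To make the "expired flag (whatever that is)" from the exchange above concrete, here is an added Python example (not code from the thread, from Samba or from self-service-password) that applies AD's password-expiry rule to constructed directory entries. AD has no single expiry flag: a password is expired once `pwdLastSet` plus the domain or PSO `maxPwdAge` lies in the past; `pwdLastSet` of 0 is the "must change at next login" state Andrew refers to (what `samba-tool user setpassword --must-change-at-next-login` produces); and the `UF_DONT_EXPIRE_PASSWD` bit in `userAccountControl` exempts an account. The attribute names and constants are the real AD schema values; the sample entries, timestamps and 42-day policy are constructed, and the order in which the checks are applied is this example's choice.

```python
"""Classify an AD account's password state from its directory attributes.

Added example with constructed sample data; not part of the samba thread.
"""
from datetime import datetime, timedelta, timezone

# AD stores timestamps as Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000

# userAccountControl bit: "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000
# maxPwdAge value meaning "passwords never expire" (minimum signed int64).
MAX_PWD_AGE_NEVER = -0x8000000000000000


def utc(year, month, day):
    """Build an aware UTC datetime (helper for the demo and tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks (exact integer maths)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expires_at(entry, max_pwd_age):
    """Return when the password expires, or None if it never expires.

    entry:       dict with integer 'pwdLastSet' and 'userAccountControl'.
    max_pwd_age: maxPwdAge from the domain (or the PSO applying to the
                 account); AD stores it as a *negative* tick interval.
    """
    if entry["pwdLastSet"] == 0:
        # Forced change: treated as already expired (ordering is this
        # example's choice, checked before the never-expires flag).
        return FILETIME_EPOCH
    if entry["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None
    # max_pwd_age is negative, so subtracting it adds the allowed age.
    return filetime_to_datetime(entry["pwdLastSet"] - max_pwd_age)


def password_state(entry, max_pwd_age, now):
    """Return 'must-change', 'never-expires', 'expired' or 'valid'."""
    if entry["pwdLastSet"] == 0:
        return "must-change"
    expires_at = password_expires_at(entry, max_pwd_age)
    if expires_at is None:
        return "never-expires"
    return "expired" if now >= expires_at else "valid"


if __name__ == "__main__":
    # Constructed sample accounts: a 42-day policy, evaluated on 2023-10-27.
    policy_42_days = -42 * TICKS_PER_DAY
    now = utc(2023, 10, 27)
    samples = {
        "alice (set 2023-10-01)": {"pwdLastSet": datetime_to_filetime(utc(2023, 10, 1)),
                                   "userAccountControl": 0x200},
        "bob (set 2023-08-01)":   {"pwdLastSet": datetime_to_filetime(utc(2023, 8, 1)),
                                   "userAccountControl": 0x200},
        "carol (forced change)":  {"pwdLastSet": 0, "userAccountControl": 0x200},
        "svc (never expires)":    {"pwdLastSet": datetime_to_filetime(utc(2020, 1, 1)),
                                   "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    }
    for name, entry in samples.items():
        print(f"{name:28s} {password_state(entry, policy_42_days, now)}")
```

Pointing a short `maxPwdAge` at a test account via a PSO, as Andrew suggests, simply moves `password_expires_at` forward into the past quickly; resetting `pwdLastSet` to 0 skips the clock entirely, which is why both give a repeatable "expired" account for testing a password-change path.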