Joshua Kramer
2023-Dec-16 19:29 UTC
[Samba] Samba 4.19.2: "Unwilling to perform" password change
Hello All,

I have a custom built version of Samba 4.19.2 running on Rocky Linux 9. When I attempt to change a password via LDAP, I get an error, "Unwilling to Perform". In Google searches I found that this is due to password complexity requirements. However, in my case, I get the error no matter how complex the password. Also, I have the following line in my smb.conf file:

ldap server require strong auth = no

The actual error I'm getting in the log:

[2023/12/16 14:21:01.537051, 5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
DSDB Change [Add] at [Sat, 16 Dec 2023 14:21:01.536966 EST] status [Unwilling to perform] remote host [ipv4:192.168.4.60:59926] SID [S-1-5-21-2696128225-1306404786-1287425722-500] DN [cn=test_user_1,dc=noosphere,dc=as] attributes [cn [test_user_1] displayName [test_user_1] objectClass [user] [securityPrincipal] pwdLastSet [-1] sAMAccountName [test_user_1] unicodePwd [REDACTED SECRET ATTRIBUTE] userAccountControl [512] userPrincipalName [test_user_1]]
[2023/12/16 14:21:01.537106, 5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
Password Change [Reset] at [Sat, 16 Dec 2023 14:21:01.537093 EST] status [Unwilling to perform] remote host [ipv4:192.168.4.60:59926] SID [S-1-5-21-2696128225-1306404786-1287425722-500] DN [cn=test_user_1,dc=noosphere,dc=as]
{"timestamp": "2023-12-16T14:21:01.537196-0500", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 53, "status": "Unwilling to perform", "operation": "Add", "remoteAddress": "ipv4:192.168.4.60:59926", "performedAsSystem": false, "userSid": "S-1-5-21-2696128225-1306404786-1287425722-500", "dn": "cn=test_user_1,dc=noosphere,dc=as", "transactionId": "a8713402-da47-47b6-908c-89cccf67ec78", "sessionId": "2b12f218-4286-4015-90ad-ac20e15abd41", "attributes": {"cn": {"actions": [{"action": "add", "values": [{"value": "test_user_1"}]}]}, "displayName": {"actions": [{"action": "add", "values": [{"value": "test_user_1"}]}]}, "objectClass": {"actions": [{"action": "add", "values": [{"value": "user"}, {"value": "securityPrincipal"}]}]}, "pwdLastSet": {"actions": [{"action": "add", "values": [{"value": "-1"}]}]}, "sAMAccountName": {"actions": [{"action": "add", "values": [{"value": "test_user_1"}]}]}, "unicodePwd": {"actions": [{"action": "add", "redacted": true}]}, "userAccountControl": {"actions": [{"action": "add", "values": [{"value": "512"}]}]}, "userPrincipalName": {"actions": [{"action": "add", "values": [{"value": "test_user_1"}]}]}}}}
{"timestamp": "2023-12-16T14:21:01.537315-0500", "type": "passwordChange", "passwordChange": {"version": {"major": 1, "minor": 1}, "eventId": 4724, "statusCode": 53, "status": "Unwilling to perform", "remoteAddress": "ipv4:192.168.4.60:59926", "userSid": "S-1-5-21-2696128225-1306404786-1287425722-500", "dn": "cn=test_user_1,dc=noosphere,dc=as", "action": "Reset", "transactionId": "a8713402-da47-47b6-908c-89cccf67ec78", "sessionId": "2b12f218-4286-4015-90ad-ac20e15abd41"}}
[2023/12/16 14:21:01.537387, 5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
DSDB Transaction [rollback] at [Sat, 16 Dec 2023 14:21:01.537376 EST] duration [124049]
{"timestamp": "2023-12-16T14:21:01.537404-0500", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "a8713402-da47-47b6-908c-89cccf67ec78", "duration": 124049}}

What could be causing this?

Thanks!
-JK
Rowland Penny
2023-Dec-16 20:28 UTC
[Samba] Samba 4.19.2: "Unwilling to perform" password change
On Sat, 16 Dec 2023 14:29:06 -0500 Joshua Kramer via samba <samba at lists.samba.org> wrote:

> Hello All,
>
> I have a custom built version of Samba 4.19.2 running on Rocky Linux
> 9. When I attempt to change a password via LDAP, I get an error,
> "Unwilling to Perform". In Google searches I found that this is due
> to password complexity requirements.

The password complexity isn't the problem, the problem is that you cannot change the unicode password over ldap, you have to use ssl (ldaps).

Rowland
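An added example, not part of the original thread: a triage script for the JSON audit records quoted in the first message. It links each rejected password write (statusCode 53) to its transaction rollback and to the transport protection of the LDAP session. The `Authorization` record and its `transportProtection` field come from Samba's JSON authentication audit log and are assumed to be enabled here; the sample input is constructed and trimmed from the post.

```python
import json

# Constructed sample, trimmed from the records in the post. The Authorization
# record is an assumption (not in the post): it is what Samba's JSON auth audit
# log would carry for the same session if that logging were enabled.
SAMPLE_LOG = """\
[2023/12/16 14:21:01.537051, 5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
{"type": "Authorization", "Authorization": {"sessionId": "2b12f218-4286-4015-90ad-ac20e15abd41", "transportProtection": "NONE"}}
{"type": "dsdbChange", "dsdbChange": {"statusCode": 53, "operation": "Add", "dn": "cn=test_user_1,dc=noosphere,dc=as", "transactionId": "a8713402-da47-47b6-908c-89cccf67ec78", "sessionId": "2b12f218-4286-4015-90ad-ac20e15abd41", "attributes": {"unicodePwd": {"actions": [{"action": "add", "redacted": true}]}}}}
{"type": "passwordChange", "passwordChange": {"statusCode": 53, "status": "Unwilling to perform", "dn": "cn=test_user_1,dc=noosphere,dc=as", "action": "Reset", "transactionId": "a8713402-da47-47b6-908c-89cccf67ec78", "sessionId": "2b12f218-4286-4015-90ad-ac20e15abd41"}}
{"type": "dsdbTransaction", "dsdbTransaction": {"action": "rollback", "transactionId": "a8713402-da47-47b6-908c-89cccf67ec78"}}
"""

def parse_events(text):
    """Yield (type, body) for each JSON audit line; skip human-text lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # "[date, level] file.c:NN(func)" headers and text records
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved log line
        kind = rec.get("type")
        if isinstance(rec.get(kind), dict):
            yield kind, rec[kind]

def rejected_password_writes(text):
    """Report password changes refused with LDAP result 53 (unwillingToPerform)."""
    transport, rolled_back, failures = {}, set(), []
    for kind, body in parse_events(text):
        if kind == "Authorization":
            transport[body.get("sessionId")] = body.get("transportProtection")
        elif kind == "dsdbTransaction" and body.get("action") == "rollback":
            rolled_back.add(body.get("transactionId"))
        elif kind == "passwordChange" and body.get("statusCode") == 53:
            failures.append(body)
    # Resolve after the full pass so record order in the log does not matter.
    return [{"dn": f.get("dn"),
             "action": f.get("action"),
             "rolled_back": f.get("transactionId") in rolled_back,
             "transport": transport.get(f.get("sessionId"), "unknown")}
            for f in failures]

if __name__ == "__main__":
    for finding in rejected_password_writes(SAMPLE_LOG):
        print(finding)
```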