Bug 15655 - When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password
Summary: When claims enabled with heimdal kerberos, unable to log on to a Windows comp...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-31 08:39 UTC by Yohannès ALEMU
Modified: 2024-08-15 12:14 UTC (History)
2 users (show)

See Also:


Attachments
KO_bugzilla-heimdal-user-fast-changepasswd.pcap (3.38 KB, application/vnd.tcpdump.pcap)
2024-05-31 08:40 UTC, Yohannès ALEMU
no flags Details
OK_bugzilla-mit-user-fast-changepasswd.pcap (1.25 KB, application/vnd.tcpdump.pcap)
2024-05-31 08:41 UTC, Yohannès ALEMU
no flags Details
w2k19 fast change passwd (7.18 KB, application/octet-stream)
2024-06-06 08:13 UTC, Yohannès ALEMU
no flags Details
patch to not send an ntstatus value in the reply (1.03 KB, patch)
2024-06-12 02:45 UTC, Douglas Bagnall
no flags Details
patch for Samba 4.20 (29.16 KB, patch)
2024-07-01 01:44 UTC, Jennifer Sutton
jsutton: ci-passed+
Details
patch for Samba 4.19 (39.59 KB, patch)
2024-07-01 03:44 UTC, Jennifer Sutton
jsutton: ci-passed+
Details
patch v2 for Samba 4.20 (29.31 KB, patch)
2024-07-02 23:24 UTC, Jennifer Sutton
dbagnall: review+
jsutton: ci-passed+
Details
patch v2 for Samba 4.19 (39.86 KB, patch)
2024-07-02 23:24 UTC, Jennifer Sutton
dbagnall: review+
jsutton: ci-passed+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Yohannès ALEMU 2024-05-31 08:39:43 UTC
If using FAST with Heimdal Kerberos, and if a user password has expired, the user cannot change his own password from the Windows login screen because of the "insuccifient ressource" message that does not trigger the change password dialog screen.

We don't see this issue if Samba is compiled using MIT Kerberos (hence, no issue with Fedora Samba-AD package that are using MIT Kerberos instead of Heimdal).

Step to reproduce :
* Enable GPO "Kerberos client support for claims, compound authentication and Kerberos armoring" on a Windows client
* Force user to change password at next logon
Comment 1 Yohannès ALEMU 2024-05-31 08:40:52 UTC
Created attachment 18316 [details]
KO_bugzilla-heimdal-user-fast-changepasswd.pcap
Comment 2 Yohannès ALEMU 2024-05-31 08:41:10 UTC
Created attachment 18317 [details]
OK_bugzilla-mit-user-fast-changepasswd.pcap
Comment 3 Douglas Bagnall 2024-06-01 00:49:46 UTC
I think in the MIT case the client is not using FAST (I'm not an expert in this area, but the AS_REQ packet looks very different -- for a start, it is 311 bytes for MIT, 2136 for Heimdal).

Is it possible to get a similar pcap against Windows?
Comment 4 Yohannès ALEMU 2024-06-06 08:10:18 UTC
Hi Douglas,

Thanks for your answer. You are right, there seems to be also an issue with FAST on Samba-AD with MIT Kerberos (but a different one :-) ).

As per your request, I attached a similar pcap against a Windows MS-AD. 

PS : on MSAD, I see the krbtgt user have the msDS-SupportedEncryptionTypes to 0x50000 (flag FAST supported [1]) . I don't know if this is important  used by the client to enforce FAST on the client (in addition to the gpo).

Yohannès

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919
Comment 5 Yohannès ALEMU 2024-06-06 08:13:25 UTC
Created attachment 18328 [details]
w2k19 fast change passwd
Comment 6 Douglas Bagnall 2024-06-12 02:45:08 UTC
Created attachment 18334 [details]
patch to not send an ntstatus value in the reply

Are you able to compile with this patch and see if it makes a difference?
Comment 7 Yohannès ALEMU 2024-06-12 15:31:48 UTC
Great, it's good. Thank you Douglas !
Comment 8 Samba QA Contact 2024-06-27 05:34:04 UTC
This bug was referenced in samba master:

6dc6168719cf232ac2c1d747f10aad9b13300c02
c5ee0b60b20011aeaa60c2f549c2a78269c97c8f
fe90576871b5d644b9e888fd7a0b0351feaba750
Comment 9 Jennifer Sutton 2024-07-01 01:44:34 UTC
Created attachment 18358 [details]
patch for Samba 4.20
Comment 10 Jennifer Sutton 2024-07-01 03:44:22 UTC
Created attachment 18359 [details]
patch for Samba 4.19
Comment 11 Jennifer Sutton 2024-07-01 06:26:26 UTC
Comment on attachment 18359 [details]
patch for Samba 4.19

The CI failure was just an issue with the 4.19 release. The pipeline passes with that addressed.
Comment 12 Douglas Bagnall 2024-07-02 22:43:21 UTC
Comment on attachment 18358 [details]
patch for Samba 4.20

I think the extra patches should have the BUG: tag added.

It doesn't say so at https://wiki.samba.org/index.php/Samba_Release_Planning#Patch_Process but it looks like the convention might be to add the BUG: at the end either before or after the cherry-pick line.

Otherwise looks good.
Comment 13 Douglas Bagnall 2024-07-02 23:12:59 UTC
Comment on attachment 18359 [details]
patch for Samba 4.19

likewise this one looks good but could be improved by more BUG:s.
Comment 14 Jennifer Sutton 2024-07-02 23:24:09 UTC
Created attachment 18360 [details]
patch v2 for Samba 4.20
Comment 15 Jennifer Sutton 2024-07-02 23:24:33 UTC
Created attachment 18361 [details]
patch v2 for Samba 4.19
Comment 16 Douglas Bagnall 2024-07-02 23:29:55 UTC
For 4.19 and 4.20.
Comment 17 Jule Anger 2024-07-03 08:48:44 UTC
Pushed to autobuild-v4-{20,19}-test.
Comment 18 Samba QA Contact 2024-07-03 09:57:38 UTC
This bug was referenced in samba v4-19-test:

fc8beb134d247667d9c94900fed3761cd08b796d
a35edbb5302fd83ec24eb731d3078e7a3d064ce8
e65a4281c139b7d07560aad8963653b1eb6c70ea
9c64cd3f2e02f88ebd16c6785e0d1fa34926aebb
2102b619cf68ddcd3d9b3c4e4d6a3381966d4894
7cc2b7b0288684f0d5444293ecc2562cc94c407f
86034d86d98489bdde6777e1632b9deeddd3e414
2cf809bb1f3a6311d8f5e3ba745091e36ca9a943
Comment 19 Samba QA Contact 2024-07-03 10:07:03 UTC
This bug was referenced in samba v4-20-test:

4e57b8a5fe68427b844d94f79ea071f333107f6b
c1433f821f7c5f6ec3ce93c0c1d79c8a3f51fce1
50a417a2240f99b155fed436df32bf242e579f73
d4c1e215a9bd60c02f3450aa602725663d919d81
41c8a42c8ae8b89354ddaa02ea3d0035445d6b44
bff728a842fde296d70f5c993087b4e47794a98a
Comment 20 Jule Anger 2024-07-03 10:09:43 UTC
Closing out bug report.

Thanks!
Comment 21 Samba QA Contact 2024-08-02 12:14:45 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.3):

4e57b8a5fe68427b844d94f79ea071f333107f6b
c1433f821f7c5f6ec3ce93c0c1d79c8a3f51fce1
50a417a2240f99b155fed436df32bf242e579f73
d4c1e215a9bd60c02f3450aa602725663d919d81
41c8a42c8ae8b89354ddaa02ea3d0035445d6b44
bff728a842fde296d70f5c993087b4e47794a98a
Comment 22 Samba QA Contact 2024-08-15 12:14:14 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.8):

fc8beb134d247667d9c94900fed3761cd08b796d
a35edbb5302fd83ec24eb731d3078e7a3d064ce8
e65a4281c139b7d07560aad8963653b1eb6c70ea
9c64cd3f2e02f88ebd16c6785e0d1fa34926aebb
2102b619cf68ddcd3d9b3c4e4d6a3381966d4894
7cc2b7b0288684f0d5444293ecc2562cc94c407f
86034d86d98489bdde6777e1632b9deeddd3e414
2cf809bb1f3a6311d8f5e3ba745091e36ca9a943