Bug 15655 - When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password
Summary: When claims enabled with heimdal kerberos, unable to log on to a Windows comp...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2024-05-31 08:39 UTC by Yohannès ALEMU
Modified: 2024-06-18 02:57 UTC (History)
1 user (show)

See Also:

KO_bugzilla-heimdal-user-fast-changepasswd.pcap (3.38 KB, application/vnd.tcpdump.pcap)
2024-05-31 08:40 UTC, Yohannès ALEMU
no flags Details
OK_bugzilla-mit-user-fast-changepasswd.pcap (1.25 KB, application/vnd.tcpdump.pcap)
2024-05-31 08:41 UTC, Yohannès ALEMU
no flags Details
w2k19 fast change passwd (7.18 KB, application/octet-stream)
2024-06-06 08:13 UTC, Yohannès ALEMU
no flags Details
patch to not send an ntstatus value in the reply (1.03 KB, patch)
2024-06-12 02:45 UTC, Douglas Bagnall
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Yohannès ALEMU 2024-05-31 08:39:43 UTC
If using FAST with Heimdal Kerberos, and if a user password has expired, the user cannot change his own password from the Windows login screen because of the "insuccifient ressource" message that does not trigger the change password dialog screen.

We don't see this issue if Samba is compiled using MIT Kerberos (hence, no issue with Fedora Samba-AD package that are using MIT Kerberos instead of Heimdal).

Step to reproduce :
* Enable GPO "Kerberos client support for claims, compound authentication and Kerberos armoring" on a Windows client
* Force user to change password at next logon
Comment 1 Yohannès ALEMU 2024-05-31 08:40:52 UTC
Created attachment 18316 [details]
Comment 2 Yohannès ALEMU 2024-05-31 08:41:10 UTC
Created attachment 18317 [details]
Comment 3 Douglas Bagnall 2024-06-01 00:49:46 UTC
I think in the MIT case the client is not using FAST (I'm not an expert in this area, but the AS_REQ packet looks very different -- for a start, it is 311 bytes for MIT, 2136 for Heimdal).

Is it possible to get a similar pcap against Windows?
Comment 4 Yohannès ALEMU 2024-06-06 08:10:18 UTC
Hi Douglas,

Thanks for your answer. You are right, there seems to be also an issue with FAST on Samba-AD with MIT Kerberos (but a different one :-) ).

As per your request, I attached a similar pcap against a Windows MS-AD. 

PS : on MSAD, I see the krbtgt user have the msDS-SupportedEncryptionTypes to 0x50000 (flag FAST supported [1]) . I don't know if this is important  used by the client to enforce FAST on the client (in addition to the gpo).


[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919
Comment 5 Yohannès ALEMU 2024-06-06 08:13:25 UTC
Created attachment 18328 [details]
w2k19 fast change passwd
Comment 6 Douglas Bagnall 2024-06-12 02:45:08 UTC
Created attachment 18334 [details]
patch to not send an ntstatus value in the reply

Are you able to compile with this patch and see if it makes a difference?
Comment 7 Yohannès ALEMU 2024-06-12 15:31:48 UTC
Great, it's good. Thank you Douglas !